Study Guide: PMP: 10. Project Risk Management
Source: https://www.fatskills.com/dsst/chapter/pmp-10-project-risk-management

PMP: 10. Project Risk Management

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


-  Project Risk Management aims to identify and manage risks that are not addressed by the other project management processes. When unmanaged, these risks can cause the project to deviate from the plan and fail to achieve its objectives.
-  The effectiveness of Project Risk Management is directly related to project success.

-  Risk exists at two levels (Individual risks and Overall risks)
-  Individual risk: an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives
-  Overall project risk: the effect of uncertainty on the project as a whole, arising from all sources of uncertainty including individual risks, representing the exposure of stakeholders to the implications of variations in project outcome for both positive and negative risks
-  Project risk management aims to enhance positive risks (opportunities) while avoiding or mitigating negative risks (threats)
-  Unmanaged threats may result in issues or problems such as delay, cost overruns, performance shortfall, or loss of reputation. However, opportunities that are captured can lead to benefits such as reduced time and cost, improved performance, or reputation.
-  Project Risk Management processes should be conducted iteratively.
-  Risk is initially addressed during project planning by shaping the project strategy
-  The project team needs to know what level of risk exposure is acceptable. This is defined by measurable risk thresholds that reflect the risk appetite
-  Risk thresholds express the degree of acceptable variation around a project objective. They are explicitly stated and communicated to the project team and reflected in the definitions of risk impact levels for the project.
-  Project Risk Management includes (Non-event risks, Project resilience and Integrated risk management)

-  There are two main types of non-event risks (Variability risk and Ambiguity risk)
-  Variability risk: Uncertainty exists about some key characteristics of a planned event or decision such as (productivity may be above or below target, or errors to be higher or lower than expected)
-  Ambiguity risk: Uncertainty exists about what might happen in the future. Areas of the project where imperfect knowledge might affect the project’s ability to achieve its objectives such as (requirements or technical solution, or future developments in regulatory frameworks)
-  Variability risks can be addressed using Monte Carlo analysis
-  Ambiguity risks can be addressed using incremental development, prototyping and simulation
-  Ambiguity risks can be managed by defining areas with deficit of knowledge or understanding and filling up the gap by obtaining expert external input or benchmarking

-  Project resilience: The existence of emergent risk is becoming clear, with a growing awareness of unknown-unknowns
-  Emergent risks can be tackled through developing project resilience which requires the project to have (Right level of budget and schedule contingency, Flexible project processes, Empowered project team, Frequent review of early warning and clear input from stakeholders)
-  Integrated risk management: Projects exist in an organizational context, and they may form part of a program or portfolio. Risk exists at each of these levels, and risks should be owned and managed at the appropriate level.
-  In agile/adaptive environments, frequent reviews of incremental work products and cross-functional project teams are used to accelerate knowledge sharing and ensure risk is managed
-  Requirements are kept as a living document that is updated regularly, and work may be reprioritized as the project progresses, based on an improved understanding of current risk exposure.

Plan Risk Management (Planning Process Group)
Plan Risk Management is the process of defining how to conduct risk management activities for a project
Key benefit of this process is that it ensures that the degree, type, and visibility of risk management are proportionate to both risks and the importance of the project to the organization and other stakeholders
-  This process is performed once or at predefined points in the project
-  The Plan Risk Management process should begin when a project is conceived and should be completed early in the project.

Plan Risk Management Inputs:
1- Project Charter
2- Project Management Plan

-  All subsidiary management plans should be taken into consideration when developing the risk management plan
3- Enterprise Environmental Factors
4- Organizational Process Assets

Plan Risk Management Tools & Techniques:
1- Expert Judgment
2- Data Analysis
-  Stakeholder analysis: to determine the risk appetite of project stakeholders
3- Meetings
-  The risk management plan may be developed as part of the project kick-off meeting or a specific planning meeting may be held
-  Attendees may include project manager, project team, key stakeholders and some from outside the organization such as customers and sellers
-  A skilled facilitator can help participants remain focused on the tasks
-  Plans for conducting risk management activities are defined in these meetings and documented in the risk management plan

Plan Risk Management Outputs:
1- Risk Management Plan

-  The risk management plan is a component of the project management plan that describes how risk management activities will be structured and performed. It may include the following elements:
-  Risk Strategy: Describes the general approach to managing risk on this project.
-  Methodology: Defines the specific approaches, tools, and data sources that will be used
-  Role and responsibilities: Defines the lead, support, and risk management team members for each type of activity described in the risk management plan, and clarifies their responsibilities
-  Funding: Identifies the funds needed to perform activities related to Project Risk Management. Establishes protocols for the application of contingency and management reserves
-  Timing: Defines when and how often the Project Risk Management processes will be performed throughout the project life cycle, and establishes risk management activities for inclusion into the project schedule.
-  Risk categories: Provide a means for grouping individual project risks. A common way to structure risk categories is with a risk breakdown structure (RBS), which is a hierarchical representation of potential sources of risk. An RBS helps the team to consider the full range of risk sources, which is useful when identifying and categorizing risks. When an RBS is not used, the organization may use a custom risk categorization framework, which may be a simple list of categories or a structure
-  Stakeholder risk appetite: Stakeholder risk appetite should be expressed as measurable risk thresholds around each project objective. These thresholds will determine the acceptable level of overall project risk exposure and inform the definitions of probability and impacts when assessing and prioritizing risks.
-  Definitions of risk probability and impacts: Definitions of risk probability and impact levels are specific to the project context and reflect the risk appetite and thresholds of the organization and key stakeholders. The number of levels reflects the degree of detail required for the Project Risk Management process, with more levels used for a more detailed risk approach (typically five levels) and fewer for a simple process (usually three)
-  Probability and impact Matrix: Opportunities and threats are represented in a common probability and impact matrix using positive definitions of impact for opportunities and negative impact definitions for threats. Descriptive terms (High, medium, low) or numeric values can be used for probability and impact. When numeric values are used, these can be multiplied to give a probability-impact score for each risk, which allows the relative priority of individual risks to be evaluated within each priority level
-  Reporting formats: Define how the outcomes of the Project Risk Management process will be documented, analyzed, and communicated. It describes the content and format of the risk register and the risk report, and any other required outputs from the Project Risk Management processes
-  Tracking: Tracking documents how risk activities will be recorded and how risk management processes will be audited.

Identify Risk (Planning Process Group)
Identify Risks is the process of identifying individual project risks as well as sources of overall project risk, and documenting their characteristics
Key benefit of this process is the documentation of existing individual project risks and the sources of overall project risk. It also brings together information so the project team can respond appropriately to identified risks
-  This process is performed throughout the project
-  Identify Risks considers both individual project risks and sources of overall project risk
-  All project stakeholders should be encouraged to identify individual project risks
-  It’s important to involve the project team so they can develop and maintain a sense of ownership and responsibility for identified individual risks and overall project risk
-  Risk owners for individual project risks may be nominated as part of the Identify Risks process, and will be confirmed during the Perform Qualitative Risk Analysis process
-  Identify Risks is an iterative process, since new individual project risks may emerge as the project progresses through its life cycle
-  Preliminary risk responses may also be identified and recorded and will be reviewed and confirmed as part of the Plan Risk Responses process

Identify Risk Inputs:
1- Project Management Plan

-  Includes (Requirements management plan, Schedule management plan, Cost management plan, Quality management plan, Resource management plan, Risk management plan, Scope baseline, Schedule baseline and Cost baseline)
2- Project Documents
-  Includes (Assumption log, Cost estimates, Duration estimates, Issue log, Lessons learned register, Requirements documentation, Resource requirements and Stakeholder register)
3- Agreements
-  Agreements may have information such as milestone dates, contract type, acceptance criteria, and awards and penalties that can present threats or opportunities

4- Procurement Documentation
-  If the project requires external procurement of resources, the initial procurement documentation should be reviewed, as procuring goods and services from outside the organization may increase or decrease overall project risk and may introduce additional individual project risks. Examples (seller performance reports, approved change requests and information on inspections)
5- Enterprise Environmental Factors
6- Organizational Process Assets

Identify Risk Tools & Techniques:
1- Expert Judgment
2- Data Gathering
-  Brainstorming: The goal of brainstorming is to obtain a comprehensive list of individual project risks and sources of overall project risk. Ideas are generated under the guidance of a facilitator. Categories of risk, such as in a risk breakdown structure, can be used as a framework
-  Checklists: A list of items, actions, or points to be considered. It is often used as a reminder. Risk checklists are developed based on historical information and knowledge that has been accumulated from similar projects. They are an effective way to capture lessons learned from similar projects. Checklists are quick and simple to use, but it is impossible to build an exhaustive list. Checklists must be updated from time to time to add new information or remove expired information
-  Interviews: Individual project risks and sources of overall project risk can be identified by interviewing experienced project participants
3- Data Analysis
-  Root cause analysis: Used to discover the underlying causes that lead to a problem, and develop preventive action. It can be used to identify threats by starting with a problem statement and exploring which threats might result from that problem. This technique can also be used to find opportunities by starting with a benefit statement and exploring which opportunities might result in that benefit being realized.
-  Assumption and constraint analysis: Assumption and constraint analysis explores the validity of assumptions and constraints to determine which pose a risk to the project. Threats may be identified from the inaccuracy, inconsistency, or incompleteness of assumptions. Constraints may give rise to opportunities through removing or relaxing a limiting factor that affects the execution of a project
-  SWOT analysis: This technique examines the project from each of the strengths, weaknesses, opportunities and threats (SWOT) perspectives. It is used to increase the breadth of identified risks by including internally generated risks. Also examines the degree to which organizational strengths may offset threats and determines if weaknesses might hinder opportunities
-  Document analysis: Risks may be identified from a structured review of project documents, including (assumptions, constraints, previous project files, contracts, agreements and technical documentation). Uncertainty or ambiguity in project documents, as well as inconsistencies within a document or between different documents, may be indicators of risk on the project
4- Interpersonal and Team skills
-  Facilitation: improves the effectiveness of many of the techniques used to identify individual project risks and sources of overall project risk. A skilled facilitator can help participants remain focused
5- Prompt Lists
-  Predetermined list of risk categories that might give rise to individual project risks and that could also act as sources of overall project risk
-  Prompt list can be used as a framework to aid the project team in idea generation when using risk identification techniques
-  The risk categories in the lowest level of the risk breakdown structure can be used as a prompt list for individual project risks
-  PESTLE (Political, Economic, Social, Technological, Legal and Environmental), TECOP (Technical, Environmental, Commercial, Operational, Political) or VUCA (Volatility, Uncertainty, Complexity, and Ambiguity) are common frameworks for identifying sources of overall project risk
6- Meetings
-  Project team may conduct a specialized meeting (often called a risk workshop).
-  Most risk workshops include some form of brainstorming, but other techniques for identification can be included depending on risk process in risk management plan
-  In small projects, risk workshops may be restricted to a subset of the project team

Identify Risk Outputs:
1- Risk Register

-  The risk register captures details of identified individual project risks
-  The results of Perform Qualitative Risk Analysis, Plan Risk Responses, Implement Risk Responses, and Monitor Risks are recorded in the risk register
-  Risk register includes (List of identified risks, Potential risk owner and List of potential risk responses)
-  Other data may be included in the risk register such as (short risk title, risk category and status, risk triggers, WBS reference and timing information)
2- Risk Report
-  The risk report presents information on sources of overall project risk, together with summary information on identified individual project risks
-  Risk report is developed progressively throughout the Project Risk Management process
-  The results of Perform Qualitative Risk Analysis, Perform Quantitative Risk Analysis, Plan Risk Responses, Implement Risk Responses, and Monitor Risks are also included in the risk report
-  The risk report includes:

- Sources of overall project risk indicating the most important drivers of overall project risk exposure
- Summary information on identified project risks such as (Number of identified threats and opportunities, Categories, Metrics and Trends)
3- Project Document Updates
-  Includes (Assumption log, Issue log and Lessons learned register)

Perform Qualitative Risk Analysis (Planning Process Group)
Perform Qualitative Risk Analysis is the process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics
Key benefit of this process is that it focuses efforts on high-priority risks
-  This process is performed throughout the project
-  Perform Qualitative Risk Analysis assesses the priority of identified individual project risks using their probability of occurrence, and Impact on project objectives
-  Effective assessment therefore requires explicit identification and management of the risk attitudes of key participants in the Perform Qualitative Risk Analysis process
-  Risk perception introduces bias into the assessment of identified risks.
-  Addressing bias is a key part of the facilitator’s role, if a facilitator is used
-  Perform Qualitative Risk Analysis establishes the relative priorities of individual project risks for Plan Risk Responses, as it identifies a risk owner for each risk who will take responsibility for planning an appropriate risk response and ensuring that it is implemented
-  Qualitative Risk Analysis also lays the foundation for Perform Quantitative Risk Analysis
-  In an agile development environment, the Perform Qualitative Risk Analysis process is conducted before the start of each iteration

Perform Qualitative Risk Analysis Inputs:
1- Project Management Plan

-  Includes Risk management plan
2- Project Documents
-  Includes (Assumption log, Risk register and Stakeholder register)
3- Enterprise Environmental Factors
4- Organizational Process Assets

Perform Qualitative Risk Analysis Tools & Techniques:
1- Expert Judgment

2- Data Gathering
-  Interviews: Structured or semi-structured interviews can be used to assess the probability and impacts of individual project risks

3- Data Analysis
-  Risk data quality assessment:

- Evaluates the degree to which the data about individual project risks is accurate and reliable as a basis for qualitative risk analysis.
- The use of low-quality risk data may lead to a qualitative risk analysis that is of little use to the project and if the data quality is unacceptable it is better to gather better data
- Risk data quality can be assessed via a questionnaire measuring project’s stakeholder perceptions
- A weighted average of selected data quality characteristics can then be generated to give an overall quality score
-  Risk probability and impact assessment:
- Risk probability assessment considers the likelihood that a specific risk will occur.
- Risk impact assessment considers the potential effect on one or more project objectives such as schedule, cost, quality, or performance
- Impacts will be negative for threats and positive for opportunities
- Risks can be assessed in interviews or meetings
- Risks with low probability and impact may be included within the risk register as part of a watch list for future monitoring.

-  Assessment of other risk parameters: The project team may consider other characteristics of risk, they include:
- Urgency: time within which a response to the risk is to be implemented in order to be effective
- Proximity: time before the risk might have an impact on one objective. A short period indicates high proximity
- Manageability: The ease with which the risk owner can manage the occurrence or impact of a risk. Where management is easy, manageability is high
- Controllability: degree to which the risk owner is able to control the risk’s outcome. Where the outcome can be easily controlled, controllability is high
- Detectability: ease with which the results of the risk occurring, can be detected and recognized. Where the risk occurrence can be detected easily, detectability is high
- Connectivity: The extent to which the risk is related to other individual project risks. Where a risk is connected to many other risks, connectivity is high
- Strategic impact: The potential for the risk to have a positive or negative effect on the organization’s strategic goals. Where the risk has a major effect on strategic goals, strategic impact is high
- Propinquity: degree to which a risk is perceived to matter by one or more stakeholders. Where a risk is perceived as very significant, propinquity is high.

4- Interpersonal and Team Skills
-  Facilitation: improves the effectiveness of the qualitative analysis of individual project risks
5- Risk Categorization
-  Risks to the project can be categorized to determine the areas of the project most exposed to the effect of uncertainty by: sources of risk (e.g. using the risk breakdown structure (RBS)), area of the project affected (e.g. using the work breakdown structure (WBS)), or other useful categories (e.g. project phase, project budget, and roles and responsibilities)
-  Grouping risks into categories can lead to the development of more effective risk responses by focusing attention and effort on the areas of highest risk exposure
6- Data Representation
-  Probability and impact matrix
- Grid for mapping the probability of each risk occurrence and its impact on project objectives if that risk occurs. The matrix specifies combinations of probability and impact that allow individual project risks to be divided into priority groups
- The probability of occurrence for each individual project risk is assessed as well as its impact on one or more project objectives
- An organization can assess a risk separately for each objective by having a separate probability and impact matrix for each. Alternatively, it may develop ways to determine one overall priority level for each risk, either by combining assessments for different objectives, or by taking the highest priority level regardless of which objective is affected
-  Hierarchical charts
- Where risks have been categorized using more than two parameters, the probability and impact matrix cannot be used and other graphical representations are required (e.g. bubble chart)
- Bubble chart displays three dimensions of data, where each risk is plotted as a disk (bubble), and the three parameters are represented by the x-axis value, the y-axis value, and the bubble size
7- Meetings
-  The project team may conduct a specialized meeting (often called a risk workshop) to discuss identified individual project risks. The goals of this meeting include (Review of previously identified risks, Assessment of probability and impacts, Categorization and prioritization)
-  A risk owner, who will be responsible for planning an appropriate risk response and reporting progress on managing the risk, will be allocated

Perform Qualitative Risk Analysis Outputs:
1- Project Document Updates

-  Includes (Assumption log, Issue log, Risk register and Risk report)

Perform Quantitative Risk Analysis (Planning Process Group)
Perform Quantitative Risk Analysis is the process of numerically analyzing the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives
Key benefit of this process is that it quantifies overall project risk exposure, and it can also provide additional quantitative risk information to support risk response planning
-  This process is not required for every project, but where it is used, it is performed throughout the project
-  Applying this process depends on availability of high-quality data about individual project risks and uncertainty, as well as a sound underlying project baseline for scope, schedule, and cost.
-  Quantitative risk analysis usually requires specialized risk software and expertise, and it consumes additional time and cost.
-  It is most likely appropriate for large or complex projects, or when it is a contractual requirement, or when a key stakeholder requires it
-  Quantitative risk analysis is the only reliable method to assess overall project risk
-  Outputs from Perform Quantitative Risk Analysis are used as inputs to the Plan Risk Responses process, recommending responses to the level of overall project risk and key individual risks

Perform Quantitative Risk Analysis Inputs:
1- Project Management Plan

-  Includes (Risk management plan, Scope baseline, Schedule baseline and Cost baseline)
2- Project Documents
-  Includes (Assumption log, Basis of estimates, Cost estimates, Cost forecasts, Duration estimates, Milestone list, Resource requirements, Risk register, Risk report and Schedule forecasts)
3- Enterprise Environmental Factors
4- Organizational Process Assets

Perform Quantitative Risk Analysis Tools & Techniques:
1- Expert Judgment
2- Data Gathering

-  Interviews: Generate inputs for the quantitative risk analysis and sources of uncertainty
3- Interpersonal and Team Skills
-  Facilitation: A skilled facilitator is useful for gathering input data during a dedicated risk workshop
4- Representation of Uncertainty
-  Where the duration, cost, or resource requirement for a planned activity is uncertain, the range of possible values can be represented in the model as a probability distribution
-  Most common forms are (triangular, normal, lognormal, beta, uniform or discrete)
-  Individual project risks may be covered by probability distributions. Alternatively, risks may be included in the model as probabilistic branches, where optional activities are added to the model to represent the time and/or cost impact of the risk should it occur, and the chance that these activities actually occur in a particular simulation run matches the risk’s probability
-  Branches are most useful for risks that might occur independently of any planned activity
-  Other sources of uncertainty may also be represented using branches to describe alternative paths through the project

5- Data Analysis
-  Simulation

- Simulations are typically performed using a Monte Carlo analysis
- When a Monte Carlo analysis is run for cost risk, the simulation uses the project cost estimates. When it is run for schedule risk, the schedule network diagram and duration estimates are used
- An integrated quantitative cost-schedule risk analysis uses both inputs. The output is a quantitative risk analysis model
- Computer software is used to iterate the quantitative risk analysis model several thousand times
- The input values (e.g. cost estimates, duration estimates) are chosen at random for each iteration. Outputs represent the range of possible outcomes for the project (e.g. project end date or BAC)
- Typical outputs include a histogram presenting the number of iterations where a particular outcome resulted from the simulation, or a cumulative probability distribution (S-curve) representing the probability of achieving any particular outcome or less
- The S-curve is an example of output from a Monte Carlo analysis
- For a quantitative schedule risk analysis, it is also possible to conduct a criticality analysis that determines which elements of the risk model have the greatest effect on the project critical path
- A criticality index is calculated for each element in the risk model, which gives the frequency with which that element appears on the critical path during the simulation, usually expressed as a percentage
- The output from a criticality analysis allows the project team to focus risk response planning efforts

-  Sensitivity analysis
- Helps to determine which individual project risks or other sources of uncertainty have the most potential impact on project outcomes. It correlates variations in project outcomes with variations in elements of the quantitative risk analysis model
- A tornado diagram is an example of sensitivity analysis
- Tornado diagram presents the calculated correlation coefficient for each element of the quantitative risk analysis model that can influence the project outcome
- Items are ordered by descending strength of correlation, giving the typical tornado appearance

-  Decision tree analysis
- Used to support selection of the best of several alternative courses of action.
- Alternative paths through the project are shown in the decision tree using branches representing different decisions, each of which can have associated costs and related individual project risks
- The end-points of branches in the decision tree represent the outcome from following that particular path, which can be negative or positive
- The decision tree is evaluated by calculating the expected monetary value of each branch, allowing the optimal path to be selected

-  Influence diagram
- Graphical aids to decision making under uncertainty. An influence diagram represents a project or situation within the project as a set of entities, outcomes, and influences, together with the relationships and effects between them
- When an element in the influence diagram is uncertain as a result of the existence of individual project risks, this can be represented in the influence diagram using ranges or probability distributions.
- The influence diagram is then evaluated using a simulation technique, such as Monte Carlo analysis, to indicate which elements have the greatest influence on key outcomes
- Outputs from an influence diagram include S-curves and tornado diagrams
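
The simulation, criticality index and sensitivity (tornado) steps described above, worked through as an added Python example that is not part of the original study guide. The two-path network, activity names, triangular durations and the 30% risk branch are constructed sample values.

```python
import math
import random

# Constructed sample model: two parallel paths (A and B) that merge at the
# project finish. Durations are triangular (min, most likely, max) in days.
ACTIVITIES = {
    "design":  {"path": "A", "tri": (8, 10, 15)},
    "build":   {"path": "A", "tri": (18, 20, 30)},
    "procure": {"path": "B", "tri": (20, 25, 45)},
}
# An individual risk modelled as a probabilistic branch: the extra activity
# only exists in an iteration when the risk occurs.
RISK_BRANCHES = {
    "customs_hold": {"path": "B", "probability": 0.30, "tri": (5, 10, 20)},
}
ELEMENTS = {**ACTIVITIES, **RISK_BRANCHES}


def pearson(xs, ys):
    """Correlation coefficient between an input and the project outcome."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def simulate(iterations=5000, seed=1):
    """Run the model `iterations` times with randomly chosen input values."""
    rng = random.Random(seed)  # seeded so a run can be reproduced
    samples = {name: [] for name in ELEMENTS}
    on_critical = {name: 0 for name in ELEMENTS}
    totals = []
    for _ in range(iterations):
        drawn = {}
        for name, act in ACTIVITIES.items():
            low, mode, high = act["tri"]
            drawn[name] = rng.triangular(low, high, mode)
        for name, risk in RISK_BRANCHES.items():
            low, mode, high = risk["tri"]
            occurred = rng.random() < risk["probability"]
            drawn[name] = rng.triangular(low, high, mode) if occurred else 0.0
        path_len = {}
        for name, days in drawn.items():
            path = ELEMENTS[name]["path"]
            path_len[path] = path_len.get(path, 0.0) + days
            samples[name].append(days)
        # The longest path in this iteration is the critical path.
        critical = max(sorted(path_len), key=path_len.get)
        totals.append(path_len[critical])
        for name, days in drawn.items():
            if ELEMENTS[name]["path"] == critical and days > 0:
                on_critical[name] += 1
    tornado = sorted(
        ((name, pearson(samples[name], totals)) for name in ELEMENTS),
        key=lambda item: abs(item[1]),
        reverse=True,  # strongest correlation first: the tornado ordering
    )
    return {
        "totals": totals,
        "criticality": {n: c / iterations for n, c in on_critical.items()},
        "tornado": tornado,
        "risk_frequency": {
            n: sum(1 for d in samples[n] if d > 0) / iterations
            for n in RISK_BRANCHES
        },
    }


def percentile(totals, p):
    """Duration that a fraction p of iterations finished at or below."""
    ordered = sorted(totals)
    return ordered[max(0, math.ceil(p * len(ordered)) - 1)]


def probability_of_meeting(totals, target):
    """One point on the S-curve: chance of finishing in `target` days or less."""
    return sum(1 for t in totals if t <= target) / len(totals)


if __name__ == "__main__":
    result = simulate()
    for p in (0.5, 0.8, 0.95):
        print(f"P{int(p * 100)} duration: {percentile(result['totals'], p):.1f} days")
    print("P(finish within 35 days):", probability_of_meeting(result["totals"], 35))
    for name, index in result["criticality"].items():
        print(f"criticality index {name}: {index:.0%}")
    for name, r in result["tornado"]:
        print(f"correlation with duration {name}: {r:+.2f}")
```

The gap between the P50 and P80 durations is one way to read the contingency reserve needed for a chosen confidence level.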

Perform Quantitative Risk Analysis Outputs:
1- Project Document Updates
-  Risk report: Updated to reflect the results of the quantitative analysis. It includes
- Assessment of overall project exposure, which is reflected in two key measures (Chances of project success indicated by the probability that the project will achieve its key objective, and Degree of inherent variability remaining within the project at the time the analysis was conducted)
- Detailed probabilistic analysis: Key outputs from quantitative risk analysis are presented such as (S-curve, tornado diagram and criticality analysis). Possible detailed results of quantitative analysis include (Amount of contingency reserve needed to provide confidence level, Identification of individual project risks, and Major drivers of overall project risk with the greatest influence)
- Prioritized list of individual project risks: This list includes those individual project risks that pose the greatest threat or present the greatest opportunity to the project, as indicated by sensitivity analysis

- Trends in quantitative risk analysis results: As the analysis is repeated at different times during the project life cycle, trends may become apparent that inform the planning of risk responses
- Recommended risk responses: The risk report may present suggested responses to the level of overall project risk exposure or key individual project risks, based on the results of the quantitative risk analysis. These recommendations will form inputs to the Plan Risk Responses process

Plan Risk Responses (Planning Process Group)
Plan Risk Responses is the process of developing options, selecting strategies, and agreeing on actions to address overall project risk exposure, as well as to treat individual project risks
Key benefit of this process is that it identifies appropriate ways to address overall project risk and individual project risks
-  This process is performed throughout the project
-  This process also allocates resources and inserts activities into project documents and the project management plan as needed
-  Effective and appropriate risk responses can minimize individual threats, maximize individual opportunities, and reduce overall project risk exposure
-  Unsuitable risk responses can have the converse effect
-  Once risks have been identified, analyzed, and prioritized, plans should be developed by the nominated risk owner to address project risk
-  Risk responses should be appropriate for the significance of the risk, cost-effective in meeting the challenge, realistic within the project context, agreed upon by all parties involved, and owned by a responsible person.
-  For large or complex projects, it may be appropriate to use a mathematical optimization model or real options analysis as a basis for a more robust economic analysis of alternative risk responses.
-  A contingency plan (or fallback plan) can be developed for implementation if the selected strategy turns out not to be fully effective or if an accepted risk occurs
-  Secondary risks are risks that arise as a direct result of implementing a risk response.

Plan Risk Response Inputs:
1- Project Management Plan
-  Includes (Resource management plan, Risk management plan and Cost baseline)
2- Project Documents
-  Includes (Lessons learned register, Project schedule, Project team assignments, Risk register, Risk report and Stakeholder register)
3- Enterprise Environmental Factors
4- Organizational Process Assets

Plan Risk Response Tools & Techniques:
1- Expert Judgment
2- Data Gathering
-  Interviews
3- Interpersonal and Team Skills
-  Facilitation

4- Strategies for Threats: Includes (Escalate, Avoid, Transfer, Mitigate and Accept)
-  Escalate:

- Escalation is appropriate when the project team or the project sponsor agrees that a threat is outside the project or the proposed response would exceed the project manager's authority.
- Escalated risks are managed at the program/portfolio level, not at the project level
- It is important that ownership of escalated threats is accepted by the relevant party in the organization
- Escalated threats are not monitored further by the project team after escalation, but they are recorded in the risk register for information

-  Avoid
- Risk avoidance is when the project team acts to eliminate the threat or protect the project from its impact. It is appropriate for high-priority threats with a high probability of occurrence and a large negative impact.
- Avoidance may involve changing some aspect of the project management plan or changing the objective that is in jeopardy in order to eliminate the threat entirely, reducing its probability of occurrence to zero
- Examples of avoidance actions (Removing the cause of a threat, Extending the schedule, Changing the project strategy, or Reducing scope)
- Some risks can be avoided by clarifying requirements, obtaining information, improving communication, or acquiring expertise

-  Transfer
- Shifting ownership of a threat to a third party to manage the risk and to bear the impact
- Risk transfer often involves payment of a risk premium to the party taking on the threat.
- Transfer actions include (Insurance, Performance bonds, Warranties and Guarantees)
- Agreements may be used to transfer ownership and liability for specified risks to another party
- Fixed-price contracts are considered a transfer risk response

-  Mitigate
- Action is taken to reduce the probability of occurrence and/or impact of a threat.
- Early mitigation actions are more effective than repairing the damage after it has occurred
- Examples of mitigation actions (Adopt a less complex process, Conduct more tests and Choose a stable seller)
- Mitigation may involve prototype development to reduce the risk of scaling up from a bench-scale model of a process or product
- Mitigation does not reduce the probability, but it reduces the impact of the threat

-  Accept
- Risk acceptance acknowledges the existence of a threat, but no proactive action is taken
- Accept is appropriate for low-priority risks, and it may be adopted if other actions are not cost-effective
- Acceptance can be either active or passive.
- The most common active acceptance strategy is to establish a contingency reserve for use if the risk occurs
- Passive acceptance involves no proactive action apart from periodic review of the threat

5- Strategies for Opportunities: Includes (Escalate, Exploit, Share, Enhance and Accept)

-  Escalate
- This risk response is appropriate when it is agreed that the opportunity is outside the scope of the project, or would exceed the authority of the project manager
- Escalated opportunities are managed at the program/portfolio level, not at the project level
- It is important that ownership of escalated opportunities is accepted by the relevant party
- They are not monitored further after escalation but can be recorded in the risk register

-  Exploit
- The exploit strategy is selected for high-priority opportunities to ensure they are realized
- Exploit seeks to capture the benefit associated with the opportunity by ensuring it definitely happens, increasing the probability to 100%
- Examples of exploit (Assigning most talented resources to reduce time to complete the project, or using new technologies to reduce cost and duration)

-  Share
- Transferring ownership of an opportunity to a third party so that it shares some of the benefit
- It is important to select the new owner of a shared opportunity carefully so they are best able to capture the opportunity for the benefit of the project
- Risk sharing often involves payment of a risk premium to the party taking on the opportunity
- Examples of sharing (Risk-sharing partnerships, Teams and Joint ventures)

-  Enhance
- Increase the probability and/or impact of an opportunity.
- Early enhancement is more effective than trying to improve after the opportunity has occurred
- Probability of occurrence of an opportunity may be increased by focusing attention on its causes
- When it is not possible to increase probability, an enhancement response might increase the impact
- Examples of enhance (Adding more resources to an activity to finish early)

-  Accept
- Accepting an opportunity acknowledges its existence but no proactive action is taken
- Accept is appropriate for low-priority opportunities or if it is not possible or cost-effective to address the opportunity any further
- Acceptance can be either active or passive.
- The active strategy includes establishing a contingency reserve, including (time, money or resources)
- Passive acceptance involves no proactive action apart from periodic review of the opportunity to ensure that it does not change significantly

6- Contingent Response Strategies
-  Some responses are designed for use only if certain events occur
-  Prepare a response plan that will be executed only if predefined conditions occur
-  Events that trigger the contingency response, such as missing intermediate milestones or gaining higher priority with a seller should be defined and tracked
-  Risk responses identified using this technique are often called (contingency plans or fallback plans)
7- Strategies for Overall Project Risk
-  Avoid: Where the level of overall project risk is negative and outside the agreed threshold. Example (Removal of high-risk elements of scope). If it's not possible to bring the project back within the thresholds, the project may be cancelled
-  Exploit: Where the level of overall project risk is positive and outside the agreed threshold. Example (Addition of high-benefit elements of scope)
-  Transfer/Share: If the level of overall project risk is high but the organization is unable to address it effectively. A third party may be involved to manage the risk (positive or negative). Example (setting up a collaborative business structure, Joint venture, or subcontracting key elements of the project)
-  Mitigate/Enhance: These strategies involve changing the level of overall project risk (positive or negative) to optimize the chances of achieving the project objectives. Examples (Replanning, Change the scope, Modify project priority, Change resource allocations and change delivery times)
-  Accept: Where no proactive risk response strategy is possible to address overall project risk (positive or negative). Acceptance can be active (contingency reserve) or passive (no proactive action)

8- Data Analysis
-  Alternative analysis: A simple comparison of the characteristics and requirements of alternative risk responses, which may lead to a decision on which response is most appropriate
-  Cost-benefit analysis: If the impact of an individual project risk can be quantified in monetary terms, this method can be used. The ratio of (change in impact level) divided by (implementation cost) gives the cost effectiveness of the response strategy. A higher ratio indicates a more effective response
9- Decision Making
-  Multicriteria decision analysis: One or more risk response strategies may be under consideration. Multicriteria analysis uses a decision matrix to provide a systematic approach for establishing key decision criteria, evaluating and ranking alternatives and selecting a preferred option. Criteria for risk response selection include "cost of response".

Plan Risk Response Outputs:
1- Change Requests
2- Project Management Plan Updates
-  Includes (Schedule management plan, Cost management plan, Quality management plan, Resource management plan, Scope baseline, Schedule baseline, Cost baseline)
3- Project Document Updates
-  Includes (Assumption log, Cost forecasts, Lessons learned register, Project schedule, Project team assignments, Risk register and Risk report)
- The risk register is updated when appropriate risk responses are chosen and agreed upon, and includes (Response strategies, Action to implement the strategy, Trigger conditions and symptoms of a risk occurrence, Budget and schedule activities, Contingency plan, Fallback plans)
- Risk report is updated to present agreed-upon responses to overall project risk exposure and high-priority risks

Implement Risk Responses (Executing Process Group)
Implement Risk Responses is the process of implementing agreed-upon risk response plans.
Key benefit of this process is that it ensures that agreed-upon risk responses are executed as planned in order to address overall project risk exposure, minimize individual project threats, and maximize individual project opportunities
-  This process is performed throughout the project
-  A common problem with project risk management is that no action is taken against identified risks
-  Only if risk owners give the required level of effort to implement the agreed-upon responses will the overall risk exposure of the project and individual threats and opportunities be managed proactively.

Implement Risk Response Inputs:
1- Project Management Plan
-  Includes Risk management plan
2- Project Documents
-  Includes (Lessons learned register, Risk register, and Risk report)
3- Organizational Process Assets

Implement Risk Response Tools & Techniques:
1- Expert Judgment
2- Interpersonal and Team Skills
-  Influencing: Some risk response actions may be owned by people outside the immediate project team or who have competing demands. The project manager or facilitator may need to exercise influencing to encourage nominated risk owners to take necessary actions.
3- Project Management Information System (PMIS)

Implement Risk Response Outputs:
1- Change Requests
2- Project Documents Updates
-  Includes (Issue log, Lessons learned register, Project team assignments, Risk register and Risk report)

Monitor Risks (Monitoring and Controlling Process Group)
Monitor Risks is the process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project.
The key benefit of this process is that it enables project decisions to be based on current information about overall project risk exposure and individual project risks
-  This process is performed throughout the project

Monitor Risk Inputs:
1- Project Management Plan
-  Includes Risk management plan
2- Project Documents
-  Includes (Issue log, Lessons learned register, Risk register and Risk report)
3- Work Performance Data
-  Contains data on project status such as risk responses that have been implemented, risks that have occurred, risks that are active and those that have been closed out.
4- Work Performance Reports
-  Provide information from performance measurements that can be analyzed to provide project work performance information including variance analysis, earned value data, and forecasting data

Monitor Risk Tools & Techniques:
1- Data Analysis
-  Technical performance analysis: Compares technical accomplishments during project execution to the schedule of technical achievement. It requires the definition of objective, quantifiable measures of technical performance, which can be used to compare actual results against targets. This may include weight, transaction times, and number of defects
-  Reserve analysis: During execution some risks may occur with positive or negative impact on budget or schedule contingency reserve. Reserve analysis compares the amount of the contingency reserves remaining to the amount of risk remaining at any time in the project, to determine if the remaining reserve is adequate. This may be presented graphically in a "Burndown chart"
2- Audits
-  The project manager is responsible for ensuring that risk audits are performed at an appropriate frequency. Audits may be included during routine project review meetings or at a risk review meeting, or a separate audit meeting may be held
3- Meetings
-  Risk reviews: Examine and document the effectiveness of risk responses in dealing with overall and individual project risks. A risk review meeting can be part of a periodic project status meeting. Risk reviews also reassess some previously identified risks.

Monitor Risk Outputs:
1- Work Performance Information
-  Information on how project risk management is performing by comparing the individual risks that have occurred with the expectation of how they would occur. This information indicates the effectiveness of the response planning and response implementation processes
2- Change Requests
3- Project Management Plan Updates
-  Any change to any component of the project management plan will update that component
4- Project Document Updates
-  Includes (Assumption log, Issue log, Lessons learned register, Risk register and Risk report)
5- Organizational Process Assets Updates
-  Includes (Templates for risk management plan, Risk register/reports, and RBS)