Project risk analysis and

management
(MSPM 712)
By: Tesfaye Etensa (Ass.Prof.)
Department of project management,
LIC
Email: [email protected]
3. Project Risk Analysis and Evaluation
By: Tesfaye Etensa (Ass.Prof.)
Department of Project management,
LIC
Email: [email protected]
 Lecture Three
Project risk analysis and evaluation
3.1 Risk assessment

• Risk assessment is the combined effort of: identifying and analyzing

potential events that may negatively impact individuals, assets, and/or
the environment; and making judgments "on the tolerability of the risk
on the basis of a risk analysis" while considering influencing factor.

• Risk assessment focuses on the risks that both internal and external
threats pose to your data availability, confidentiality, and integrity.

• To assess risks thoroughly, you have to spot all the possible events
that can negatively impact your data ecosystem and data
environment.
3.1 Risk assessment…
• Risk assessments should follow five simple steps:
• Step 1: Identify the hazards (natural or human )
• Step 2: Decide who might be harmed and how
• Step 3: Evaluate the risks and decide on precautions
• Step 4: Record your findings and implement them
• Step 5: Review your assessment and update if necessary
 Risk analysis in prioritizing risks
• How to utilize risk analysis in prioritizing risks?
• All security risks are not equal. Something may have an
impact but low potential.
• High Priority: A high risk-high impact scenario, for instance,
would undeniably be a zero-day attack, whereby hackers
spot a way of exploiting a previously unidentified weakness.
• A zero-day attack (also referred to as Day Zero) is an
attack that exploits a potentially serious software
security weakness that the developer may be unaware of.
• The software developer must rush to resolve the weakness
as soon as it is discovered in order to limit the threat to
software user
 Risk analysis in prioritizing risks
• Medium Priority: An example of a medium-risk
occurrence can be a former worker stealing
information after being terminated from work.
• While most employees just go from one occupation to
the next, others may be disgruntled.
• Low Priority: Low-risk cases include somebody
breaking into your company offices and stealing
various devices.
• The possibility of this event happening is low.
• Also, the possibility of data loss is low, especially if
the devices do not have any stored information on
them.
Example for Definition of Probability and
Impacts
 The ten steps to risk assessment
o The ten steps to risk assessment and developing a risk management action
plan are as follows:
▪ 1. Make a commitment as an organisation to risk management.
▪ 2. Identify all possible material threats and risks.
▪ 3. Assess the level of each risk.
▪ 4. Decide to accept, treat or transfer each risk.
▪ 5. Determine treatment options for all unacceptable risks.
▪ 6. Formalise your risk management action plan.
▪ 7. Implement your treatment options.
▪ 8. Communicate information to everyone affected.
▪ 9. Review your risk management action plan on a periodical basis
(at least quarterly) or sooner if a major issue arises in your
organisation‘s operations.
▪ 10. Identify any new risks and update your plan.
 3.2 Risk analysis
• Risk analysis involves examining how project outcomes and
objectives might change due to the impact of the risk event.
• Once the risks are identified, they are analysed to identify the
qualitative and quantitative impact of the risk on the project
so that appropriate steps can be taken to mitigate them .
• Risk analysis is the process that figures out how likely that a
risk will arise in a project.
• It studies uncertainty and how it would impact the project in
terms of schedule, quality and costs if in fact it was to show
up.
• Two ways to analyze risk is quantitative and qualitative.
• But it is important to know that risk analysis is not an exact
science, it is more like an art.
 3.2 Risk analysis

▪ How likely is the risk event to happen? (probability and

frequency?)
▪ What would be the impact, cost or consequences of that event
occurring? (economic, political, social?).
▪ Once risks are identified you determine the likelihood and
consequence of each risk.
▪ You develop an understanding of the nature of the risk and its
potential to affect project goals and objectives.
▪ This information is also input to your Project Risk Register.
• Probability and Impact
Therefore, Overall exposure(risk)= probability X impact
 A. Qualitative Risk Analysis
A. Qualitative Risk Analysis

▪ Assess the likelihood and impact of identified risks to determine

their magnitude and priority.
▪ How to Perform a Qualitative Risk Analysis?
 Once you’ve got a list of risks, you’ll need to get a good idea of
the probability and impact of each risk.
 Remember the probability and impact guidelines in the Risk
Management plan?
 This is where you use them to assign a probability and impact to
each risk!
 Perform Qualitative Risk Analysis helps you prioritize each risk
and figure out its probability and impact.
 What are the benefits of qualitative risk analysis?
 Qualitative risk analysis can be used at any stage of the project lifecycle.
Some of its top benefits include:
• Provides a structured approach to risk management: Qualitative risk
assessment breaks down the risk management process into a series of well-
defined steps. This helps ensure all potential risks are identified and
addressed in a systematic manner.
• Develops an effective risk management plan: Qualitative risk analysis
identifies all potential project risks as well as their corresponding
mitigation measures. This helps your project stay on track and within
budget.
• Facilitates effective decision-making: Qualitative risk assessment offers a
clear understanding of potential risks and their impact on your project. This
allows you to make informed decisions about how to best mitigate or avoid
the risks.
• Improves the overall project communication: Qualitative risk analysis
provides a common framework and language for discussing risks. This
ensures all project stakeholders are on the same page in terms of
understanding potential risks and their impact on the project.
 A. Qualitative Risk Analysis
• There are several ways to perform a qualitative risk analysis.
• These techniques require varying degrees of discipline and time.
• For small projects, project managers can use what we call the KISS
(Keep It Super Simple) Method.
• This one-dimensional technique involves rating risks as:
Very Low, Low, Medium, High, Very High
• Rather, a more common method is the probability/impact
matrix.
• This two- dimensional technique is used to rate probability
and impact.
▪ Probability is the likelihood that a risk will occur.
▪ The impact is the consequence or effect of the risk,
normally associated with the project objectives such as
schedule, cost, scope, and quality.
 A. Qualitative Risk Analysis
• Rate probability and impact on a scale such as 1 to 5 where 5 is
the highest probability and impact. Then we multiply probability
times the impact to calculate our risk score.
• For example, we could rate a risk as a probability of 4 and an
impact of 3. The risk score would be 4 x 3 = 12.
• The scale may be applied to both threats and opportunities.
• Higher risk scores for threats indicate negative impacts such as
adverse impacts on the schedule or budget.
• And higher risk scores for opportunities indicate positive impacts
such as a reduction in the schedule or budget.
• Risk quantification tools and techniques include:
(i) Probability/impact matrixes
(ii) The Top Ten Risk Item Tracking
(iii) Expert judgment
 Qualitative Analysis Example
Id Risk Description Event Date Probability Impact

1 Performance issues dueto redesignof batch(splitting into 4concurrent Sep-10 High Medium
jobs) arenothandled before the cycle testing begins
2 Server performance issues are not handled before the cycle testing begins in Sep-10 Low Medium
September
3 Unanticipated table changes occur after the coding has been completed in Aug-10 Low Low
August
4 The testing environment chosen could interfere with other high priority Sep-10 Low Medium
projects
5 Priorityto implementnon-rating modmaygo up due to NJ coming up Aug-10 Medium High
right after IOWA.
6 ImpactAnalysis brings up something that we are not thinking of now (on both Jun-10 Medium Medium
mainframe and PARIS sides), that may push the project dates
7 Coding maytake longerthan expected Jul-10 High Medium
8 Finding too many differences between SBR and Mainframe rating of a policy Aug-10 Medium Medium
may push the dates for cycle testing and the project.
9 Daily business functions could be interrupted for Production Problems - Anytime Medium Medium
taking the resources away from this project
10 Othernewproduct(MAAuto, NJAuto, Company8,ChromeExpansion)- Anytime High High
Taking resourcesawayfrom this project
11 System upgrades (Rating Engine 4.0, end of VB6…) may be pushed on us Jun-10 Low Medium
right in the middle of this project
Id Risk Description Event Probabili Impact Magnit
Date ty (days) ude
1 Performance issues due to redesign of batch (splitting into Sep-10 H 70% M 15 10.5
4 concurrent jobs) are not handled before the cycle testing
2 Server performance issues are not handled before the cycle Sep-10 L 10% M 10 1
testing begins in September
3 Unanticipated table changes occur after the coding has been Aug-10 L 10% L 5 0.5
completed in August
4 The testing environment chosen could interfere with other high Sep-10 L 10% M 10 1
priority projects
5 Priority to implement non-rating mod may go up due to NJ Aug-10 M 25% H 40 10
coming up right after IOWA.
6 Impact Analysis brings up something that we are not thinking of Jun-10 M 25% M 15 3.75
now (on both mainframe and PARIS sides), that may push the
7 Coding may take longer than expected Jul-10 H 50% M 20 10
8 Finding too many differences between SBR and Mainframe Aug-10 M 30% M 15 4.5
rating of a policy may push the dates for cycle testing and the
project.
9 Daily business functions could be interrupted for Production Anytime M 30% M 10 3
Problems - taking the resources away from this project
10 Other new product (MA Auto, NJ Auto, Company8, Chrome Anytim H 70% H 45 31.5
Expansion) - Taking resources aw ay from this project e

11 System upgrades (Rating Engine 4.0, end of V B 6 … ) may be Jun-10 L 20% M 20 4

pushed on us right in the middle of this project
11 Total Risk Magnitude for the Project 79.75
 (i) Probability/Impact Matrix
▪ A probability/impact matrix or chart lists the relative
probability of a risk occurring on one side of a matrix
or axis on a chart and the relative impact of the risk
occurring on the other.
▪ List the risks and then label each one as high, medium,
or low in terms of its probability of occurrence and its
impact if it did occur.
▪ Can also calculate risk factors:
• Numbers that represent the overall risk of specific
events based on their probability of occurring and
the consequences to the project if they do occur.
 (i) Probability/Impact Matrix
 The corners of the chart have these characteristics:

▪ Low impact/low probability – Risks in the bottom left corner are low
level, and you can often ignore them.

▪ Low impact/high probability – Risks in the top left corner are of

moderate importance – if these things happen, you can cope with them
and move on.

▪ High impact/low probability – Risks in the bottom right corner are of

high importance if they do occur, but they're very unlikely to happen.

▪ High impact/high probability – Risks towards the top right corner are
of critical importance. These are your top priorities, and are risks that
you must pay close attention
 (i) Sample Probability/Impact Matrix

▪ Bottom-left corner: In this spot, write down risks with low probability and low impact.
▪ Top-left corner: This spot denotes any risks that have a high probability of occurring but low i impact.
▪ Bottom-right corner: Any risk in this corner would have a high impact, but there is a low probability that
it will occur.
▪ Top-right corner: Any risk you put in this corner has both a high probability and high impact.
Chart Showing High-, Medium-, and Low-Risk Technologies
 (ii) Top Ten Risk Item Tracking

• Top ten risk item tracking is a qualitative risk analysis

tool that helps to identify risks and maintain an
awareness of risks throughout the life of a project.

• Establish a periodic review of the top ten project risk

items.

• List the current ranking,

• previous ranking,
• number of times the risk appears on the list over a
period of time, and
• a summary of progress made in resolving the risk item.
Example of Top Ten Risk Item Tracking
 (iii)Expert judgment
 Expert judgment is when you call in an expert to get a skilled
opinion.
 It’s an estimation methodology for project planning that relies on the
expert’s opinion to estimate quantitative project details, such as
timelines and potential resources.
 According to the Project Management Institute (PMI), expert
judgement is one of the most common project management planning
tools.
 In the PMBOK® Guide, they suggest expert judgment as a potential
tool in every single one of their six processes. Specialized
knowledge is expensive, so hiring a skilled full-time employee to
give expert judgement is not always cost-effective.
 Instead, many companies hire external experts to complete
assessments, using them to monitor and control project work in
specific areas.
 Expert judgment
 You can also use expert judgment:
• For cost management.
• During decision-making.
• With forecasting.
• For risk management.
 Types of expert judgment:
 Delphi technique: Running through the expert judgment process
once will leave you with one expert’s opinion, but these can be
biased. The Delphi technique continues the expert judgment process
repeatedly in an effort to remove those cognitive biases.
 Expert elicitation: When a group of experts in a specific knowledge
area form one, cohesive opinion. Usually used when there’s less data
or resources available.
 Expert judgment
This method includes consulting with people who
have deep knowledge or expertise in a particular
area.
It’s especially used in situations where you need to
understand a specific type of project risk (such as
technical risks) or when you need specialized
subject matter expertise.
 Who are the experts?
• Internal project team members
• Subject matter experts
• Project managers
• Project stakeholders
 The 7 steps to get expert judgment
 1. Research the problem
▪ Before you can engage your expert, you must have a thorough
understanding of your problem. Make sure you know exactly
what’s already been completed, where the issue stands, and
what you need from your expert.
 2. Write out your questions
▪ Be as specific as possible here.
▪ The more targeted your questions, the better your expert’s
answers will be.
▪ Using your research from the previous step, develop clear
questions.
▪ The questions you ask can be complex, but should be clear
enough for the expert to understand and answer.
 The 7 steps to get expert judgment
 3. Select your experts
▪ Choose the experts that best fit the needs of this specific problem
or project. For example, if you’re working on product distributions,
you’ll want to involve experts who understand your industry’s
supply chain and the target market. Then explain the problem to
them, sharing all resources and project documents so they have the
knowledge they need to pass effective judgment.
 4. Submit your questions
▪ Send your questions off to your selected experts. If you’re
using project management software, you can attach relevant analyses
and documents directly to the questions. Then when your experts
respond, you can see their answers in real-time.
 The 7 steps to get expert judgment
 5. Review and analyze their judgements
▪ Once you have answers from your experts, it’s up to you to review
them and determine how you’re going to use the information. To
further mitigate bias, you might want to use a peer review process
made up of multiple experts to ensure you’re getting the most
accurate data.
 6. Aggregate judgements in a report
▪ Create a report of all the judgements you receive. Save it as one
central source of truth, so you can easily share the results with
stakeholders.
 7. Communicate results
▪ Once you have your results neat and tidy, send them out to all
stakeholders for review. At this stage, you’ll also start to discuss if
you need another round of expert judgment. Mostly, you repeat the
process if stakeholders spot errors or have additional questions.
 Common pitfalls to avoid during qualitative risk analysis
 Avoid these common pitfalls to increase the effectiveness of qualitative risk
analysis:
• Not clearly defining project objectives: Without a clear understanding of project
objectives and goals, it’ll be difficult to identify risks likely to impact your
projects. To avoid this, have a clear and concise project plan that everyone on your
team understands.
• Focusing too much on individual risks instead of the overall risk
landscape: Neglecting the overall risk landscape and only focusing on individual
risks can lead to suboptimal decision-making. When analyzing project risk, take a
step back and look at the big picture to ensure you are taking a holistic approach.
• Overemphasizing the risk impact factor interms of probability risk
events: While the impact of a risk factor is important to consider, it’s not the only
factor you should take into account when making risk reduction decisions.
Consider the probability of a risk event occurring as well as its potential impact
when making mitigation plans.
• Underestimating the dynamic nature of risks: Risk analysis is inherently
uncertain, as risks can change over time. Underestimating the dynamic nature of
risks can lead to a false sense of security and, ultimately, increase risk exposure.
Therefore, reevaluate risks regularly and update the risk management plan as
needed.
 Tips for effective qualitative risk analysis
• Start by setting clear goals and objectives for your analysis. This will
help guide your decision-making and ensure you focus on the most
potential risks for your project.
• Consult all stakeholders to get different perspectives. This will help you
gain a more comprehensive understanding of risks that are the most
relevant to your project.
• Use a variety of methods to identify risks; don’t rely on only one
method. This will ensure you’re not overlooking any major risks and make
your risk analysis more robust.
• Be prepared to adapt your approach as needed. The risks associated
with a project can change over time, so it’s important to be flexible and
adapt your approach as needed.
• Document your findings and track changes in risks over time. This will
help you communicate your findings to stakeholders and make informed
decisions about risk management strategies.
 B. Quantitative Risk Analysis
• By the time you get here, you‘ve got a list of risks, with a
probability and impact assigned to each.
• That‘s a great starting point, but sometimes you need more
information if you want to make good decisions… You can make
better decisions with more precise information.
• That‘s what this process is about—assigning numerical values for
the probability and impact of each risk
• The main quantitative Risk Analysis tools and techniques
include but are not limited to:
(i) Three Point Estimate – a technique that uses the optimistic,
most likely, and pessimistic values to determine the best estimate.
(ii) Decision Tree Analysis – a diagram that shows the implications
of choosing one or other alternatives.
.
 B. Quantitative Risk Analysis

(iii)Expected Monetary Value (EMV) – a method used to

establish the contingency reserves for a project budget
and schedule.
(iv)Simulation models ( Monte Carlo Analysis) – a technique that uses
optimistic, most likely, and pessimistic estimates to determine the
total project cost and project completion dates.
 For example, we could estimate the probability of completing a
project at a cost of 2 million ETB. Or what is a company wanted to
have an 80% probability of achieving its cost objectives. What is the
cost to achieve 80%?
(V) Sensitivity Analysis – a technique used to determine which risks
have the greatest impact on a project.
 Fault Tree Analysis– the analysis of a structured diagram which
identifies elements that can cause system failure
 (i)Three point Estimates for use in triangular
distribution
 Triangular distribution is a common formula used when there is insufficient
historical data to estimate duration of an activity. It is based on three points that
consider estimation uncertainty and risk.
• Most likely (M): estimate based on the duration of the activity given all the other
considerations.
• Optimistic (O): estimate based on the best-case scenario.
• Pessimistic (P): estimate based on the worst-case scenario.
 Formula: Expected duration of the activity (E) = (O+M+P)/3
 These are then combined to yield either a full probability distribution, for later
combination with distributions obtained similarly for other variables, or summary
descriptors of the distribution, such as the mean, standard deviation or percentage
points of the distribution.
 The accuracy attributed to the results derived can be no better than the accuracy
inherent in the 3 initial points, and there are clear dangers in using an assumed
form for an underlying distribution that itself has little basis.
 Three point Estimates for use in triangular
distribution
▪ 3 points estimation is used to help project managers
predict cost and time required for work packages,
control accounts and the overall project.
▪ The premise is you come up with 3 points:
• Optimistic estimate: estimate based on the best-
case scenario.
• Most likely estimate: estimate based on the
duration of the activity given all the other
considerations.
• Pessimistic estimate: estimate based on the
worst-case scenario.
 Triangular Distribution
In triangular distribution, you will take the
average of the 3 points.
▪ Optimistic estimate (O)
▪ Most likely estimate (M)
▪ Pessimistic estimate (P)
▪ The formula is: (O+M+P)/3
 Beta Distribution (or PERT)

In beta distribution (or PERT), you place more

weight on the most likely estimate.

▪ Optimistic estimate (O)

▪ Most likely estimate (M)
▪ Pessimistic estimate (P)
▪ The formula is: (O+4*M+P)/6
▪ This method is popular.
 Comparison
▪ Beta distribution is more useful in cases where we
have a lot of historical data and information about
similar projects.
▪ If we are doing a project for the first time, it makes
more sense to use triangular distribution.
▪ Triangular distribution is a common formula
used when there is insufficient historical data to
estimate duration of an activity
 Example
▪ Lunar international college is planning a new students information
management system (SIMS).
▪ They have been storing the students records on paper for the past couple
of years, causing many errors, including scheduling disturbing, delay in
graduation and the like. You are the project manager for the project , and
based on your past experiences, you believe the project will take 10 weeks
to complete. Optimistically, it could take as little as 6 weeks, and if some
issues do occur, the worst case scenario is that the project might take 20
weeks to complete.
▪ A. Which distribution can we use? Why?
▪ B. What is the duration estimate for this project?
 (ii) Decision Trees and Expected Monetary Value (EMV)

• A decision tree is a diagramming analysis technique help to

select the best course of action in situations in which future
outcomes are uncertain.
• A graphical representation of expected (monetary) value
calculations
• Very well suited to everyday problems where one wants to
quickly pick the best alternatives
• None events connected by branches
• Choice event
• Risk event
• Terminal
(ii) Decision Trees and Expected Monetary Value
(EMV)
• Expected monetary value (EMV) is the product
of a risk event probability and the risk event’s
monetary value.
• Expected monetary value analysis: The
method considers the probability of each
possible outcome and determines the average
value of all outcomes.
• You can draw a decision tree to help find the
EMV
• Decision Trees Example:
• Building the Decision Tree to Use in Decision Tree Analysis
• In this scenario, you can either:
• Build the new software: To build the new software, the
associated cost is $500,000
• Buy the new software: To buy the new software, the associated
cost is $750,000.
• Stay with the legacy software: If the company decides to
stay with the legacy software, the associated cost is mainly
maintenance and will amount to $100,000.
(ii) Decision Trees
 Decision Trees
• Decision Trees Example – Calculating Expected Monetary Value
for each Decision Tree Path.
• The diagram depicts the decision tree.
• Now, you can calculate the Expected Monetary Value for each
decision.
• The Expected Monetary Value associated with each risk is
calculated by multiplying the probability of the risk with the
impact.
• By doing this, we get the following:
• Initial setup cost are 500,000, 750,000 &100,000 respectively
 Decision Trees

i.e. Growth in business mean is the stage where the business reaches
the point for additional option to generate more profit
 Decision Trees

• Looking at the options listed above, you can start building the
decision trees as shown in the diagram.
• By looking at this information, the lobby for staying with the
legacy software would have the strongest case. But, let‘s see how
it works .

• The Buy the New Software and Build the New Software options
will lead to either a successful deployment or an unsuccessful
one.
• If the deployment is successful then the impact is zero, because
the risk will not have materialized.
• However, if the placement is unsuccessful, then the risk will
materialize and the impact is $2 million.
 Decision Trees

▪ The Stay with the Legacy Software option will lead to

only one impact, which is $2 million, because the legacy
software is not currently meeting the needs of the
company.
▪ Nor, will it meet the needs should there be growth. In this
example, we have assumed that the company will have
growth.
▪ In this example, Decision Trees analysis will be used to
make the project risk management decision.
▪ The next step is to compute the Expected Monetary
Value for each path in the Decision Trees.
 Expected Monetary Value
▪ The expected monetary value is how much money you can expect
to make from a certain decision.
▪ Steps to Calculate Expected Monetary Value (EMV).
▪ To calculate the Expected Monetary Value in project risk
management, you need to:
▪ Step1: Assign a probability of occurrence for the risk.(.i.e
40%,5%,100%)
▪ Step2: Assign monetary value of the impact of the risk when it
occurs.(i..e $ 2,000,000)
▪ Step 3: Multiply Step 1 and Step 2.
▪ The value you get after performing Step 3 is the Expected Monetary
Value. This value is positive for opportunities (positive risks) and
negative for threats (negative risks).
▪ Project risk management requires you to address both types of
project risks
 What is the Expected Monetary Value?
• Consider the earlier example and compute the EMV???
• Build the new software: $ 2,000,000 * 0.4 = $ 800,000
• Buy the new software: $ 2,000,000 * 0.05 = $ 100,000
• Staying with the legacy software: $ 2,000,000 * 1 = $ 2,000,000
• Now, add the setup costs to each Expected Monetary Value:
• Build the new software: $ 500,000 + $ 800,000 = $ 1,300,000
• Buy the new software: $ 750,000 + $ 100,000 = $ 850,000
• Staying with the legacy software: $ 100,000 + $ 2,000,000 = $
2,100,000
• Now let‘s make the decision?
• Now let‘s make the decision in this Decision Trees example.

• This will illustrate the role of Decision Trees in Project Risk

Management.
• Looking at the Expected Monetary Values computed in this
Decision Trees example, you can see that buying the new
software is actually the most cost efficient option, even
though its initial setup cost is the highest.
• Staying with the legacy software is by far the most expensive
option.
 Decision Trees
▪ When you conduct a SWOT Analysis to determine
whether a business idea is worth pursuing, there is
no quantified data to support your decision.
▪ Decision Trees and Decision tree analysis help you
quantify the data, which is then useful in
convincing stakeholders.
▪ It is a critical part in Project Risk Management
• Example II: Expected Monetary Value Example for
Project Risk Management
• Suppose you are leading a construction project.
Weather, cost of construction material, and labor
turmoil are key project risks found in most
construction projects:
• Project Risks 1 – Weather: There is a 25 % chance of
excessive snow fall that‘ll delay the construction for
two weeks which will, in turn, cost the project
$80,000.
• Project Risks 2 – Cost of Construction Material: There is
a 10 % probability of the price of construction
material dropping, which will save the project
$100,000.
 Expected Monetary Value Example for Project
Risk Management
• Project Risks 3 – Labor Turmoil: There is a 5%
probability of construction coming to a halt(stop)
if the workers go on strike. The impact would lead
to a loss of $150,000.
• Consider your industry and geographic area to
determine whether this risk would have a higher
probability.
• Next, let's see how to quantify the project risks by
calculating the Expected Monetary Value of each
risk.
 Expected Monetary Value Example for Project Risk
Management

• In this Expected Monetary Value example, we have two negative

project risks (Weather and Labor Turmoil) and a positive project
risks (Cost of Construction Material).
• The Expected Monetary Value for the project risks:
• Weather: 25/100 * (-$80,000) = – $ 20,000
• Cost of Construction Material: 10/100 * ($100,000) = $ 10,000
• Labor Turmoil: 5/100 * (-$150,000) = – $7,500
• Question: Which types of project risk has the highest impact and
the lowest EMV?
• Answer: Though the highest impact is caused by the Labor
Turmoil project risk, the Expected Monetary Value is the
lowest. This is because the probability of it occurring is very low.
 Interpretation
▪ This means that if the:
▪ Weather negative project risks occurs, the
project loses $20,000,
▪ Cost of Construction Material positive project
risks occurs, the project gains $10,000, and
▪ Labor Turmoil negative project risks occurs the
project loses $ 7,500
• The project’s Expected Monetary Value
(EMV) based on these project risks is:
-($20,000) + ($10,000) – ($7,500) = –$17,500
 Interpretation
▪ Therefore, if all risks occur in the construction project, the project
would lose $17,500.
▪ In this scenario, the project manager can add $17,500 to the budget
to compensate for this.
▪ This is a simplistic Expected Monetary Value calculation example.
▪ Another technique used to calculate complex Expected Monetary
Value calculations is by conducting Decision Tree Analysis.
▪ This analysis helps while making complex project risk
management decisions
 (iii) Simulation Model: Monte Carlo Analysis
• It is a mathematical techniques which is used to estimate
possible outcomes of uncertainty activities.
• A project simulation uses a model that translates the
uncertainties specified at a detailed level into their
potential impact on objectives at the level of the total
project.
• Project simulations are typically performed using the Monte
Carlo technique.
• For a cost risk analysis, a simulation may use the
traditional project WBS as its model.
• For a schedule risk analysis, the Critical Path Method
(CPM) schedule is used.
• Simulation uses a representation or model of a system to
analyze the expected behavior or performance of the
system.
 (iii) Simulation Model: Monte Carlo Analysis
• Monte Carlo analysis simulates a model‘s outcome many times to
provide a statistical distribution of the calculated results.
• It works based on random probability, which generates many
possible outcomes.
 To use a Monte Carlo simulation, you must have three estimates
(most likely, pessimistic, and optimistic) plus an estimate of the
likelihood of the estimate being between the most likely and
optimistic values.
 A large aerospace company used Monte Carlo simulation to help
quantify risks on several advanced-design engineering projects, such
as the National Aerospace Plan (NASP)
 Steps of a Monte Carlo Analysis
1. Assess the range for the variables being considered
2. Determine the probability distribution of each
variable
3. For each variable, select a random value based on the
probability distribution
4. Run a deterministic analysis or one pass through the
model
5. Repeat steps 3 and 4 many times to obtain the
probability distribution of the model‘s results
 Example
Let us try to understand this with the help of an example.
Suppose you are managing a project involving creation of
an e-Learning module.
The creation of the eLearning module comprises of three
tasks: writing content, creating graphics, and integrating
the multimedia elements.
Based on prior experience or other expert knowledge, you
determine the best case, most-likely, and worst-case
estimates for each of these activities as given below:
 Tasks Best-case Most likely Worst-case
estimate estimate estimate

Writing content 4 days 6 days 8 days

Creating graphics 5 days 7 days 9 days

Multimedia 2 days 4 days 6 days

integration
Total duration 11 days 17 days 23 days

▪ The Monte Carlo simulation randomly selects the input values for the different
tasks to generate the possible outcomes. Let us assume that the simulation is
run 500 times.
▪ From the above table, we can see that the project can be completed anywhere
between 11 to 23 days.
▪ When the Monte Carlo simulation runs are performed, we can analyze the
percentage of times each duration outcome between 11 and 23 is obtained.
▪ The following table depicts the outcome of a possible Monte Carlo simulation
 Number of times the simulation Percentage of simulation runs where
Total Project
result was less than or equal to the the result was less than or equal to the
Duration
Total Project Duration Total Project Duration

11 5 1%

12 20 4%

13 75 15%

14 90 18%

15 125 25%

16 140 28%

17 165 33%

18 275 55%

19 440 88%

20 475 95%

21 490 98%

22 495 99%

23 500 100%

This can be shown graphically in the following manner:

▪ What the above table and chart suggest is, for example, that the likelihood of completing the project in 17
days or less is 33%. Similarly, the likelihood of completing the project in 19 days or less is 88%, etc.
▪ Note the importance of verifying the possibility of completing the project in 17 days, as this, according to
the Most Likely estimates, was the time you would expect the project to take.
▪ Given the above analysis, it looks much more likely that the project will end up taking anywhere
between 19 – 20 days
 (iv) Sensitivity Analysis
• Sensitivity analysis is a technique used to
show the effects of changing one or more
variables on an outcome
• How changes in inputs changes the output i.e.
how sensitive output is to changes in input
▪ Sensitivity analysis is the quantitative risk assessment of
how changes in a specific model variable impacts the
output of the model.
• For example, many people use it to determine what the
monthly payments for a loan will be given different
interest rates or periods of the loan, or for determining
break-even points based on different assumptions
• Spreadsheet software, such as Excel, is a common tool for
performing sensitivity analysis
(iv) Sensitivity Analysis
69
70
 Sensitivity Analysis
▪ The value variables are:
o estimated based on the most probable forecasts.
o influenced by a great number of factors, and the actual
values may differ considerably from the forecasted
values.
▪ It is, therefore, useful to consider the effects of likely
changes in the key variables on the viability of the project.
We can do this by performing sensitivity analysis.
▪ The viability of projects is evaluated based on a
comparison of their NPV (the project is said to be viable if
71
the is NPV positive).
 Sensitivity Analysis
 Sensitivity analysis focuses on analyzing the effects of changes in key
variables on the project's IRR or NPV, the two most widely used
measures of the project worth of use, flexibility and low cost.
 Sensitivity analysis typically involves posing "what if"? questions.
o For example, what if demand fell by 10% compared to our original
forecasts? Would the project still be viable?
 In project appraisal, sensitivity analysis assesses how responsive the
project's NPV is to changes in the variables used to calculate that NPV.
 The NPV could depend on a number of uncertain independent
variables: (a) Selling price, (b) Sales volume, (c) Cost of capital, (d)
Initial cost, (e) Operating costs, (f) Benefits, etc.
 Sensitivity analysis, therefore, provides an indication of why a project
might fail. 72
 Sensitivity Analysis
 Management should:
• Review critical variables to assess whether or not there is a
strong possibility of events occurring which will lead to a
negative NPV.
• Pay particular attention to controlling those variables to which
the NPV is particularly sensitive to, once the decision has been
taken to accept the investment.
 A simple approach to deciding for which variables the NPV is
sensitive is to calculate the sensitivity of each variable:

 The lower the percentage, the more sensitive is NPV to that

project variable as the variable would need to change by a smaller
amount to make the project non-viable.
73
 The Purpose of Sensitivity Analysis
 Sensitivity analysis is a technique for investigating the
impact of changes in project variables on the base case
(most probable outcome scenario).
 Typically, only adverse changes are considered in a
sensitivity analysis.
▪ The purpose of sensitivity analysis is:
1. To help identify the key variables which influence the
project cost and benefit streams.
2. To investigate the consequences of likely adverse
changes in these key variables.
3. To assess whether project decisions are likely to be
affected by such changes.
4. To identify actions that could mitigate possible adverse
effects on the project. 74
 Sensitivity analysis
• Sensitivity analysis can be applied in a number of different disciplines,
including business analysis, investing, environmental studies, engineering,
physics and chemistry
• Used to determine which risks have the most potential impact on the
project.
• Sensitivity analysis examines the extent to which variation of a project
element affects a project objective when all other uncertain elements are
held at their baseline values.
• There are five steps in to the scenario analysis process:
• Step One – Defining the Problem. This seems to always be where
things get started in business.
• Step Two – Gathering Data. ...
• Step Three – Separate Certainties from Uncertainties. ...
• Step Four – Develop Scenarios. ...
• Step Five – Use the Scenarios in Your Planning
 Step 1: Identifying the Key Variables

▪ The baseline project analysis incorporates many variables: quantities and

their inter-relationships, prices or economic values, and the timing of project
effects.
▪ It is not necessary to investigate the sensitivity of the project to variables
that are predictable or relatively small in value.
▪ Other variables may be less predictable or larger in value.
 As a result of previous experience and analysis of the project context, a
preliminary set of likely key variables include:
1. Variables that are numerically large (e.g., investment cost).
2. Variables may be small, but the value of which is very important for the
design of the project.
3. Variables occurring early in the project life (e.g., investment costs and
initial fixed operating costs), will be relatively unaffected by
discounting.
76
4. Variables affected by economic changes (e.g., real income).
Steps 2 and 3: Calculation of effects of changing variables

 The values of the basic indicators of project viability

(ENPV) should be recalculated for different values of key
variables.
 This is preferably done by calculating sensitivity indicators
and switching values (see below).

77
 Steps 2 and 3: Calculation of effects of changing variables

Interpretation
• SI: percentage change in NPV.
• SV: A change of the approximate value of the variable is
necessary before the NPV becomes zero.
Characteristic
• SI: Indicates to which variables the project result is or is not
sensitive. Suggests further examination of change in the
variable.
• SV: Measures the extent of change for a variable that will
leave the project decision unchanged.
 Note: The switching value is, by definition, the reciprocal of
the sensitivity indicator.
78
 It can also be calculated by using the sensitivity formula
presented in equation 1.
Step 4: Analysis of Effects of Changes in Key Variables
▪ At this point, the results of the sensitivity analysis
should be reviewed.
▪ It should be asked:

1. Which are the variables with high sensitivity

indicators?

2. How likely are the (adverse) changes (as indicated

by the switching value) in the values of the
variables that would alter the project decision?
79
 Calculation
Base Case: Base Case:
Price = Pb = 300 Price = Pb = 300
NPVb = 20,912 NPVb = 20,912
Scenario 1: Scenario 1:
P1 = 270 (10% change) P1 = 270 (10% change)
NPV1 = 6,895 NPV1 = 6,895
(20,912−6895) (300−270) (100∗20,912) 300−270
SI= / 300 = 6.70 SV= / 300 = 14.9%
20,912 (20,912−6895)
Interpretation: A 10% change in Interpretation: A change (increase) of 10
input (price), results 6.70*10 percent percent in the key variable (price) will
changes in NPV. cause the price present value to become
zero. 80
 Applying the Sensitivity Tests

 Suppose Bishoftu Automotive Engineering Industry (BAEI) is

considering a project with the following cash flows and a discount rate
of 12%.

• Measure the sensitivity of the project to changes in several key

variables, as follows:
1. An increase in investment cost by 20 percent.
2. A decrease in economic benefits by 20 percent.
3. An increase in costs of operation and maintenance (O & M) by 81
20 percent.
 Applying the Sensitivity Tests

To make the sensitivity analysis, we should first

compute the baseline NPV for each of the variables
presented in the second column above.
Recall from the previous chapter that NPV is given by:

▪ Given that NPVB NPVC NPVI and NPVOM represent NPV

of benefits, cost, investment as well as operation and
maintenance, respectively, we have the following results:

82
 Applying the Sensitivity Tests

• Then The NPV is the difference between NPVB and NPVC.

NPV = NPVB - NPVC = 2104 -1978 = 126
• This value is also called the baseline NPV (NPVb). 83
 Applying the Sensitivity Tests
• We can summarize the effects of the above changes in the following
table (for detailed procedures, look at your exercise book).

Item Baseline Changes Effect SI SV (%)

on NPV

NPV 126

Benefits 2104 -20% -294.8 16.698 5.989

Investment 1687 20% -211.4 13.373 7.5

O&M 291 20% 67.8 2.3015 43.3

84
SI= Sensitivity indicator ; SV=switching value
Analysis of Effects of Changes in Key Variables
1. In the case of an increase in investment costs of 20%, the
sensitivity indicator is 13.38.
• This means that the change of 20 percent in the variable
(investment cost) results in a change of 266 percent
(13.3*20%) in the ENPV.
• It follows that the higher the SI, the more sensitive the
NPV is the change in the concerned variable.
2. In the same example, the switching value is 7.5 percent
which is the reciprocal value of the SI x 100.
o This means that a change (increase) of 7.5 percent in the
key variable (investment cost) will cause the ENPV to
become zero.
o The lower the SV, the more sensitive the NPV is to the 85
change in the variable concerned and the higher the risk
with the project.
 Strength and Weakness of Sensitivity Analysis

Strengths Weaknesses
(a) No complicated theory to (a) It is not an optimizing technique. It
understand. provides information on the basis on
which decisions can be made. It does not
(b) Information will be presented to point directly to the correct decision.
management in a form that facilitates
subjective judgment to decide the (b) It assumes that changes to variables can
likelihood of the various possible be made independently, eg. investment cost
outcomes considered. will change independently of other variables.
This is unlikely. If one variable changes, the
(c) Indicates just how critical are firm would probably change other variables
some of the forecasts which are at the same time and there would be little
considered to be uncertain. effect on NPV [a simulation method].

d) Identifies areas that are crucial to (c) It only identifies how far a variable need
the success of the project [those to change. It does not look at the probability
86
areas can be carefully monitored]. of such a change.
 Shortfalls when using quantitative risk analysis
• There are three potential shortfalls when using quantitative risk
analysis techniques:
• Data quality: It is essential to avoid the GIGO situation
(garbage in garbage out), and attention must be paid to
ensuring good quality inputs to the model.
• Interpretation: Outputs from risk models require interpretation,
and Quantitative Risk Analysis will not tell the project manager
what decision to make.
• Action: The project team must be prepared to use the results of
risk modelling, and to take decisions based on the analysis. You
should beware of analysis paralysis since quantitative risk
analysis is merely a means to an end, and must lead to action.
 3.3 Evaluate the risks

• Risk Evaluation is the process used to compare the

estimated risk against the given risk criteria so as to
determine the significance of the risk.
• Note also that risk evaluation may be used to assist in
the decision to risk treatment.
• Rank the risks according to management
priorities, by risk category and rated by likelihood
and possible cost or consequence.
• Determine inherent levels of risk.
 Shortfalls when using quantitative risk analysis
• There are three potential shortfalls when using quantitative risk
analysis techniques:
• Data quality: It is essential to avoid the GIGO situation
(garbage in garbage out), and attention must be paid to
ensuring good quality inputs to the model.
• Interpretation: Outputs from risk models require interpretation,
and Quantitative Risk Analysis will not tell the project manager
what decision to make.
• Action: The project team must be prepared to use the results of
risk modelling, and to take decisions based on the analysis. You
should beware of ‗analysis paralysis‗, since quantitative risk
analysis is merely a means to an end, and must lead to action.
 3.3 Evaluate the risks

• Risk Evaluation is the process used to compare the

estimated risk against the given risk criteria so as to
determine the significance of the risk.
• Note also that risk evaluation may be used to assist in
the decision to risk treatment.
• Rank the risks according to management
priorities, by risk category and rated by likelihood
and possible cost or consequence.
• Determine inherent levels of risk.
 3.3 Evaluate the risks
• Risk evaluation involves comparing the level of risk
found during the analysis process with previously
established risk criteria, and deciding whether these
risks require treatment.
• The result of a risk evaluation is a prioritized list of
risks that require further action.
• You evaluate or rank the risk by determining the risk
magnitude, which is the combination of likelihood and
consequence.
• You make decisions about whether the risk is
acceptable or whether it is serious enough to warrant
treatment. These risk rankings are also added to your
Project Risk register.
 Evaluate the risks( cont..

▪ Using Risk Scores to Set Priorities

▪ H e r e ’s w h e r e t h e p r i o r i t i z a t i o n c o m e s i n t o p l a y.
▪ C o n s id e r t h e fo l l o w in g r is k s :
Risk Probability Impact Risk Score
A 2 4 8

B 5 5 25

C 4 5 20

D 3 4 12

E 4 4 16

F 3 3 9
 Evaluate the risks( cont..)
▪ Which risks are greatest?
▪ Let’s sort the table in descending order on
the risk score.
▪ Risk Probability Impact Risk Score
B 5 5 25
C 4 5 20
E 4 4 16
D 3 4 12
F 3 3 9
A 2 4 8
• Who evaluate risk ?or Who Are Your Risk Owners?
• A risk owner is an individual–typically a subject
matter expert– who is responsible for evaluating the
risk, developing response plans, monitoring the risk,
and executing risk responses when necessary.
• The risk owner may engage others in the evaluation
process.
• When Should You Perform Qualitative Risk Analysis?
• Project managers should facilitate the risk evaluation
processes early in their projects.
• Throughout the project, risk reviews should be
conducted.
• Current risks are reviewed again and new risks are
identified and analyzed.
 Evaluate the risks
▪ After establishing ‘Likelihood’ and ‘Consequence’ you can
use a table like this to set a level of risk.

Extreme Very high Moderate Low Negligible

Almost
Severe Severe High Major Moderate
certain
Likely Severe High Major Significant Moderate
Moderate High Major Significant Moderate Low
Unlikely Major Significant Moderate Low Very low
Rare Significant Moderate Low Very low Very Low

You must define what these risk levels mean to you.

 Summary
• are two ways to evaluate risks:
• 1.Qualitative Risk Analysis. Qualitative analysis such
as rating probability and impact should always be
performed. This allows you to quickly prioritize and rank
your risks.
• 2.Quantitative Risk Analysis. Quantitative analysis is
not always performed. This analysis requires more
time but provides more data to aid in making
decisions. You cannot respond to all risks, neither
should you.
• Prioritization is a way to deal with competing
demands. This aids in determining where you will
spend your limited time and effort.
 Evaluate the risks
• You evaluate project risk in order:
o To have the greatest impact. 80%of the impact will come from
20% of the risks.
o To respond wisely and appropriately.
o To assign resources suitably.
• There are two methods for qualitative risk evaluation:-
• (i) KISS Method I use the KISS (Keep It Super Simple) Method on
smaller projects and with teams that lack maturity in assessing
risks.
• This one-dimensional technique involves rating risks as:
•Very Low •Low •Medium •High • Very High
• (ii) Probability/Impact Method : Most normally use this
technique with larger, more complex projects and with teams
that have experience with risk assessments.
• This two- dimensional technique is used to rate probability and
Thank you very much for being with
me for a while!