In my never-ending quest to seek out and provide additional information and even different angles and views on items I’ve discussed through my own thoughts and experiences, I’ve stumbled on some additional textbook type info on risk management. This may be obvious info for some of us – things we’ve all heard before. But risk management is one of those areas where the project manager and the project team can never really know too much or be too confident or be too prepared.

So, with the potential for information overload, here is a comprehensive guide on Risk Management. This info comes from an excerpt in a book by Michael Newell and Marina Grashina entitled “The Project Management Question and Answer Book.” I will define risk management, discuss the basic steps of risk management,

What is risk management?

A risk is a possible unplanned event. It can be positive or negative. In project management, the success of our projects depends on our ability to predict a particular outcome. Since risks are the unpredictable part of the project, it is important for us to be able to control them as much as possible and make them as predictable as possible. A pure risk or threat is a risk that has only a negative possibility as an outcome. A business risk is a normal risk of doing business. It can have a good or bad outcome. An opportunity is a risk that has only good outcomes. These risks can be of two types, known risks and unknown risks. The known risks are those that we can identify, and the unknown risks are those that cannot be anticipated at all.

Risk management is the process of identifying, analyzing, and quantifying risks, responding to them with a risk strategy, and then controlling them.

Risk has ‘uncertainty’ as its main characteristic. Risks can be thought of as project tasks with the exception that project tasks are work tasks that must be done as part of the project, and risks are work tasks that may or may not have to be done in order to complete the project. The uncertainty associated with any risk relates to the knowledge that we have about it. The greater the knowledge we have about a risk, the less uncertainty there will be about it.

Risk management must be done throughout any project. We must do it at the beginning of the project, at the end of the project, and many times during the project. In the beginning, there is little information about the project, and the uncertainty is at its highest, however, the amount of money that has been put into the project at this point is small.

In the beginning of the project the risks seem distant and unrealistic, but it is truly disheartening to have to deal with a problem in the middle of the project when it was brought up during the writing of the project charter. For example, one of the project team members tells us that the customer has asked for a special salt spray test in the past and we might have to do it again for this new project. He also mentions that our old salt spray test cabinet is no longer usable since it was destroyed when it was dropped off of a truck. A little investigation would find that the salt spray test cabinet is custom-made and must be ordered six months before delivery by the only company certified to make the device.


At the end of the project, risks are still important. There are certainly fewer risks at the end of the project than at other times, but there is little time or budget left for them at the end of the project. Even risks that are not all that serious in the beginning and middle portions of the project become serious when time and money to handle them are both short near the end of the project. Two weeks before the project is supposed to have final acceptance by the customer, we find that the requirement for the user manual is not the 30 pages we anticipated but the 300 pages the customer now tells us we must write.

Risks are things that may or may not have to be done. All risks have a probability and an impact. If a risk has a probability of 1.0 it means it is certain to happen; if the risk is 0.0, it is certain not to happen. So, all risks tend to have a probability that is somewhat less than 1.0 and somewhat greater than 0.0, and all risks have an impact associated with them. If the impact is zero, the risk has no effect and can be ignored.

The question of known and unknown risks is of great importance in projects. Known risks are pretty obvious. A known risk is a risk that we can identify. The problem is that we can never identify all the risks in a project because it can be too expensive. We are normally satisfied to identify an acceptable number of risks. This number of risks is a function of our risk tolerance, a topic we will discuss later in this chapter.

Since it will never be practical to find all of the risks in a project, it follows that there will be risks that are not identified. These are the unknown risks. Just because we do not identify particular risks does not mean that we do not have to set financial resources aside for them. The known risks will be budgeted in the contingency budget, and the unknown risks will be budgeted in the management reserve.

It is important to note that the impact cost of the risk is not put into the project's performance or operating budget. At the beginning of this guide we looked at the general definition of Risk Management. Now we will dive into the four steps in Risk Management and define each step. This is another excerpt from Michael Newell and Marina Grashina’s book entitled “The Project Management Question and Answer Book.”

What are the basic steps in risk management?

There are usually four steps considered in managing any risk. This will vary from author to author, so we will stick with the Project Management Institute's Guide to the Project Management Body of Knowledge.

The PMBOK lists the steps in the risk process as follows:

- Risk identification

Risk identification is the process of identifying the threats and opportunities that could occur during the life of the project along with their associated uncertainties. The life of the project means the complete life cycle of the project, not just the time the project team is in place, the time until the final acceptance by the customer, or even the end of the warranty period.


Risks should be considered through the useful life of the product or service that we are providing by executing the project. The risk of corrosion causing a catastrophic product failure during the useful life of a product that we have designed and built should be considered, and corrective action should be taken in accordance with the seriousness of the threat. Risks can be identified in a large number of ways, and all of the productive and economical ways should be employed.

- Risk quantification

Risk quantification is the process of evaluating the risk as a potential threat or opportunity. We are mainly concerned about two items: risk probability and risk impact. Risk probability tells us the likelihood that the risk will take place, and risk impact is the measure of how much pain or happiness will result if it does take place. Risks that have very high impacts with very low probabilities and risks that have very low impacts with high probabilities are usually of little concern, so we need to consider the combination of these two items before considering how important a risk is. The combination of impact and probability is called severity.

For example, we do not need to worry too much about the risk of a hurricane impacting a certain construction of an apartment building if the project is taking place in Moscow. Hurricanes seldom occur there so there is a very low probability. On the other hand, we may want to worry about the risk of heavy snowfall which does occur frequently. We also do not need to worry too much about the risk that one of the construction workers on the project will call in sick one day during the project. Although the probability is very high that this will occur more than once in the life of the project, we are able to anticipate this problem and the impact is relatively small even for skilled workers.

What we do need to concern ourselves about are the risks that have a relatively high impact and a relatively high probability of occurring.

- Risk response

Risk response is the process of taking measures about the risk. It is how we respond to risks. In this process we address the best approaches to dealing with a risk that has a high severity and which consequences cannot be accepted.

Responding to a risk includes ignoring the risk, letting it happen, and worrying about the consequences at the time. It also includes doing something about the risk before it happens. This includes putting together a work-around plan that can be quickly implemented when the risk occurs. It might include subcontracting the responsibility of the risk to an outside vendor or even an insurance company, or it might include avoiding the risk altogether.

- Risk control

Risk control is the process of controlling the risks. This involves keeping track of the risks that have occurred and can no longer occur, the risks that can still occur, and changes in the probability and impact of such risks. Generally, a reporting system is maintained so that the current picture of the risks is known.

How to recognize the areas for possible risks occurrence?

When managing risks, the first thing we must do is recognize the areas of the project where the risks can occur. This means that we will have to investigate the following areas:

- Scope

We must look at the work of the project. The work breakdown structure (WBS) will be useful here. The project scope must be clearly defined in terms of both the deliverables and the work that must be done to deliver them. Errors and omissions on the part of the project team and the stakeholders must be minimized. As always, the WBS will be very helpful in doing this.

- Time

Estimates for the duration of the project and the duration of the project tasks must be done accurately and reliably. The sequence of work must be identified, and the interrelationships between the tasks must be clearly defined.

- Cost

Estimates for tasks must be done accurately and reliably. All associated costs must be considered and reported accurately.


Life cycle costs should be considered as well as maintenance, warranty, inflation, and any other costs.

- Customer Expectations

Estimates of project success must be considered in terms of customer needs and desires. The ability of the project to be scaled up or manufactured in different quantities or for different uses and sizes must also be considered.

- Resources

This involves the quantity, quality, and availability of the resources that will be needed for the project. Skills must be defined in the roles that will be necessary for the project.

- Organization

This is the ability to interface with the stakeholder's organization in terms of communications and knowledge.

Many people both inside and outside the project will be necessary for risk identification. This includes input not only from the project team and all of the stakeholders but also from project managers who have managed this type of project before and even consultants who have special expertise about certain kinds of risks. It may be necessary to organize the types of risks into categories so that separate teams can be brought together more efficiently.

Many of the risks that will affect the project are risks that have happened in one form or another on other projects of this type. Utilizing the information available in the previous project's lessons-learned documents will be very helpful in identifying risks for this project. An organized review of past projects should be done as part of the risk identification process.

Since much of the risk identification process will involve large numbers of people, formal group dynamics techniques should be used.

Brainstorming Technique

In brainstorming, a facilitator briefs the meeting attendees and asks the participants of the meeting to name risks that they think could occur in the project. The facilitator encourages the participants to name any risk they can think of, even ones that seem silly, and makes a list of the risks on a board, flip chart or a mind map. What happens in brainstorming is that the ideas of one person generate new ideas from another person, and a kind of chain reaction takes place, producing the identification of many ideas about risk.


- Delphi Technique

This technique of group dynamics eliminates the problem of dominance, shyness, or intimidation that sometimes occurs in brainstorming meetings. In the Delphi technique, the participants are anonymous to each other. This technique can be conducted with Internet messaging or even by e-mail and has the advantage that people can participate from many different locations. In this technique the facilitator asks for input from the participants. He takes their ideas and consolidates them into a list that is sent to each participant. The participants then add ideas to those already listed. This circulation of the lists continues until no additional ideas are generated.

The Delphi technique creates a lot of work for the facilitator. All ideas have to be listed by the facilitator, who also usually has to telephone many of the participants in order to get them to participate in each round. The overall time to do the Delphi technique can be weeks depending on how dedicated the participants are.

- Nominal Group Technique

This is another type of meeting technique. In the nominal group technique, the participants are known to one another as in brainstorming, but the ideas are submitted to the facilitator as written lists. This makes the ideas, if not the participants, anonymous. The facilitator lists the ideas on a flip chart or a board, and the participants add more ideas in another round of written lists until no additional ideas are added.

This technique reduces any status concerns or intimidation that might be present in a brainstorming session but does not eliminate it entirely. There is more work for the facilitator, but the nominal group method can be done in a single meeting, and participation improves over brainstorming even if some enthusiasm may be lost.

- Expert Interviews

There might be experts available either inside or outside the company for a new project and a new kind of business. Expert interviews must be handled with care. If the project team is not prepared for the expert interview, much time can be wasted with the expert simply telling stories about his or her past exploits. An effort should be made to develop a list of questions for the expert.

- Ishikawa or Fishbone Diagrams

Fishbone diagrams or cause-and-effect diagrams also called Ishikawa diagrams after their founder, Kaoru Ishikawa, a Japanese quality engineer, are useful in identifying risks. There’s more detail available than what I’m going to go into here or include here from the book excerpt. Mostly, because this article would end up being far too long. I’ll go into Risk Quantification at a higher level here, and then present further detail in a subsequent article.

This information below on Risk Quantification comes again – for the most part – from the book “The Project Management Question and Answer Book.”

Risk quantification is the process of evaluating the risks that have been identified and developing the data that will be needed for making decisions as to what should be done about them. Risk management is done from very early in the project until the very end. For this reason qualitative analysis should be used at some points in the project, and quantitative techniques should be used at other times.

The objective of quantification is to establish a way of arranging the risks in the order of importance. In most projects, there will not be enough time or money to take action against every risk that is identified.

The severity of the risk is a practical measure for quantifying risks. Severity is a combination of the risk probability and the risk impact. In its simplest form, the risks can be ranked as high and low severity or possibly high, medium, and low. At the other extreme, the probability of the risk can be a percentage or a decimal value between zero and one, and the impact can be estimated in dollars. When the impact in dollars and the probability in decimal are multiplied together, the result is the quantitative expected value of the risk.

Various statistical techniques such as PERT (program evaluation and review technique), statistical sampling, sensitivity analysis, decision tree analysis, financial ratios, Monte Carlo, and critical chain can all be used to evaluate and quantify risks.

- Qualitative and Quantitative Analysis

Qualitative risk analysis is appropriate early in the project and is effective in categorizing which risks should or should not be planned for and what corrective action should be taken for them. Qualitative analysis techniques will not give us the precise values for the risk that we would like to have. They are very effective when we have little time to evaluate risks before they actually happen.

Quantitative values may be applied to risks when using qualitative analysis. Values such as very risky, not so risky; high and low; high, medium, and low; high, high medium, medium, medium low, and low are generally used. The qualitative evaluation might also evaluate the risks on a scale of one to ten. These values can be applied to both the probability and the impact of the risk. The impact and probability can then be combined to give similar descriptions to the severity of the risk.

If an evaluation of the impact and probability used a scaled evaluation of one to ten, the numbers could be multiplied to get the severity. In this way, a probability of 7 with an impact of 9 would give us a severity of 63. This number for severity should give us plenty of information for ranking the risks. Using the high, medium, and low version sometimes creates disagreements about risks that are on the borderline between one value and another. For example, does this risk have an impact of medium or high when it is close to the border between the two values? And what happens when the impact is very high or very low and the probability is the opposite?

While qualitative analysis is less precise than quantitative analysis, evaluating the results is far less expensive in terms of both time and money. The results are good enough to indicate the overall risk of the project and identify the high-priority risks in order to begin taking some corrective action. This kind of information may assist in pricing the project to a client.

Quantitative risk analysis attempts to attach specific numerical values to the risks. The severity can be assessed from these numerical values for impact and probability. Numerical techniques for decision analysis are used for this approach. These techniques include Monte Carlo analysis, PERT, computer simulations, decision tree analysis, critical chain scheduling, statistical estimating techniques, and expected value analysis. Generally, we find the use of statistics and probability theory to be useful in quantitative analysis.

Care should always be used in the quantitative analysis because using a good quantitative technique with bad data is worse than not using the technique at all. Many people are impressed with statistical models and simulations and never look at the data to see how good they are. It is quite possible to impress people into making the wrong decision based on an excellent analysis of bad data. Care should also be exercised in the use of quantitative techniques because the cost of applying the technique and collecting the data can sometimes be more than the cost of the risks the technique helps to quantify.

What is risk tolerance?

In this guide, we will also cover risk tolerance - your organization’s ability to tolerate different risks and identify those lines in the sand for tolerable risks and intolerable risks. Many factors can weigh into an organization’s ability to tolerate certain risks. Some that come to mind are: how critical is the risk to the success of the project, will avoidance cost us on the project or cost us a certain level of customer satisfaction, and how does the cost/benefit analysis on the risk compare with the profitability of the project and the risks potential impact to that profitability.

This discussion on risk tolerance comes mainly from another excerpt of the book “The Project Management Question and Answer Book.” 

Risk tolerance is the willingness of some person or some organization to accept or avoid risk. In any group of people, there are gamblers or risk takers and there are non-gamblers or risk avoiders. People who have a low willingness to accept risks and the consequences of risks are called risk avoiders. Those people who are willing to take risks are called risk takers.

It is important to know that people and organizations have different risk tolerances. Some customers do not want to risk the delivery of the project they are paying for by taking a chance on something new. Other customers will welcome the opportunity if the danger is not too great.

For example, if we were manufacturing a product like some of the products that are advertised on late-night television, we would probably have a relatively high-risk tolerance for the product's failure. This is because the product is priced very low and is not going to put anyone's life in danger. Customers buying very low priced items can expect them to have a shorter useful life than the advertising indicates. If customers want a product that will last longer, they buy an item that is built better and is probably more expensive.

This ability to choose is related to risk tolerance. In the mind of the consumer, there is a tolerance for risk, which is expressed in his or her willingness to spend money. A consumer who is interested in having a highly reliable product that will last a long time is willing to pay more to get these features. Another consumer who is not willing to pay more to get a better product will be more accepting of the risk that the product will fail.

If we draw increasing impact and increasing probability on an X and Y axis, we can draw the locus of all points of equal severity as a line on the graph in Figure 1.


Acceptable risks are any risks that are below and to the left of this locus of points of equal severity. Unacceptable risks are those risks that have a severity above and to the right of this severity line.

If we shift the severity line up and to the right, as in Figure 2, we are describing a person or an organization that is more of a risk taker. That is, the severity of the risks that one is willing to take is higher than before we shifted the line, and the person or organization shown is more of a gambler.



If, on the other hand, we shift the line down and to the left, as in Figure 3, we are describing a person or organization that is less of a risk taker. That is to say that the severity of the risks that a person or organization is willing to take is less than before we shifted the line.



In the classes we teach, we often perform the experiment of telling the students that we are willing to bet money on the roll of a single die, a cube with a number one through six on each side. (That's half of a pair of dice to you nongamblers.) In the bet ,we say that if the die comes up with a one or a two, we win. If the die comes up with a three, four, five, or six they win. The question is, "Who would be willing to play for a penny?" Nearly everyone stays in the game at this point.

Then the stakes are raised to one dollar, and some of the people no longer want to play. As the stakes are raised higher and higher, more people drop out of the game. Eventually, unless there is a really hard-core gambler, everyone drops out of the game because the stakes are too high.

Even though the odds are very favorable, four chances out of six to win, when the bet is high enough, people will not play because the pain of losing is too great even when there are favorable odds. This is a great example of risk tolerance. Individuals and companies do the same thing with threats and opportunities. In risk tolerance, we are concerned with people's personal values and views as well as the company's values and views. We may be dealing with a high-flying company that is willing to take many chances, but the individual who is representing the company may not be willing to stake his career on the risk you are suggesting. On the other hand, we do not want to be misled by the salesperson who is optimistic about everything until the sale is made.

Risk tolerance is somewhat describable in monetary terms. Our risk tolerance is how much we are willing to lose if the risk happens. In the case of a product that is sold to a consumer, the cost of the failure of the product might be the cost of the repair or replacement of the product if it fails. In the situation where someone's life is in danger, these decisions become much more important. The tolerance for a risk that is life-threatening is very high indeed. This is because we cannot put a monetary value on human life.

What are risk response strategies?

Risk response strategies are the approaches we can make to dealing with the risks we have identified and quantified. In the section on risk quantification, we discussed evaluating the risk in terms of its impact and probability in such a way that we would be able to rank risks in their order of importance. This is what we called severity, the combination of impact and probability.

Risk response strategy is really based on risk tolerance, which has been discussed. Risk tolerance in terms of severity is the point above which a risk is not acceptable and below which the risk is acceptable.

Several strategies are available for dealing with risks. These are avoidance, acceptance, transfer, and mitigation.

There are many reasons for selecting one risk strategy over another, and all of these factors must be considered. Cost and schedule are the most likely reasons for a given risk to have a high severity. Other factors may affect our choice of risk strategy. For example, if a schedule risk is identified for a task in the project, and if this task has many other tasks depending on it, its severity may be calculated as being lower than is apparent, and the severity should be adjusted even though the schedule impact due to the disruption may be difficult to judge. The strategy should be appropriate for the risk it is intended for.

The following four strategies comprise the strategies that are normally used for risk:

- Risk Acceptance

Acceptance of a risk means that the severity of the risk is low enough that we will do nothing about the risk unless it occurs. Using the acceptance strategy means that the severity of the risk is lower than our risk tolerance level. If this were not the case, it would not make sense to accept the risk. Once the risk occurs, we will fix the problem and move on.

The risk is acceptable because the severity of the risk is lower than our risk tolerance. Accepting a risk does not mean that we will not do something about the risk when and if it occurs; it means that we will do something about it only if it occurs. Many of the project risks will fall into this category. It is the category where the many insignificant risks are put. Many of these risks cost less to fix when they occur than it would cost to investigate and plan for them.

There are two kinds of acceptance, active and passive. Acceptance is active when a risk is identified as being acceptable but we decide to make a plan for what to do when and if the risk occurs. It is much more effective to have a plan in place when these types of risk occur rather than trying to deal with the risk when there is little time and lots of hysterics. There is also another risk involved: the wrong thing can be done to solve the problem because its solution was not clearly thought out under pressure in the heat of the moment.

Acceptance is passive when nothing at all is done to plan for the risk occurrence. Many of the identified risks in the project will be passively accepted. These risks are simply too small to be of concern. The cost of developing a plan and documenting it can be higher than the cost of dealing with the risk without preparation.

An example of risk acceptance is the risk that off-the-shelf software that was purchased for the project will be defective. There is a probability of 2 percent that this will occur. That is, that the CD the software is delivered on will not work and will have to be replaced with a new CD. This causes a delay of five days to a task that has twenty-five days of free float. Passive acceptance will probably be used in dealing with this risk. It is probably not worth the effort to anticipate the problem and do something about it. It is simpler to wait and see if something is wrong with the CD and take corrective action. Of course, it would be foolish to receive the CD and not test it until it was needed.

- Risk Transfer

The transfer strategy in managing risk is to give responsibility for the risk to someone outside the project. The risk does not go away; the responsibility of the risk is simply given to someone else. This can be done a number of ways. One way is to negotiate the refusal of a project deliverable that has a high risk of causing problems and have that risk contracted to another project. The stakeholder simply agrees that the deliverable is not required as part of the project and finds another project that is willing to do it.

Risks can also be transferred to a contractor working for the project. If this is done with a firm fixed price contract, the vendor will be obligated to deliver the agreed product for a fixed price. In this situation, the vendor is responsible for any risks that occur while trying to complete the contract. While this may seem like a good solution to risk management problems, the vendors were not born yesterday afternoon. The vendor's risk strategy may be to increase the selling price to compensate for the risk if it occurs. Of course, if the risk does not occur the vendor will make extra money. If you try to transfer the risk in this way, it may be that you will find that you are paying for the impact of the risk whether it happens or not.

Probably the most common method of transfer is to buy insurance. With insurance, you give a relatively small amount of money to an insurance company. This amount of money, called a premium, is usually much smaller than the cost of the risk. If the risk happens, the insurance company pays to have the risk resolved. If the risk does not take place, the insurance company keeps the premium.

It is interesting to note that you can insure against only your own or your company's loss. Buying insurance on someone else's life or property, for example, is not allowed in most places unless that person or property represents a loss to you. If this were not true, there would probably be people hanging around hospitals buying policies on people who looked really sick.

- Risk Avoidance

This strategy is used to make the risk cease to be a possibility. Avoidance is a little different from the other strategies we have discussed. In risk avoidance, we completely eliminate the possibility of the risk. The simplest way to avoid a risk is to remove it from the project deliverables. If the sponsor of the project agrees to allow a risk-filled deliverable to be removed from the project, the risk is removed along with the deliverable. Of course, the price the sponsor is paying for the project will probably be reduced to compensate for the reduction in scope. In avoiding risk in this way, we should remember that profits are often related to the risks we take to complete projects that have risks. Another way to avoid risks is to design around them. This strategy involves changing the design of the product so that the risk cannot occur. Suppose we have a project to design and manufacture a new kind of barbecue grill. During testing, we discover that the screws that hold the bottom of the grill where the ashes collect rust and deteriorate quickly. A failure of the ash collecting bottom could result in hot charcoal being dumped onto a wooden deck and causing a fire. We decide that this is an unacceptable risk and that our strategy is to avoid the risk.

One way to avoid the risk is to not build and sell the barbecue grill at all and abandon the project. We decide that this is an unnecessarily conservative strategy. Another way is to change the material that the screws are made from. Instead of plain steel screws, we decide to redesign and use stainless steel screws. The stainless steel screws will not rust, and the potential problem will be eliminated. This completely eliminates the rusting problem of the screws and avoids the risk of a screw failure causing a fire.

- Risk Mitigation

When we discussed risk tolerance, we said that risks that were above the risk tolerance maximum were not acceptable risks and that something had to be done about them. Mitigation is a strategy where some work is done on unacceptable risks to reduce either their probability or their impact to a point where their severity falls below the maximum risk tolerance level.

Using the risk mitigation strategy involves taking some money out of the contingency budget that was the expected value of the risk before mitigation. Some of this money is put into the project's operating budget to carry out the mitigation strategy. Since the probability or impact will be reduced, the expected value of the risk will be reduced as well, and the contingency budget should be reduced accordingly.

Finally, we will look at all four response strategies again in terms of what each means to allocating dollars to your projects. We go into detail on where money usually allocated for the different strategies of avoidance, acceptance, transfer, and mitigation. The following information, for the most part, is from an excerpt of the book “The Project Management Question and Answer Book.”

Risk strategies and money allocation

Perhaps it would be a good idea to review how the money is allocated for different risk strategies.

Risk avoidance is frequently going to cost some money. The money that we spend to redesign the project so that the risk is eliminated is money that will have to be spent regardless of the probability of the risk. The additional work of doing the redesign and adding more expensive parts will be part of the operating budget. No money needs to be put into the risk reserves if the risk is completely eliminated. If the risk has already been allocated funding in the contingency budget, the increase in the operating budget can be taken from the contingency budget.


Risk acceptance will have money put into the contingency budget if the risk has been identified. If the risk is an unknown risk and has not been identified, the money for it will be roughly estimated and become part of the management reserve. If the risk does happen, the money is taken from the contingency budget or the management reserve and moved into the operating budget when the plan for dealing with the risk is put into place.

Risk mitigation will have money put into the contingency budget to handle the risk if it occurs. There will also have to be money put into the operating budget to take care of the cost of the mitigating activities that are being taken for this risk. The mitigation of the risk will reduce either the probability or the impact of the risk, and the contingency budget should therefore be reduced.

Risk transfer requires money to be put into the operating budget to pay for the additional cost of either subcontracting the risk or buying insurance for it. The money to do the work for the activity affected, not including the risk cost, was put into the operating budget when the task was created. The cost of the transfer, either the additional cost that the supplier will receive or the cost of the insurance premium, must be added to the operating budget. This money can be taken from the contingency budget.

The operating budget of the project, sometimes called the performance budget, is the amount of money needed to do the things that are planned for in the project. This includes all of the work to produce all of the deliverables that were planned for in the project. It is not the total project budget; it includes funding only for the things that are planned for. Subject to limitations in the project policy, this money can be spent freely by the persons responsible for the tasks of the project as long as the expenditures are following the project plan.

The contingency reserve is the money to do the things that may or may not have to be done but that have been identified. This is where the funding for risks that actually take place comes from. When a risk takes place, the project manager authorizes money to be taken from the contingency budget and placed into the operating budget. Generally, the project manager must approve money transferred from contingency reserves to operating budgets. In larger projects, a subproject manager may approve these funds. The transfer of funds must include any appropriate changes to scope or schedule.

The management reserve is money that is set aside for the risks that have not been identified, the so-called unknown risks. This transfer is made when a risk occurs that has not been identified and money must be spent to solve the effects of the risk. The use of these funds usually has to be approved by a manager one level above the project manager.

In the final part on the guide for Defining Risk Management, we look at what risk control is and how we monitor and track the risks that are identified and new ones that are encountered on our projects. This information is again, for the most part, derived from the book “The Project Management Question and Answer Book.”

What is risk control?

The process of monitoring and controlling and keeping track of the identified and the unidentified risks is risk control. In this process, we hope to identify risks that are no longer possible and risks that are coming due, as well as any new risks that may become evident. We will also monitor risk activity to make sure the risk plans have been carried out successfully. Problems that have been found out in the risk plan can help us adjust the plans for future risk activities.

Risk control and monitoring are part of the risk management process and must be started early in the project and continued until the end. As the project progresses, we will find that many of the risks will change, some will no longer be possible, others will happen and be disposed of, and new risks will be identified. In addition, we will learn about the project and the risks associated with it and adjust our vision of individual risks.

The level of risk tolerance should be monitored as well. The attitude of the stakeholders will change during the course of the project. Communication with all stakeholders is important since it gives us a means of assessing changes in their risk tolerance.

Risk control may involve changing the way we look at risk. There are several reasons why this might take place. The risk tolerance of the stakeholders may change; the risk tolerance of the project team may change. As the project progresses toward its completion, certain risks that were thought to be very important to the success of the project may become risks that are no longer thought of as being so important.

At the beginning of the space shuttle project, the heat-resistant ceramic tiles were originally thought of as being one of the major risks in the program. If the tiles were lost or their integrity was compromised, the heat of reentry, some 3,000 degrees Fahrenheit, could reach the airframe's aluminum structure and cause the breakup of the ship. As time went by and NASA flew over one hundred missions with the space shuttle vehicles and the whole take-off and landing process became routine, the perceived severity of the risk diminished. During this time there were minor failures of the re-entry tiles, but these failures proved to be minor repairs, and the shuttle vehicles suffered only minor damage. A program to develop a method of repairing risks in space was discontinued because it was deemed impractical. Part of the impracticality was probably because of the perceived reduction in the probability and impact of heat shield failures.


On February 1, 2003, just three days after the anniversary of the crash of the space shuttle Challenger, Columbia, the oldest space shuttle in the fleet, disintegrated on approach to landing. At this writing, the investigations have hardly begun, but the heat shielding tiles are once again suspect because there is little that can go wrong on re-entry except for a heat shield failure.

We see that during the project, the evaluation of the risk of heat shield failure began as high risk. As time went on, the risk was revalued lower and lower. After the crash, the valuation of the risk has no doubt been raised higher than its former level.

In all projects, as we gain knowledge and experience about the project and its risks, we will change our attitude toward the risks in the project. This is natural and important. As we learn, we must change the level of effort we spend in certain areas or we will never have the resources, time, or money to complete any project.

A control system for risk is influenced by the organization the project is being managed under as well. In a project that is high in risk, we might have a person who is at a high level and is exclusively responsible for managing risks. On projects that are relatively routine by comparison, the risk manager may be the person responsible for the tasks that are most affected by the occurrence of a risk. These persons are responsible for communicating risk progress to the project manager and other affected stakeholders.

Risk audits can be used to document the effectiveness of the risk plans and the strategies that were used to mitigate, avoid, or transfer risks. A judgment can be made as to whether it was cost-effective to ignore the risks that were ignored.

Deviations in the project performance may indicate the effect of risks on the project. The earned value reporting system is helpful in identifying trends in performance on the project. Generally, schedule slippage and cost overruns are the results of some problems that have occurred. Trends in certain areas may indicate that risks are more severe than was anticipated or that new risks have taken place. One important product of the earned value reporting system is the indication of the cost and completion date at the end of the project. The sooner these slips in schedule or budget overruns can be communicated to the stakeholders, the better it will be for the project. Schedule slides and budget overruns that are severe enough can result in project termination.

A workaround is an unplanned response to a risk that was previously unidentified. These are the unknown risks that were discussed at the beginning of this chapter. They are also the risks that were passively accepted since these were deemed to be risks that would be ignored. Workarounds are paid for from funds from the contingency reserve or the management reserve, depending on whether the risk was identified and accepted or whether it was unknown until it occurred. In any case, the funding for the workaround comes out of these accounts and is put into the operating budget of the project, and a new baseline is created.

Since contingency plans and workarounds are not part of the project baselines until they occur, they should be initiated and approved by the execution of official change notification. Remember that changes to the baselines should require an official change notification as the vehicle for showing the change in funding, schedules, and scope resulting in a new and current baseline.