6th Edition PMBOK® Guide–Chapter 11 Risk Management: Key Concepts

Before I go through the 7 project management processes associated with the Risk Management knowledge area, I thought I would cover some concepts, many of which are covered in the introductory section to this knowledge area which starts on page 397 of the PMBOK® Guide but some of which are not and are based on my reading of the material.

  1. “Risk” definition–the actual definition of risk in PMI is “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.”   The definition of risk in “real life” is usually an event that has a potential negative effect, but the risk definition in PMI is wider in that it includes positive effects as well, or what we would normally refer to as an “opportunity” as opposed to the normal meaning of the word which refers to “threats.”   I would not say, for example, that “there’s a risk of my having a good time at the office party” (unless I were being ironic or sarcastic).  But in PMI parlance, this use of the word risk to cover positive opportunities is okay.
  2. Risks and stakeholders–a stakeholder is a “person … that may affect the outcome of a project.”   Note the similarity between the definition of a stakeholder and that of a risk, of an event which may affect the outcome of a project.    The difference?   One is human and one is not.   That’s why we refer to stakeholder engagement but risk management.    You can engage stakeholders and reason with them (or most of them, at any rate), and perhaps manage their expectations.   You can’t, however, argue with the weather and cajole it into doing what you want.   You can prepare for the event of bad weather if it occurs by avoiding it or mitigating it by taking along an umbrella (or using the expanded definition of risk, by taking advantage of good weather).    But you need to take into account both risks and stakeholders, because both can influence your project.
  3. Overall vs. individual risk–individual risks have to do with specific events, but overall risk has to do with uncertainty on the project as a whole.   A company has a certain risk tolerance as part of its organizational culture, and this tolerance refers not to individual risks but to risks in general.   A start-up company is going to be more risk tolerant than an established organization, for example, because the very process of setting up such a company is laden with risks to begin with.   On the other hand, companies that are industry leaders may find that they have to be more risk tolerant in order to maintain their lead position (to take advantage of opportunities which may expand their market).
  4. Known vs. unknown risks–Donald Rumsfeld, the Secretary of Defense under George Bush, gave the risk management world a colorful way of phrasing the difference between known vs. unknown risks:  he called known risks the “known unknowns” and contrasted them with the “unknown unknowns.”   Known risks are “known unknowns” because you know or anticipate that they may happen, but you don’t know whether they will happen or not.   “Unknown unknowns” are those risks which you don’t anticipate.   This is not just a theoretical concept:   there are very real differences in the way they are handled.   Known risks are put in the risk register, and you create risk responses for them which are funded out of contingency reserves.   Unknown risks are not put in the risk register, of course, for the very reason that they are unanticipated.   If they do occur, since you don’t have a plan for a risk response, you have to come up with an on-the-spot solution called a “workaround” which is funded out of management reserves.
  5. Risk and probability–Do you have a risk of dying?   The answer is no because there is no risk involved:  it is a certain event.    The mortality rates that actuarial statistics measure involve the question of how old you will be when you die, which is a different matter because that involves an uncertainty or probability.    One of the things that makes risks manageable is the “law of large numbers”, which is a principle of probability according to which the frequencies of events with the same likelihood of occurrence even out, given enough trials or instances.   So the risks that often occur are the ones that you can predict a probability of occurring with a certain level of confidence.   The unknown risks are those that are unpredictable because they are fortunately rarer.
  6. Risks vs. issues–a risk is a potential event which, if it occurs, is no longer a potential problem but an actual problem called an issue.   Once a risk occurs and becomes an issue, it is dealt with on the issue log, rather than on the risk register.
  7. Risk management flow–here’s the flow of processes for the risk management knowledge area.
    1. Plan–Create a plan for how you will manage risks on your project (gives guidelines on how to do all the other processes)
    2. Identify–Think of all the risks you can that may occur on a project.
    3. Perform Qualitative Risk Analysis–Classify the risks identified in step 2 according to a subjective scheme (low, medium, high) and come up with a strategy of how to deal with them based on the classification.   Low risks you may want to just accept; medium risks you will want to mitigate or insure against, and high risks you may want to do what you can to avoid them.
    4. Perform Quantitative Risk Analysis–Take the risks identified in step 3 that you plan to mitigate or insure against, and come up with an estimate of the cost risk involved.
    5. Plan Risk Responses–Take the risks identified in step 3 that you plan to mitigate and come up with a plan for how to mitigate the probability of their occurring, or the impact on the project if they do happen to occur.   Come up with reserves that will fund these risk responses based on the cost analysis done in step 4.
    6. Implement Risk Responses–in the course of a project, respond to risks as they occur based on the plan developed in step 5.
    7. Monitor Risks–if risks do not occur, then modify the risk register to reflect this; if new risks are identified, add to the risk register developed in step 2.

Next I will discuss the inputs, tools and techniques and outputs for the seven processes of risk management outlined above…

