6th Edition PMBOK® Guide: Process 11.4 Perform Quantitative Risk Analysis: Outputs

Here are the outputs to the process 11.4 Perform Quantitative Risk Analysis:  hey are all project documents which give quantitative results regarding the overall project risk exposure, as well as a probabilistic analysis of the project.    In addition, there is a prioritized list of individual project risks, the start of a trend analysis in quantitative risk which will be updated throughout the project, and a set of recommended risk responses which sets you up for the next process 11.5 Plan Risk Responses.

Although the outputs focus on the overall project risks, various individual risks are highlighted that pose the greatest threat or opportunity to achieving the key objectives.

11.4.3  Perform Quantitative Risk Analysis:   Outputs

  • Assessment of overall project risk exposure
    • Chances of project success, measured by the probability that the project will achieve its key objectives (deadline or other interim milestones, required cost target, etc.)
    • Degree of variability remaining within the project, indicated by the range of possible project outcomes (related to the largest individual risks that are indicated by the sensitivity analysis tool/technique).
  • Detailed probabilistic analysis of the project
    • Amount of contingency reserve needed to provide a specified level of confidence
    • Identification of individual project risks or other sources of uncertainty that have the greatest effect on the project critical path.
    • Major drivers of overall project risk.
  • Prioritized list of individual project risks–using sensitivity analysis, you identify those project risks that pose the greatest opportunity to the project.
  • Trends in quantitative risk analysis results–you take this same quantitative risk analysis output and update it during the project if there are any changes either in probability or impact of the largest individual project risks.   In this way, you can chart the trends in quantitative risk analysis results.   For example, if a major individual risk is not triggered during the project, then this has an effect of lowering the overall project risk because that individual risk was a big contributor to the total risk.   Or if the probability of a risk increases, this may have an effect of increasing the overall project risk.   The trends may show where it is important to spend the effort in developing risk responses.
  • Recommended risk responses–based on the results of the quantitative risk analysis, the risk report may present suggested responses to the level of overall individual risk exposure or key individual project risks, thus giving valuable input to the next process

The next post cover will the inputs for process 11.5 Plan Risk Responses, which come from not only the 4 other planning processes for risk management, but from documents related to other project management knowledge areas.


6th Edition PMBOK® Guide: Process 11.4 Perform Quantitative Risk Analysis: Tools and Techniques (3)

Now is the post where we discuss the data analysis techniques of quantitative risk analysis.

11.4.2   Perform Quantitative Risk Analysis:   Tools and Techniques  Data Analysis

  • Simulation–in the qualitative data analysis, you assigned a probability and an impact to each individual project risk.   With simulation, it’s as if you roll the dice on each risk to see whether in a particular scenario the risk would occur.   If it does occur, you count that impact towards the total.   If it does not occur, then you don’t count it.   You sum up the impacts that get added to the total by all the triggered risks for that scenario.   Then you have the computer software do the calculation over and over again, and you get as a result a probability curve for how much the total impact will be.   Then you choose a confidence interval, so that you can say as a conclusion that “within 90% confidence level, the potential impact of the project risks will be a total of X dollars.”   For an example of such a probability curve associated with the simulation, see Figure 11-13 on p. 433 of the 6th Edition of the PMBOK® guide.   Note that because such a simulation requires sometimes thousands of calculations, this is not something you will be required to do for the exam, but you will be required to know what this data analysis does and basically how it works.
  • Sensitivity analysis–out of all the individual project risks, there will be some that have the most important potential impact on project outcomes.   A typical way of representing these potential impacts is the “tornado diagram”, so called because the wedge shapes that represent the largest potential impact are put on top, and the smaller risks with progressively smaller impact are put underneath so that the diagram is vaguely funnel shaped.  An example of such a tornado diagram is in Figure 11-14 on p. 434 of the 6th Edition of the PMBOK® guide.
  • Decision tree analysis–the concept behind decision tree analysis is actually pretty simple.   Say there is a scenario in which there are two possible decisions, decision A and decision B.    For each decision, there are two possible outcomes, outcome A and outcome B.   You calculate how much money it will cost to adopt decision A, and calculate the Expected Monetary Value (EMV) of scenario A by taking the impact of outcome A times the probability of it occurring plus the impact of outcome B times the probability of it occurring.   The total EMV of scenario B is then calculated and compared to the EMV of scenario A.   Which has the lower EMV, decision A or decision B?   That is the decision that you should choose.   Look at the example of Figure 11-16 of a Decision Tree problem on p. 435 of the 6th Edition of the PMBOK® guide.
  • Influence diagrams–you take a particular situation within a project, most likely the ones you get from the sensitivity analysis described above that show the situations that have the greatest potential impact on the project.   What are the factors that influence these individual project risks?   You then do an analysis of the probability distributions effecting these influences, so you can model what the combined total of these influences will be on the probability and impact of the individual project risk you are looking into.

Although all of these techniques are quantitative, they all ultimately stem from the same concepts of probability and impact that you looked at in the previous process Perform Qualitative Risk Analysis.   The only difference is that a) the impact has to have a specific dollar amount rather than a qualitative description, and b) the analysis of all the individual project risks is summed up to show a total potential impact on the overall project objectives, usually involving the three basic constraints of schedule (will the project be done within the deadline), cost (will the project be done within the budget), and scope (will all the requirements of the project be met).

The next post will discuss the outputs of this process…

6th Edition PMBOK® Guide: Process 11.4 Perform Quantitative Risk Analysis: Tools and Techniques (2)

In yesterday’s post, I discussed the “generic” tools and techniques associated with this process 11.3 Perform Quantitative Risk Analysis, that is, those that are also used in conjunction with a number of other planning processes:  expert judgment, data gathering, and interpersonal and team skills.

Today let’s talk abut the remaining tools and techniques which are specific to this process.

11.4.2  Perform Quantitative Risk Analysis:  Tools and Techniques  Representations of Uncertainty

When you are dealing with uncertainty in regards to estimates for duration, cost and resources, the model of how to deal with this is a probability distribution.   Let’s take two examples that should be familiar if you know about the three-point estimates used in estimating duration and/or cost estimates.

Take an example of estimating how long it takes for you to get to work.   If you are asked by your boss to give him or her an estimate of how long it takes you to get to work, you may give that person a single figure, a one-point estimate, say 30 minutes.   That’s the estimate you use if everything is going well with regards to traffic–no accidents, no road construction, no weather hazards, etc.

Now let’s say that your boss says you have to be at a start-up meeting at a certain time, and that your success on the job is critically depending on being there on time.   Will you leave your 30 minutes ahead of that meeting time?   If you are me, and you are being risk adverse, you will want to leave a little earlier.   How much earlier?

Here’s where the three-point estimate comes in.   The 30-minute estimate is actually just the most likely (M) estimate.   A pessimistic estimate (P) is based on what happens if a negative risk occurs, such as one of the things I mentioned above such as a traffic accident that slows traffic down.    These things happen infrequently, but if they do occur, it could mean a delay of at least 30 minutes, meaning a total of a 60-minute commute.   An optimistic estimate (O) is based on what happens if a positive risk occurs also known as an opportunity.   There may be less traffic than normal on a given day, perhaps because it is a federal holiday which most people get off but you don’t.   The only positive aspect of being one of the few who have to work on that day is that traffic is similar to weekend traffic, and you may find yourself zipping to work in only 20 minutes.

How do calculate the three-point estimate based on the most likely, pessimistic and optimistic estimates?   Well, here’s where the probability distribution comes in.

If you have a triangular distribution, you count the pessimistic, optimistic and most likely EQUALLY.   You take their average the normal way with three items that are of equal weight, namely (P + O + M)/3 = (60 + 20 + 30)/3 = 35 minutes.   But if you are using a beta or weighted average distribution, this gives 4 times as much weight to the most likely estimate.   Why?  Well, that’s why it’s called the “most likely”, because it is most likely to happen as compared to the scenarios behind the pessimistic and optimistic estimate.   In this case the weighted average is then (P + O + 4M)/6.   Why do you divide by 6 instead of 3?   Because it’s like there are six different terms, with four of them being the same one, the most likely estimate.   In this case, then, the weighted average becomes [60 + 20 + 4(30)]/6 = 33.3 minutes.   So you would give yourself an extra 3.3 minutes head start to get out the door rather than an extra 5 minutes in the case of the triangular or regular average.

Now there are other probability distribution such as the “normal” distribution or “bell curve” distribution that represent the normally occurring distribution of probabilities in naturally occurring phenomena like height in populations, etc.   Other types of probability distributions are listed on p. 432 of the 6th Edition PMBOK® Guide.

Another way for uncertainty to be represented in the case of individual project risks is something called expected monetary value or EMV.   Let’s say there is a 10% risk of something happening, but the impact if it does happen is that it will cost the project $10,000.   How much money should you put aside for a risk response?   With EMV you simply take the probability of 10% and multiply it times the potential impact of $10,000, and you get $1,000 as the money that should be put aside.   This risk response is an example of a contingency reserve, or money that is put aside in case an individual project risk occurs that has been predicted beforehand in the risk register.   If you take the various probabilistic branches for all the individual project risks, you get something close to the simulation described in the next tool and technique called “data analysis.”

We’ll talk about that set of techniques in the next post.

6th Edition PMBOK® Guide: Process 11.4 Perform Quantitative Risk Analysis: Tools and Techniques (1)

This is a very complex process and there are two types of tools and techniques used with it:   what I term the “generic” tools and techniques which are used with many planning processes, not just this one.   And then there are the data analysis techniques (simulation, sensitivity analysis, decision tree analysis, influence diagrams) that are used specifically with this particular process.

I am going to split up the tools and techniques and describe the generic ones in this post, and save the ones that are specific to this process for the next post.

11.4.2  Perform Quantitative Risk Analysis:  Tools and Techniques  Expert Judgment

Expertise should be considered form those people who have specialized knowledge regarding the quantitative analysis of risks.   In particular, those who know about:

  • Translating the information on individual project risks in terms of probability and impact into numeric inputs for the quantitative risk analysis model using a tool called Earned Monetary Value.
  • Selecting the most appropriate representation of uncertainty to model particular risks.   You are familiar with the triangular and beta distributions from the concept of three-point estimates.   There are other distributions that are possible and an expert will know what is the most appropriate for the project at hand and know how to work with them.
  • Which of the modeling techniques are most suitable for use on the project (simulation, sensitivity analysis, decision tree analysis, and/or influence diagrams).
  • Interpreting the outputs of quantitative risk analysis and preparing them for inclusion in the risk register and risk report.  Data Gathering

Interviews are the main form of technique used to gather data from the experts mentioned above.  Interpersonal and Team Skills

Although individual interviews with experts are helpful, with a complex topic like risk analysis it is often extremely beneficial to have a dedicated risk workshop, and this is where the skill of facilitation of such a workshop comes into play.   A facilitator needs to help do the following:

  • Establish a clear understanding of the purpose of the workshop
  • Build consensus among participants
  • Ensure continued focus on the task, especially if someone talks about something which is not in the scope of the workshop
  • Use creative approaches to deal with interpersonal conflict or to uncover sources of bias.

The next post will cover the other two sets of tools and techniques:   representations of uncertainty and data analysis.

6th Edition PMBOK® Guide: Process 11.3 Perform Quantitative Risk Analysis: Inputs

Qualitative risk analysis and quantitative risk analysis are different in the following ways.

  • Qualitative risk analysis is based on the subjective impression of stakeholders regarding the probability and impact of individual project risks.   Quantitative risk analysis, on the other hand is based on the availability of high-quality objective data about the probability of those risks and objective data regarding their impact on the project baseline for scope, schedule, and cost.
  • Quantitative risk analysis is appropriate for large or complex projects, or those that are strategically important or are required by key stakeholders or contractual requirements.
  • Qualitative risk analysis focuses on individual project risks, but quantitative risk analysis evaluates the aggregated effect of these risks on the overall project outcome.    The overall goal is to be able to specify the level of confidence in being able to achieve the stated basic constraints of scope, time and cost.

This post deals with the inputs to this process.

11.4.1  Perform Quantitative Risk Analysis:   Inputs  Project Management Plan

The components of the project management plan that are used as inputs consist of a) the risk management plan component and the baselines for the three basic constraints of scope, time and cost.

  • Risk management–the risk management plan should indicate whether the project is of sufficient size and complexity to warrant the time, cost and human energy spent in doing a quantitative risk analysis.
  • Scope, schedule and cost baseline–these baselines give the starting point for evaluating individual project risks and other sources of uncertainty.   For example, any activity identified in the scope baseline component of the Work Breakdown Structure as being on the critical path should automatically be scrutinized as being higher risk because any delay in that activity will cause a delay in the entire project. Project Documents

The PMBOK® Guide lists these in alphabetical order, but I am listing them below according to their category to make the list easier to comprehend.

Documents related to basic constraints and assumptions

  • Assumption log–assumptions that pose a risk to project objectives should be examined as well as the effect of basic constraints of the scope, time and cost
  • Milestone list–these define the schedule targets against which the results of a quantitative schedule risk analysis are compared (for example, a finding that there is 80% confidence in achieving the project deadline)
  • Resource requirements–the required resources (both human resources and physical resources) can provide a starting point from which variability is evaluated.   For example, the delivery date of required key physical resources or the availability dates for key human resources would create risks to the project objectives if they are not adhered to.

Documents related to estimates

  • Basis of estimates–this provides background on the estimate’s accuracy, methodology, and source of information.
  • Cost estimates, duration estimates–three-point estimates which give the most likely estimate, as well as the optimistic and pessimistic estimates based on the triggering of certain risks, provide a starting point for the modeling of qualitative risk analysis.

Documents related to forecasts

  • Cost forecast, schedule forecast–cost and schedule forecasts using earned value management such as the Estimate to Complete (ETC), the Budget at Completion (BAC), and the To-Complete Performance Index (TCPI) may be used in conjunction with quantitative risk analysis to determine the confidence level of achieving those targets.

Documents related to risks

  • Risk register–this will include details of individual project risks to be used as input for the quantitative risk analysis done in this process.
  • Risk report–this risk report describes sources of overall project risk (which can be found in the project charter)  Enterprise Environmental Factors

  • Industry studies of similar projects
  • Published material, such as commercial risk databases or checklists.  Organizational Process Assets

  • Information from previous similar projects done by the organization.

The next post will cover the tools and techniques of quantitative risk analysis, but these are so numerous and some of them so complex that it will take a couple of posts to describe them all…


6th Edition PMBOK® Guide: Process 11.3 Perform Qualitative Risk Analysis: Outputs

The results of the qualitative risk analysis performed in this process are put into the risk register and the risk report, with additional changes being made to the assumption log and issue log as necessary.

These are the main outputs of the process 11.3 Perform Qualitative Risk Analysis:

11.3.3  Perform Qualitative Risk Analysis:   Outputs

  • Risk register–the risk register should have a list of identified risks and the risk owners based on the results of the last process 11.2 Identify Risks.   For each of these risk register entries, you should now add information on the following:
    • Assessments of probability and impacts for each individual project risk
    • The combined risk score and its priority level (very low, low, moderate, high, or very high)
    • Risk urgency information and/or additional risk categorization
    • Watch list for low-priority risks
  • Risk report–the risk report that goes out to all stakeholders concerned with risk should include the following:
    • The most important individual projects risks with the highest probability/impact
    • Prioritized list of all identified risks on the project
    • Summary conclusion
  • Assumption log–if during this process, new assumptions are made, or new constraints identified, these may  be added to the assumption log
  • Issue log–if during this process, any new issues are uncovered or any changes are made to the currently logged issues, the log is updated to reflect them

The next process is taking the qualitative analyis and going one step further and doing a qualitative analysis.   The next post will cover the inputs to this process.

6th Edition PMBOK® Guide: Process 11.3 Perform Qualitative Risk Analysis: Tools and Techniques

This process takes the individual project risks identified in the last process 11.2 Identify Risks and starts to categorize them by assessing their probability of occurring and their potential impact on the project if they do occur.   Why do this assessment?   Because it allows you to prioritize them so that you are concentrating on higher risks.   There are four basic ways of dealing with negative risk to a project:

  • Accept–for low-impact, low-probability risks
  • Transfer–for high-impact, low-probability risks:   transferring some of the risk via insurance.
  • Mitigate–for low-impact, high-probability risks:   taking preventive measures to lower the probability that the risk may occur, or to mitigate the impact if it does occur.   You can’t stop it from raining, for example, but you can take an umbrella to prevent yourself from getting soaked if it does rain.
  • Avoid–for high-probability, high-impact risks:   figuring out possible alternatives to reduce the probability, or by outsourcing higher-risk activities to other companies more experienced in dealing with that risk.

This general framework of generic risk strategies comes from the 5th Edition PMBOK® Guide,; although it does not explicitly appear in the 6th Edition, I still found it a useful framework for conceptualizing how the qualitative analysis of risk leads to some generic strategies for dealing with individual project risks based on their category according to probability and impact.    It is in the next process with quantitative risk analysis that an individual risk response can be crafted.

11.3.2  Perform Qualitative Analysis:   Tools and Techniques  Expert Judgment

This is one of the “generic” techniques used in a lot of planning processes.   It means asking for subject matter experts, in this case on the subject of qualitative risk analysis, to help your project team assess the probability and impacts of individual project risks.   These are people who have either done a similar analysis before, and particularly those who have analyzed a similar project to the one currently being done by your organization.  Data Gathering

Interviews with stakeholders are one way of assessing the probability and impact of individual project risks.  Data Analysis

  • Risk probability and impact statement:   risk probability is the likelihood that a specific risk will occur, and risk impact is the potential effect on one or more project objectives such as schedule, cost, quality or overall performance of scope.  Although it is a qualitative analysis meaning that is based on the subjective impressions of people, it can be nonetheless quantified to a certain extent by giving a scale or range for the probability and/or impact.   For example, you could use the following scheme to rate each risk from 1 to 5:
    • Very low (1)
    • Low (2)
    • Moderate (3)
    • High (4)
    • Very high (5)

Or you could try rating each risk from between 0 and 1, with “very low” being close to 0 and “very high” being close to 1.   It depends on how your organization classifies risk and this should be included in the risk management plan.

When you combine the two factors together, you will get a combined probability and impact rating.   In the top scheme above, the combined rating will be from 1 to 25, and in the bottom rating, it will be between 0 and 1.   An example of such a combined probability and impact rating matrix is given in Figure 11-5 on page 408 of the 6th edition of PMBOK® Guide.

Usually risks that are both low impact and probability are put on a “watch list”, where they are simply accepted (meaning that there is no specific risk response to try to mitigate the impact or probability), but are monitored to see if they increase in probability or impact during the course of the project, in which case a risk response may have to be developed.

  • Risk data quality assessment–although this is most often done during the monitoring and control process group, it is important to review the results of the qualitative risk analysis to make sure they are accurate.
  • Assessment of other risk parameters–although probability and impact are the most important parameters to assess, your organization may add others, such as “urgency”, the period of time within which a risk response needs to be implemented for that particular risk.   The complete list of these additional parameters are listed on p. 424 of the 6th edition of PMBOK® Guide.  Interpersonal and Team Skills

Here is another “generic” tool and technique used in conjunction with gathering data in many planning processes.   Facilitation is like a group interview technique where participants focus on the risk analysis task  and reach a consensus on assessments of probability and impact rather than just having individual interviews.  Risk Categorization

There is a tool called a Risk Breakdown Structure which helps categorize risks based on their source such as the following suggested categories listed in Figure 11-4 on p. 406 of the 6th edition of PMBOK® Guide:

  • Technical risk
  • Management risk
  • Commercial risk
  • External risk

Grouping risk into these categories can help in focusing on particular types of risk, and developing generic risk responses to address groups of risks related to the same source.  Data Representation

  • Probability and impact matrix–this is a grid for mapping the probability and impact of each individual risk, with an example being given in Figure 11.5 on p. 408 of the 6th edition of PMBOK® Guide.
  • Hierarchical charts–another possible form of data representation would be if there are three parameters, so for example, the probability and urgency would be represented by the x- and y-axis, and the impact denoted by a bubble which represents the size of the potential impact on the project.   An example of what this looks like is included on Figure 11-10 on p. 426 of the 6th edition of the PMBOK® Guide.  Meetings

PMI recommends that there be special meetings devoted specifically to the discussion of individual project risks.   This is not just during the planning phase, like in this process of assessing their probability and impact, but also during other processes.

The meeting related to this process should include the following:

  • Review of the list of previous identified risks
  • Risk owner allocated to each individual project risk
  • Reviewing the probability and impact scales to be used during the analysis
  • Conducting an assessment of the probability and impact of the individual project risks and using probability/impact matrix to get combined rating
  • Categorization and prioritization of risks based on combined probability/impact rating
  • Identification of additional risks (to be added to the risk register)

The next post will be on the outputs of this process.




6th Edition PMBOK® Guide–Process 11.3 Perform Qualitative Risk Analysis: Inputs

In the last process 11.2 Identify Risks, individual project risks were identified, and in this process and the next one, these identified risks will be analyzed in two ways:   first qualitatively then quantitatively.

In the first qualitative analysis, you take the risk and assess its probability of occurrence and its impact on the project.   The key benefit is that it prioritizes risks so that you can focus the team’s efforts on high-priority risks.   The reason why this analysis is called qualitative is because it is based on the subjective perceptions of risk by the project team.

It is in the next process of quantitative risk analysis that the project team starts using objective measures in order to get a better handle on the magnitude of the individual risks involved.

So what are the inputs to this process?   Of course the project management plan, in particular the risk management plan component, will be used because it gives guidelines on how to do all of the risk management processes, including this one.   Project documents will be needed, the most obvious one being the risk register, but other documents may be consulted as well such as the assumption log (for both the key assumptions and constraints) and the stakeholder register (in order to assign possible risk owners).

11.3.1  Perform Qualitative Risk Analysis:  Inputs Project Management Plan

As mentioned above, the risk management plan, one of the component plans of the overall project management plan, is an important input.   In particular, the following elements are of particular interest to this process.

  • Roles and responsibilities–who is the lead of the risk management team and who are the team members?   Who will support the activities within the organization?  What are the specific responsibilities of each member of the team?
  • Schedule–defines when and how often risk management processes will be performed throughout the project life cycle, and establishes those risk management activities that will be included into the project schedule., including those related to this process of qualitative risk analysis.
  • Budget–gives the budget for risk management activities that will be included into the project budget, including those related to this process of qualitative risk analysis.
  • Risk categories–a risk breakdown structure or RBS is a representation of potential sources of risk on a project.   Creating an RBS helps the project team consider the full range of sources from which individual project risks may arise.
  • Definitions of risk probability and impact–used in this process 11.3 Perform Qualitative Risk Analysis, the probability and impact matrix divides these concepts into qualitative thresholds like “low”, “medium” and “high”.   The definition of these thresholds is important to establish at the beginning of the project.
  • Stakeholder risk appetite–this should be expressed in terms of measurable risk thresholds around each project objective in order to determine the acceptable level of overall project risk exposure.   Project Documents

  • Assumption log–this is the log you create to keep track of monitoring key assumptions and constraints that may affect the project.   High-level strategic and operational assumptions and constraints are identified in the business case (a document prepared by business analysts) and are listed in the project charter.   Lower-level assumptions related to individual activities and tasks are identified throughout the project, such as
    • Technical specifications
    • Estimates (for both cost and schedule)
  • The risk register, the output of the last process 11.2 Identify Risks, will contain details of each identified individual project risk that will be assessed during the Perform Qualitative Risk Analysis process.   Details regarding the probability and impact of each individual risk will be added to the risk register as a result of this process.
  • Stakeholder register–this will include details of project stakeholders who may be nominated as risk owners.   They will be consulted during this process to get their perceptions of the probability and impact of the risks they have been assigned.  Enterprise Environmental Factors

  • Published material, including commercial risk databases or checklists, from similar projects.  Organizational Process Assets

  • Information from similar completed projects done by the organization.

The next post will discuss the tools and techniques of this process.   Some are generic, that is, used in a lot of other processes as well, such as expert judgment, and interpersonal and team skills.   Some, such as the data gathering technique of interviews, are used in other processes.   The data analysis techniques of risk probability and impact assessment, however, is unique to this process.

6th Edition PMBOK® Guide–Process 11.2 Identify Risks: Outputs

I’ve been busy with a move, which is a project of its own, but I’ve finally finished unpacking, and consider this moving project officially CLOSED.   So today I am resuming my daily task of summarizing the contents of the 6th Edition PMBOK® Guide, and I left off at describing the outputs of the process 11.2 Identify Risks.

11.2.3 Identify Risks:  Outputs Risk Register

This document is similar to the stakeholder register in that it is created in one process, but is elaborated on during other processes throughout the course of the project.   The risk register captures identified individual project risks.   These risks after being identified will need to be identified, analyzed both quantitatively and qualitatively, and then risk responses will have to be developed for them in later processes.   In this first process, the risks need to be identified, but if any information on risk owners (risk responses is available, it can be added at this point to be confirmed in later processes. Risk owners are those who have responsibility for monitoring and controlling those particular risks to which they are assigned, and implementing a risk response if the risk is triggered.

Here are the elements the risk register should include:

  • List of identified risks–it should be given a unique identifier in the risk register, and it should be described in detail, including their cause and their potential effect on the project.
  • Potential risk owners–if a potential risk owner can be identified at this point, the risk owner is recorded in the risk register.   This is confirmed in process 11.3 Perform Qualitative Risk Analysis.
  • Potential risk response–if a potential risk response can be identified at this point, the risk response is recorded in the risk register.   This is confirmed in process 11.5 Plan Risk Responses.  Risk Report

This is a new output for this process in the 6th Edition PMBOK® Guide.   As the various risk processes are completed, the results are included in the risk report.   The important results for this process that need to be concluded are:

  • Sources of overall project risk, which may be obtained from the project charter.
  • Summary information on individual project risks listed in the risk register, such as:
    • Number of identified threats and opportunities
    • Distribution of risks across risk categories (based on source of risks)
    • Any metrics and trends to be used in future risk reports  Project Documents Updates

  • Assumption log–if in identifying risks, any new assumptions are made, or new constraints are identified, the assumption log should be updated with this new information.
  • Issue log–any new issues uncovered during this process of identifying risks should be added to the issue log.
  • Lessons learned register–any techniques that were effective in identifying risks should be added to the lessons learned register in order to improve performance in later phases of the project.

The next process will start the analysis of the risks listed in the risk register.