Project Risk Management

Marco Sampietro1. Professor at SDA Bocconi School of Management. marco.sampietro@sdabocconi.it Maurizio Poli. Professor at SDA Bocconi School of Management. maurizio.poli@sdabocconi.it 1 Why Managing Project Risk Projects are implemented by organizations in order to seize new opportunities that, according to their Management, may be appreciated by the market or can contribute to a better internal efficiency in the organization. Projects are characterized by innovation. Innovation can be implemented in multiple ways: it could mean following a different pathway that has never been considered before, or it could mean following the direction taken by other companies, by also treasure and use at best the experience and the mistakes made by others, or it could also mean applying improvements to well-known products or services, and so on and so forth. In any case, innovation implies a certain degree of uncertainty namely, the fact that there is not a thorough knowledge of events that might happen in the future. In general terms, the higher the degree of innovation is, the higher the uncertainty level will be. An uncertain situation can produce positive as well as negative effects. In the first case, we are dealing with opportunities which, if properly identified and managed, can bring some benefits to the project; in the second case, we are faced with risks which, if not properly identified and managed, can impact the project in negative terms, by making it more expensive, or with a project that goes beyond the expected and planned duration or with one that is poorer in qualitative terms with respect to expectations. Consequently, the fact of non-managing the risk (and opportunities) means overlooking the innovative feature of projects more specifically, it means missing a crucial point that characterizes a project vis--vis ordinary operations or recurring activities within an organization. More specifically, even if we do not want to take into consideration risk management as a discipline, project management can be viewed as a tool to decrease the level of uncertainty and, consequently, a tool to decrease risk in projects. By identifying and clarifying objectives, allocating resources with well defined competences, clarifying responsibilities, fixing some assessment phases in the project and so on and so forth, we tend to decrease the uncertainty level in the project. Where is the difference? By planning, we opt for a pathway (one of the multiple options available) that will take us to the achievement of pre-set targets. This being said, such path will not be free of obstacles: via the implementation of risk management we will try to understand and manage problems and opportunities derived from the implementation of a specific path / plan. The planning activity tells us

Paragraphs from 1 to 5.1 and 6, 7, 8 are by Marco Sampietro. Paragraph 5.2 is by Maurizio Poli.

the course to follow; risk management tries to eliminate the turbulence that might take us off-route. I do not understand: we have devised a perfect plan, we have identified costs right down to the last penny just as we have calculated duration also taking minutes into account, and still we have problems. We are exceeding our budget! Maybe, I have to drill-down information to get to an even more detailed picture! We are late/out by 3% on what was originally planned, thats not bad, especially if we think that our usual supplier has gone bankrupt and did not deliver our goods. Luckily, I sensed that there was something wrong, and I started to look for another supplier that could replace the original one. Chi ha gestito il rischio ? 2 The risk management process The risk management process is a proactive and systematic approach, which aims at keeping the project under control as well as at decreasing its uncertainty level. Managing risks means minimizing the consequences of adverse events, but also maximizing the effects of positive events (risks and opportunities). In this document, we will focus on the area that has to do with managing adverse events. Lets start by reviewing the typical features of a risk management process. The definition systematic means following a well-defined risk-management process. The definition proactive means bein able to identify and manage risks before they brake out. This consideration needs to be reviewed more in detail. Proactivity does not mean being able to see into the future; conversely, it means a timely identification, by resorting to the most appropriate tools, of the highest number of risks that might impact a project. It also means that, once identified, some remedial measures will need to be taken. Just identifying risks and not managing them (managing does not only mean eradicating them, as we will see later on in this paper) is pointless. The only value that such a behaviour might have is that, once they actually erupt, we can recognize them, at least if we were aware about their features (poor consolation!). A good risk management process is set out in five macro phases (fig. 1): 1. Planning the risk management process, by defining the actual execution activities linked to the management process, people involved in the process as well as procedures to be implemented; 2. Risk identification, with specific assessment of projectspecific risks, by making the different information sources taking part in the assessment; 3. Risk analysis, by quantitatively and/or qualitatively reviewing and assessing the risks identified in the previous phase and also deciding which risks need a specific attention and focus;
2

4. Planning a response to risks, by defining which measures shall be taken in order to reduce the project overall risk; 5. Risk monitoring and control, by implementing the risk response plan as soon as they occur or bypass a given threshold. In this chapter, focus will mainly be on phases 2 and 3. The risk management process shall not be viewed as an isolated type of activity. Conversely, risk management shall take place on a regular base more specifically, it is only by making the project develop that new risks can come to light (or some already existing ones can be fixed) and new useful information can be used for analysis and new planning.

RM Process Planning Risk Identification Risk Analysis Risk Response Monitoring & Control

Figure 1. The risk management process

3 Planning a Risk Management Process As to this phase, the main target is to provide guidelines for risk management activities, by setting a structured approach for actually managing the risk. In order to develop this phase, the following points shall be taken into consideration: any existing policies and procedures pertaining to risks in general terms, the implemented approach shall be fine-tuned with the type of project more specifically, with its dimensions, its impacts, with the project team experience as well as with respect to the importance of the project itself vis--vis the organization.

As to the first point, if the company has already devised some guidelines pertaining to risk management in more general terms, or to management of some specific risks, the project risk plan shall also use and include them. It is a useful approach, because it prevents any duplications of efforts, and it allows for sending a quite consistent message to co-workers, who are already familiar with such procedures. As to the second point, it pertains to customization of the implemented approach based on true needs and on the environment where it is used.
In a mono-functional software development project, the project manager had decided to resort to a pre-defined list of risks devised by a famous University and to personally mark on that list the risks pertaining to the project. He had achieved a good result, as many mistakes had been avoided. That same person, one year later, was appointed as leader of a project focused on the optimization and streamlining of processes involving five organization functions. The project manager, based on his previous experience, decided to use the same check list. Unfortunately, he was not successful this time, as he was able to identify and manage the technology-related risks, but he totally underestimated or overlooked the organizational-related ones. Consequently, the project became highly conflicting and timing and costs went out of control.

At this phase, the following issues shall be tackled: selecting the information sources to be used for risk detection (historical data, check list, knowledge of people, etc.); defining the risk identification techniques to be used brainstorming, forms, etc.); (interviews,

defining roles and responsibilities of people with respect to risk management (who is responsible for the management of a specific risk area, what are his/her powers); Setting the time-frame for risk-maintenance purposes; Defining how to allocate and interpret values linked to risks (probability, timing and impacts) (Which are the scales to be used: numerical, qualitative ones? Down to what detail?); Setting the attention and action threshold to be used as a reference (within our organization, is it wise to focus on a risk with medium probability and impact scores?) Defining the communication and reporting methods to be implemented.

By focusing on the above listed points, we implement an official mechanism that can be easily used and communicated; moreover, it makes project risk management more effective and stable over the time. The project risk plan can then be used in other projects, if properly customized.
4

I do not understand, do you want to drive me crazy?! In the project that we managed 6 months ago, we rated risk probability on a low, medium/low, medium, medium/high, high and extremely high scale. In the project that we had 3 months ago, we used the 0.2, 0.4, 0.5, 0.6, 0.8, 0.9 rating scale. Now we are rating risk probability by using the words unlikely, quite likely, likely, highly likely. Cant we identify a standard rating scale that fits all the projects? You are incompetent: now we are late because of you! You have not managed risk by rating it as medium, and now we need to find alternative solutions! I am sorry, but in the previous project, risks rated as medium were not even taken into consideration!

4 Risk Identification Phase Apart from drawing up the risk management plan, which sets the framework and the guidelines to be followed, the risk identification phase is of particular relevance, as it sets the foundations for truly managing risks (it is a bit like the WBS used for planning activities). We can have some excellent methods for managing risks, but if we apply them to the wrong ones or if we are not able to identify the most important ones, the outcome is a pure expression of style, which will produce poor benefits for the projects. Consequently, the identification phase shall be a very thorough job. Identifying risks entails also the following: understanding the causes generating them, opting for the most appropriate methods supporting a thorough understanding of root-causes.

As to the first bullet-point, risk factors are generated by the actual project features and by its interactions with the environment. By reasoning according to macro-areas, there might be risks linked to the following: the intrinsic characteristics of the project to be implemented (the main output); project management more specifically, the way events in the project are planned and controlled. This point includes technical and method-related issues as well as organizational issues; the outside environment, by which the following is meant: o managing communication, contacts, interests and the level of involvement of all those who are impacted by the project (stakeholders); o managing constraints coming from entities that are beyond our control, like regulations, directives, etc.

Such macro-areas are linked to the identification methodologies. In fact, there are methodologies that only cover part of them, and being aware of this is advisable so as to focus also on the overlooked areas. The methodologies and the identification tools covered by our paper are the following: 1. WBS 2. Networks 3. Assumption analysis 4. Check list 5. Interviews 6. Brain storming 7. Historical data The identified risks shall be proposed with a short description, in order to be clear without any possible misunderstanding. Such description, in order to be as understandable as possible, shall be organized into three sections: cause, risk, effect (figure 2). Just out of clarity: by cause, we mean the event triggering the risk; this being said, what we consider as being a cause might be viewed as an effect by others. Our ability to drill down our analysis on causes depends on the available resources and on the degree of control that we have on events. Cause As the supplier has provisioning problems Risk Effect

The delivery of motors The project time-frame might be delayed might be extended

Figure 2. Example of risk description The cause As the supplier has provisioning problems could actually be determined by other events, like a financial crisis of upstream suppliers, which might be triggered by other causes and so on and so forth. Such other causes could also be unknown by us. Being able to trace back the real causes could only be useful, if people involved in the project can take measures with respect to them. In the above illustrated example, the fact of knowing that the provisioning problem is caused by hindrances in getting the row material used in the manufacturing of motors does not add much to our analysis, as we do not have powers to find a way out. The various techniques that we are going to illustrate can jointly be used. Some of them provide some semi-finished results that can be used as such, others are a support to further reasoning. WBS. WBS breaks down the objective into activities that can be planned, managed and assigned to a unique person. Consequently, WBS is a static representation of the
6

path that has been chosen in order to deal with the project and, as such, it can be useful as starting point for risk identification. More specifically, risks will have an impact on the activities set in the WBS and, consequently, focus shall be given on those activities. The major benefit that WBS has is that it allows the analysis to be carried out against the project-specific background; nevertheless, it also has some flaws: it does not tell risks and causes, it only identifies the activities where risks might develop; activities often show a granular structure that does not allow for the identification of truly operative guidelines; activities supporting the project are often not included in the WBS i.e.: project management activities or communication management ones although they are a risk source too (and they should be included in a good WBS); in WBS risks and effects connected to time scheduling do not appear, because the information on dependencies and resources allocation is not included.

Networks. By reviewing the project network, in general, and the CPM diagram, in particular, some risks can be detected: activities with multiple input from different paths risk to become a risk-area, due to the needed synchronization, which is based on a massive coordination work; the critical path may produce the risk of non-compliance with the timing; the semi-critical paths can easily become risk sources with respect to timing non-compliance; the quality of resources dedicated to activities identified in the critical and semi-critical paths shall carefully be evaluated, if we want to avoid a higher risk of timing non-compliance.

Assumption analysis. Projects, meant as innovative activities, are not exclusively based on certainties, they are rather based on hypotheses (assumptions). An assumption analysis, in terms of incompleteness and inaccuracy, can be a useful source for risk identification. Examples are assumptions on price growth, assumptions on turnover etc. Check list. These are risk precompiled lists that can be used in a quite simple way. Usually, checklists are summaries based on the experience of multiple projects. Many are those publicly available and some of them focus on some specific areas. Checklists have the advantage of speeding up identification of the most-recurring risks. Such feature makes them also dangerous, because people tend to exclusively focus on the risks included in such document, or to approach them with condescension (lets speed
7

up, this checklist is the same as the one we had for our latest project...). Lastly, the fact of resorting to a check list does not mean that risk identification is to be carried out by one single person. Interviews. Interviews are useful for identifying risks as well as for analysing them. They are used as an alternative to group identification (when such option is not feasible), or in order to get the opinion of people who are not directly involved in the project, but who are believed they could provide some useful insights. Interviews to experts become particularly important namely, asking the opinion of people who are thought to be able to provide a high added value, thanks to their experience. Brain storming. This technique is based on the distinction and separation of the ideageneration phase from the actual judgement. In a meeting dedicated to risk identification, this means asking participants to list what are the negative events that might break out in the project. It is possible to follow incremental detail levels more specifically, starting from identification of project risks per area, the analysis can drill down to individual activities. Historical information. Resorting to a project-risk database can be a valuable source of ideas, provided that risks are sorted according to some specific project characteristics otherwise the result is a thicker and thicker checklist that gets more and more generic.

5 Risk Analysis Phase The identification phase only produces a list of risks, which, unfortunately, is not useful for an operative management of the project. As a matter of fact, a long list of risks can create greater confusion, rather than producing remarkable benefits, as the attempt to manage all of them would probably result in an actual duplication of work. Consequently, a further step forward is advisable: analyzing the risks to understand their characteristics is now necessary so as to focus the attention on the most relevant ones. The type of attention that takes to risk management depends on each individual company and sometimes on each individual project. During the analysis phase, the following measures shall be linked to each individual risk: event probability to occur; timing of the event that could potentially occur; event frequency (i.e. if the risk is repetitive or not); identification of the impacted activities; identification of the impact on individual activities and on the project as a whole in terms of: o timing,
8

o costs, o quality, o other important performance dimensions. Usually, such information cannot exclusively be provided by the project manager: involving all the people who have a thorough knowledge of risks and of what they entail, similarly to the identification phase, is necessary. In the previous example, pertaining to provisioning problems experienced by suppliers, the purchase department could provide some useful indications. Risk analysis can be developed in quantitative as well as qualitative terms. A qualitative analysis is useful to understand the general characteristics of individual risks, it is likewise useful to plan adequate responses and to gain a better understanding of the overall risk-level in the project. Conversely, a quantitative analysis can be useful to get a more in-depth reviewing of each individual risk (usually, the most important ones) as well as to review how the project as a whole will develop different scenarios. A quantitative analysis provides more comprehensive information about the project dynamics; this being said, it is more expensive and requires the project manager to have a higher degree of knowledge and preparation. Project characteristics dictate what is the best approach to be implemented. As an example, an order with heavy penalties in case of late delivery could push people involved in the project to opt for a quantitative approach; conversely, a non-critical internal project can cover risks by using a qualitative approach. In any case, one approach does not exclude the other, and they can usefully be used in parallel.

5.1 Qualitative Risk Analysis A qualitative risk analysis is based on the assignment of general values/measures on variables pertaining to risks; sometimes it can be based on subjective assumptions, especially when collecting other types of information is impossible or when collecting that same information is too expensive with respect to the importance of the risk itself. Before carrying out an in-depth analysis of risks, in case we are faced with a high number of them, understanding accuracy of the collected information can be useful. As a matter of fact, project people could be facing a case in which many are the risks originally identified and, in reality, they are just speculations or the information risks are based on are totally unreliable. Knowing the quantity and the quality of information that got to the identification of a certain type of risk is crucial, if we want to understand these issues. This is quite a delicate type of task as, in such cases, the following reasoning/behaviour might be developed: In order to show how good I am, I will identify a set of risks and I will do my best to make people think that they are all important so that, once the project is completed, when activities under my
9

responsibility will prove to be all successful, they will think that I am the best, because I have successfully managed also the most adverse situations. Leaving aside these types of behaviours, and thinking in more cooperative terms, we can obtain a first sorting of risks by resorting to a tool as hereinafter described.
Risk cause The supplier is about to go bankrupt and, as a consequence, our supply of row material could be stopped Quantity of available data (from 1 to 10) Quality of data (from 1 to 10)

Figure 3. Risk quality analysis The measurement scale is arbitrary. What really matters is being able to identify some quantitative and qualitative data scores, so that risk is eliminated or searching for some additional pieces of information can start. For instance, if the information of a supplier being close to bankruptcy comes from its direct competitor, maybe the quality of that specific figure is not to be viewed as excellent. Conversely, if ten suppliers say the same thing, trying to gain some more insights on that specific information is advisable. In case the General Manager also recognizes the fact that his/her company is in financial troubles, data quantity as well as quality are at their maximum level/scores. Now we have a list of actual risks, with which the above listed scores shall be matched. As to risk likelihood to break out, scales from 1 to 10, from 1 to 7 or a low medium high probability scale can be used. Obviously, using a scale that allows for a little bit of argumentation is extremely useful; as a matter of fact, only resorting to high, medium or low is not so much productive or fruitful. There is an important point worth of being highlighted: the maximum value/score in a scale does not correspond to certainty, as certainty is not a risk anymore, it is a fact. Consequently, activities relating to such facts shall be illustrated in the project plan. For instance, if a project envisages diggers to be used in Greenland, stating that there is the risk that temperatures could be very low and that fuel could freeze in tanks is not fair, as the weather will be extremely cold for sure and adding antifreeze additives is a must.
1 1 Very low 10% 20% 30% 2 3 2 Low 40% 4 5 3 Medium 50% 60% 70% 6 7 4 High 80% 8 9 5 Very high 90% 95% 10

Figure 4. Examples of scales used for a qualitative risk analysis The fact that a risk has been identified does not mean that it will immediately come to the surface; consequently, identifying when its negative effects will break out is advisable. Also in this case, various types of scales can be used (days, weeks, months; short-, medium- or long term scales, and so on and so forth). Moreover, risks can be
10

recurring and, consequently, understanding if a risk will only take place once or whether it will erupt on a regular base, becomes an important piece of information namely, knowing how many times and with what time pattern it will break out is advisable. The analysis is completed by assessing the impact of each individual risk factor. Assessing the impact means identifying where a risk will strike (which activities will be impacted by a risk), what and for how long namely, will it mainly impact time, costs or quality? And what will the size of such impact be? In fact, assessing the impact of a risk factor is difficult, when it is not put against the project background. For instance, a possible late delivery of motorbike rims is not a problem, if bikes are held by a gantry in the final assembly stages and wheels are only mounted at the very end of the assembling process. Conversely, if in that given company motorbikes rims are usually assembled when they are already sitting on their kickstand, the impact can be remarkable. Sharing the project structure with people involved in risk analysis is the only way to get some consistent assessment; otherwise, a risk that has a strong impact on the activities carried out by one single person could be judged by that same person as strongly impacting the project as a whole. It is now possible to provide an assessment of risk impact on a given project. Also in this case a measurement scale can be used but, conversely from the one telling us probability of a given risk to break out, which is easily readable, associating some parameters to each value/score is requested. This idea is illustrated in figure 5.
Impact 7 6 The project cannot be viewed as successful Up to 30% increase in costs, or in timing, or quality to be viewed as borderline in terms of acceptability A 20% to 29% increase in costs, or in timing or quite poor quality A 10% to 19% increase in costs, or in timing or remarkable decrease in quality An increase from 3% to 10% in costs, or in timing, or visible decrease in quality Up to 2% increase in costs, or in timing, or a slightly measurable decrease in quality Impact almost unobserved Interpretation

5 4 3 2 1

Figure 5. Example of an impact scale and its related interpretation Among the three reference parameters (timing, costs and quality), quality is the most difficult to be judged. As to this parameter, the organization shall try to identify some measurement methods that are shared for all the projects, or for some categories. For instance, in case of software development, an ex-ante quality measurement value could be the number of functionalities provided versus what has been planed. All the elements needed to get a general overview of risks in a project are now available.
11

Usually people resort to a matrix-based description formula, in order to have an immediate and easy reading of data. An easy although a bit simplistic way to get an indicator about the project overall riskiness/risk level is to sum the probability products with the impact for each risk divided by the number of risks. In the following example, where letters correspond to risks, we know that the maximum risk value is 49 (in case all the risks show a probability accounting for 7, with an impact amounting to 7 as well), the minimum is 1 (all the risk having probability and impact accounting for 1). In this case, we get a value of 15.7. Such outcome could be seen as being high but also low, it depends on the attention thresholds that weve predefined. 7 6 5 Impact 4 3 2 1 P 1 2 3 4 O G 5 N I M Q F 6 7 C L A H E D B

Probability Figure 6. Matrix showing project risks. Risks included in the matrix do not usually need the same type of focus. As a matter of fact, when they are high in number, managing them by using the same level of attention becomes more difficult. Consequently, resorting to some methods for grouping risks is needed. Sometimes we find approaches proposing a ranking based on multiplying probability by the impact. Such example is proposed in figure 7.
Ranking 1 2 3 4 .. Risk B D A H .. PXI 42 35 30 25 ..

Figure 7. Risk ranking example

12

At this point, either we opt for a pre-defined number of risks, or we can decide to focus on all the ones exceeding a given threshold. This way of proceeding is based on a precise assumption - namely, risk neutrality. In other words, it means that two risks are viewed as being the same, even when one is the result of high probability times low impact and, conversely, the other is the result of low probability times high impact. This being said, we are often faced with risk disinclination, which means that, even when the P X I product is the same, risks with a higher impact will be handled with greater attention even when their probability to break out is low. It has been said that risks cannot be managed in the same way; Consequently, they shall be sorted in homogeneous risk groups so as to be able to handle them accordingly. Multiple alternatives are available: figure 8 proposes sorting of risk into three groups, by starting from the disinclination/hostility to risks assumption. 7 6 Probability 5 4 3 2 1 P 1 2 3 4 Impact O G 5 N I M Q F 6 7 C L A H E D B

Risk to be analysed in quantitative terms and that shall be included in the risk response plan Risk to be analysed in qualitative terms and that shall be included in the risk response plan Risk to be monitored and for which reports shall be produced

Figure 8. Risk Grouping At this point, we can summarize the above illustrated data in a streamlined form that includes all the pieces of information that are useful for the phases to follow.
Risk Effect Cause Probability Impact Trigger Event Impacted Expiration Analysis Activities Date

13

5.2 Risk Quantitative Analysis The qualitative analysis focused on the assignment of probability and impact values/scores to individual risks, and on the acquisition of a piece of information summarizing the risk level of a project as a whole. A quantitative analysis can be used to further investigate the qualitative one, but it is, above all, a useful tool to understand how the project timing and cost references can change in different scenarios. As the issue is quite broad, this paragraph does not aim at reviewing in a comprehensive way all the methods that can be used to develop a quantitative analysis for risk management in a project, it rather offers useful hints in order to have a better understanding of logics and issues proposed by this further in-depth analysis. As already specified, quantitative methodologies are mainly applied to timing and cost analysis of projects, as these are aspects that perfectly fit a quantitative measurement and approach. This paragraph is dedicated to this specific focus, and its starting point is the project operational plan illustrated in the previous chapters.

5.2.1 Uncertainty, variability and risk In the first place, we shall try to define how quantitative analysis can be useful by identifying the right terminology. In the standard practice, terms like variability, uncertainty and risk are used as synonyms as, in the everyday language, they give the idea of non-peace of mind of the decision-maker or of the phenomenon under review. Conversely, the quantitative methodologies provide different meanings to such words. Variability is a system feature, it is intrinsic in the system itself and, in order to take variability measures, we have to act on the system. When we toss two coins, we do know that the possible outcome is fourfold: (H= heads, T= tails): HH, HT, TH, TT, and they all have the same probability to break out (25%). If we want to change such results, we need to act on the coins by modifying their structure. Uncertainty is a state of knowledge regarding those who have to make decisions (or, generally speaking, those who have to tackle a problem). If we want to influence uncertainty, we can try to improve our knowledge. In the previous example, uncertainty could be linked to our poor knowledge of the two coins (we do not know, for instance, if they are regular coins or if they are loaded, if they truly have two facets, or if their weight is evenly distributed). Uncertainty adds up to variability of the decision-maker anxiety level, but it is possible to decrease its impact without intervening on the physical state of the system for instance, by examining the coins, and deciding to have the decision-maker state as the only variability.

14

Lastly, risk, is an individual perception of a situation, by which a set of variabilities, uncertainty and decision consequences is meant. In the above illustrated example, accepting, or not , to bet 100.00 on the two heads result (HH) can produce the perception of a completely different outcome in two different players (and, as a consequence, the decision will be different), even though they are dealing with the same system (coins and sum to bet) and have the same knowledge (coins are regular). The difference in perception is determined by human nature. We can identify a sort of scale in the attitude of those who are faced with a variable and uncertain situation (that is to say, in everyday language, a risky situation); it ranges from strong disinclination to something up to high propensity to risk, passing through a condition or attitude of indifference. Nevertheless, also the magnitude of consequences and the incidental/situation are important more specifically, the same player could make two opposed decisions, if faced with the following problem: is it better to bet 100.00? or is it better to bet 10.00? (the magnitude of consequences). By the same token, he/she could decide for a different third option, if he/she had just found 200.00 in the street (incidental/fortuitous situation). In operative practices, the quantitative analysis supporting planning and project control mainly focuses on managing the first two illustrated elements namely, variability and uncertainty, which are defined as overall uncertainty 2. Conversely, in literature, quantitative approaches to such issues are much wider in range3. This being said, this paper will only focus on risk analysis methods, where risk shall only be meant as variability and uncertainty. There are some risk management issues namely, the ones linked to uncertainty on which measures can be taken, and separating them from other issues is advisable. Any attempt to foresee and plan, in whatever domain, is impacted by variability and uncertainty, by isolating the latter, we could be able to gain a better understanding on how to reduce it and, consequently, we could increase the overall degree of confidence in the system. The project manager thought that the test phase would last from 2 to 4 weeks, based on the relevant data collected on previous project. Nevertheless, he also knew that this was the first time they had to work in parallel with the client, and this could produce a slow down in their work; consequently, he thought that an estimation that was twice as much could have been more reasonable namely, from 2 to 8 weeks. This risk of time extension worried him, then he recalled he got into contact with another project manager who had already worked with that same client and decided to call him....

2 3

See Vose D., Risk Analysis - A Quantitative Guide, John Wiley & Sons, 2000.

As to the individual risk perception, there are many quantitative theories and mathematical approaches (utility functions, risk disinclination curves, determination of the equivalent certainty, etc.), which have not been included in the focus of this short paper.

15

The steps needed in order to quantify uncertainty and variability in a project are going to be briefly touched upon in the following section. They can be summarised as follows: input definition, in order to introduce variability and uncertainty: probability distributions; resorting to quantitative techniques to measure risk: decision-making trees, PERT (Program Evaluation & Review Technique), Monte Carlo method/simulation. output interpretation - namely, reading results (probability and scenarios) based on project risk analysis.

5.2.2 Input: Probability Distributions Making reference to probability is quite normal, when we talk about variability and uncertainty. Probability, meant as the measurement of the likelihood of a given scenario to occur, describes, in a methodologically correct way, the first part of the problem, which is then completed by matching the result of each individual scenario with the identified probability. An organized set of these two pieces of information (probability and results) is called probability distribution. In the previous example, the probability distribution for the I bet 100.00 on two heads (HH) variable is the following: Result Probability 100 25% -100 75%

If we add uncertainty (for instance, there is a 10% probability that one of the two coins is loaded and, as a consequence, has two TAILS facets) to variability which has properly been illustrated by distribution and, as already mentioned, is in-built in the system - this fact will change distribution by reducing our probabilities to be successful. The new distribution, which now aims at giving an outline of what we have defined as overall uncertainty, is as follows: Result Probability 100 22,5% -100 77,5%

In reality, we will very rarely be faced with phenomena that can be defined in a moderate way , as the above illustrated case namely, a limited number of possible results, to which probabilities are matched. Usually, we are faced with situations that can more easily be described as value ranges .
16

When we have to introduce variability and uncertainty in the duration of a project activity, we will feel more comfortable by indicating a variation range (this activity can have a duration between 10 and 20 days), rather than indicating fixed durations, to which specific probabilities are matched (this activity may have a 10-day duration with a 20% probability, or a 13-day duration with a 30% duration, or a 16-day duration with a 35% probability, or a 20-day duration with a 15% probability rate). The same holds true when estimating a cost4. This approach, which we call continuous, will generate probability distributions different from the previous ones (which we called discrete) by allowing us to take into consideration all the possible values within the range, something that will produce a more realistic description. Obviously, just resorting to the range could be of poor significance (minimum maximum), and this would make us miss some pieces of information, even though they could be extremely useful: What does happen within a range? Are there any values, or small ranges, to which the related probability to happen could be higher? Are such values, or ranges, closer to the minimum or maximum limit? and so on and so forth. In order to fix such situation, we can use continuous probability distributions with different features based on the available input. Obviously, each distribution shall be characterized by a different set and type of initial information (parameters). Among the very many probability distributions in literature, we hereby illustrate, as an example, the ones that are most commonly used in project risk analysis5.

Normal Distribution (o Gaussian) It is the most famous type of distribution, it is bell shaped, and it is used in the measurement of many phenomena as it is characterized by a central value (the mean value), which in the Normal Distribution is also median and most probable value, or mode and by a random disturbance (which can be quantified via a standard deviation, ). Sometimes, its symmetrical shape causes it to be unfit, when nonrecurring representation of varied types of situations are needed, while a possible technical problem (the density function that describes it is defined between - and +) is bypassed in practice by interrupting distribution at an acceptable probability value, which can even be higher than 99% (see figure 9).

Obviously, in many cases durations and costs can be linked. Nevertheless, in practice, the two types of analyses remain separated due to a need for less complexity as well as for a balanced allocation of competences.
5

For a more in-depth dissertation, we suggest to use as refernce one of the many publications on Statistics or Theory of Probabilities lik, for instance, Mood A.M., Graybill F.A., Boes D.C., Introduction to the Theory of Statistics, McGraw-Hill, 1987.

17

Normale(20;2)

Normale(35;3)

Normale(20;5)

10

15

20

25

30

35

40

45

Probability

Figure 9. Normal Distibution Beta modified Distribution (or Beta PERT) The Beta modified distribution owes its reputation to the crucial relevance it has within the PERT methodology (Program Evaluation & Review Technique), one of the stochastic network techniques used for time scheduling, which have been developed starting from the CPM methodology. The main characteristics for this type of distribution are its versatility (Beta distribution can have very different representations) and the intuitive way with which the three parameters defining it are expressed: minimum, most probable value (mode) and maximum. Such second peculiarity makes it extremely useful, as it allows for changing a scenario-based qualitative approach (pessimistic, base, optimistic) into a quantitative approach defined by a probability distribution that can be expressed by means of all the values included in the pessimism-to-optimism range, and where break-out probabilities increase, the closest they get to a base value (the most likely scenario) and, conversely, they decrease, the farthest they get from a base value, and the closest they get to one of the two extremes in a totally consistent way with respect to the qualitative hypothesis adopted.
18

BetaPERT(1;35;40) BetaPERT(5;10;35)

BetaPERT(0;20;45)

10

15

20

25

30

35

40

45

Figure 10. BetaPERT Distribution

Triangular Distribution The triangular distribution could be considered as the most popular and used type of distribution in the risk analysis models, as it is intuitively simple. Also this distribution is defined by three parameters (minimum, mode, maximum), which can easily find their parallel in the ways used to define scenarios. Compared to the BetaPERT distribution, it shows it is much more impacted by extreme values, especially if they are very distant from the mode value (base scenario), and this produces a higher degree of variability. Maybe this is also the reason why it is the mostly used in cases where scenario setting is poorly supported by historic data or it is completely based on subjective views.

Triangolare(5;10;35)

Triangolare(1;35;40) Triangolare(0;20;45)

10

15

20

25

30

35

40

45

Figure 11. Triangular Probability Distribution

19

Uniform Distribution This distribution, which is also called Rectangular Distribution due to the shape of the density function describing it, is the easiest and, consequently, the roughest way to use a continuous probability distribution for analysing risks. By means of this assumption, the same probability level is assigned to all the results/values within a minimum to maximum range. Uniform distribution could be seen as the last chance, each time there is the willingness to approach in a quantitative way variability and uncertainty in an assessment (for instance, duration or cost for a given activity), when only the extremes can be assessed (as said, minimum and maximum values) and without having the possibility or the willingness to add some further information (the most probable value, mean, etc.).
Uniforme(1;8)

Uniforme(5;20) Uniforme(15;40)

10

15

20

25

30

35

40

45

Figure 12. Uniform Distribution

Generic Continuous Distribution It is the most flexible way to assign a probability distribution, also allowing for the definition of many shades that could not be identified by using classic distribution methods. It is normally used when historic and research-based data are availble6.

The Project Manager tried to collect some data about trends in the duration of the Assembly activity in similar projects, he realized that the minimum time reference was 6 days, the maximum time reference was 18 days, but he also noticed that most of the reviewed projects reported an 11-day duration. He decided that variability had to be included and opted for adding a probability distribution that had also to take into consideration that information.

Another possibilty in this case is fitting, that is to say the possibility of matching to the observed empirical distribution a theoretical distribution (similar to the ones illustrated in this paragraph) reviewing similarities via statistical tests analizzando la somiglianza attraverso analisi statistiche (test).

20

In figure 13 specific information is proposed as an example for structuring a risk quantitative analysis for project scheduling.

Activity

Probability Distribution

Duration (weeks) min, optimistic = 3

Activity A

Triangular

mode, most probable = 5 max, pessimistic = 8 min, optimistic = 8

Activity B

BetaPERT

mode, most probable = 11 max, pessimistic = 20 mean, most probable = 12

Activity C

Normal

standard deviation = 2 (min, max 6 from mean value) min, optimistic = 7

Activity D

Triangular

mode, most probable = 9 max, pessimistic = 15

Figure 13. Example of input data (time scheduling)

5.2.3 Use of Quantitative Techniques for Measuring Risk Once we have completed the input framework, as the uncertain variables have been assigned an appropriate probability distribution, we need to tackle the problem of how to transfer such information to the output, that is to say on the analysis targets. The most common methodologies, the ones based on simulations, envisage the use of a model that, as to risk management in a project, is nothing more than the model included in the project operative plan: a solid network (which includes allocation of resources and costs) or, as an alternative, a network exclusively dedicated to time scheduling (which is obtained by means of Project Management application tools) and a budget model for reviewing costs (which is developed in an electronic sheet). Procedures used to build up a model are like the ones illustrated in the previous chapters, when we were talking about the project operative plan. The only difference is that some deterministic input (activity duration and costs) have been changed into random variables (namely, having assigned to them probability distributions). Such measures produced a more realistic model. At this point, we can observe the effects of overall uncertainty (variability and uncertainty) included in the model against the variables that are the target of the
21

model itself: project timing and costs. The technique that, thanks to the development of hardware and software tools and to its conceptual straightforwardness, is mostly used in this type of analysis is a stochastic simulation technique called Monte Carlo simulation technique/method. The Monte Carlo simulation method resorts to random sampling to create a set of possible scenarios and then it reviews, ex-post, the distribution of results. Via the random sampling, a possible value is selected from each probability distribution input; the data obtained by means of this procedure are used to make a calculation via the deterministic model at the base of the simulation (for instance, CPM for scheduling a project timing) of the values obtained for the variables under analysis, which are then saved/stored. By repeating this procedure for a significant number of times (sample size),7 an empirical distribution of results is obtained; it properly represents consequences on variability and uncertainty output given to input8.

5.2.4 Output: Measuring the Overall Uncertainty for Target Variables Now that we have completed the calculation part, we can tackle the third final part in our analysis: interpretation of results. As for each statistical sample, also the one obtained via the Monte Carlo simulation for the target variables can be described by summarizing indicators (statistic indexes) and by an overall reading of data distribution. The example proposed in Figure 14 shows summary-data identified for the Project Duration target variable (the time unit is expressed in weeks) after having carried out 10000 iterations (that is to say, after having built up a sample made up of 10000 scenarios). Obviously, the type of reviewing that we are about to propose can also be carried out for each target variable under analysis (namely, overall costs, duration of each individual activity, milestones, etc.)9.

The high number of software available for this type of analysis ( @Risk, Crystal Ball, Risk+, among many others), makes this part based on repetition of the algorithm quite easy in its execution, and allows to have a very high number of cases included in the sample so as to ensure reliability (from a statistic view point) of the resulting distributions (Law of Large Numbers or Empirical Law on Chance).
8

For further insights on the Monte Carlo simulation method, reviewed under an applicative profile, reference shall be made, among other authors, to J.Mun, Applied Risk Analysis, Wiley Finance, 2004 and D.Vose op. cit., while for insights on its origins, reference shall be made to the historian Metropolis N., Ulam S., The Monte Carlo method, in Journal of the American Statistical Association, 1949.
9

Even in this case, we suggest to refer to a more specific bibliography for gaining more in-depth knowledge (for instance, Vose D. op.cit., Mun J. op.cit.), as in this paper we prefer to provide an example of the logics used for interpreting results.

22

Indici statistici Iterazioni Media Mediana Moda Standard Deviation Varianza Coeff. of Variazione Min Max Range

10000 54,58 54,49 --3,23 10,45 0,06 43,47 68,70 25,23

Percentile 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Valore 43,47 50,51 51,83 52,83 53,66 54,49 55,31 56,21 57,28 58,73 68,70

Figure 14. Project Duration: example of summarising output The main information that we can deduct from the table is the following: On average, the project is going to last a bit less than 55 weeks (54,58); There are two possible extreme scenarios: one is pessimistic, the other is optimistic (max and min) accounting for 68.7 and 43.47 weeks respectively; within such range, variability is not extremely high (Standard Deviation amounting to 3,23 weeks); we actually have only a 10% probability (10% percentile) to go down below a 50.51 week duration and a 90% probability (90% percentile) of not exceeding 58.73 weeks.

We have quantified the overall uncertainty, which is a consequence of the input data (in this case, duration estimates for each individual project activity), and we have obtained a first set of numerical indications supporting our risk analysis. Even though we do not aim, in this specific paper, at drilling down this matter in quantitative terms, we can see that, apart from summarizing information that has just been reviewed, the simulation offers us the opportunity of analysing in detail all the results derived from the N iterations (10000, in the example), that is to say the complete sample. In Figure 15, we see the complete distribution of the scenarios resulting for the target variable, which are represented via probability distribution and cumulative distribution10.

10

The cumulative probability (frequency) distribution is, avoiding to resort to extremely rigorous definitions, an alternative representation, through which we want to highlight probability (frequency) with which a random variable results to be lower or equal to a given value. It is obtained by adding up each time (by cumulating) probabilities (frequencies) up to reaching the value of interest.

23

25,0%

20,0%

Probabilit

15,0%

10,0%

5,0%

0,0% 42 44 46 48 50 52 54 56 58 Durata (settimane) 60 62 64 66 68

100% 90% 80%

Probabilit cumulata

(60; 95,06%)

70% 60% 50% 40% 30% 20% 10% 0% 40 45 50 55 Durata (settimane) 60 65 70

(50; 7,24%)

Figure15. Project duration: probability distribution and cumulative distribution At this detail level, we can obtain further information like, for instance, the probability to remain within a certain target duration: in the example we only have a 7.24% probability for the project to last less than/or as much as 50 weeks, while we are quite confident that it will last 60 weeks, for which we have a less than 5% probability to exceed such reference (4.94%= 100% - 95.06%). As already mentioned, this analysis pertaining to project duration is an example, or better an aspect, of the quantitative risk analysis that can be carried out. As a matter of fact, by applying the proposed methodology, it is possible to structure a type of analysis impacting multiple project management aspects (timing, costs, but also use of resources, sequence of activities, milestone compliance, etc.). This further drilling down enriches the information needed not only for a comprehensive definition of the project plan, but also for an effective execution and control activity. The Project Manager looked at the result of the simulation he had launched and a chill ran down his spine: according to those calculations, the project showed more than 30% probability to exceed the cost target and, even worse, for quite remarkable sums. He was not used to run this type of risk, and he was quite worried about such information. He drew up a detailed report on the information produced by that simulation getting down to individual Work Package details in the WBS, and he immediately asked to have a meeting with the project team. They had to prepare some countermeasures (in the planning, execution and control phases) in order to reduce variability and uncertainty impacting the project up to that moment.
24

6 The Phase Dedicated to Planning a Risk Response From quantitative and qualitative analyses some useful pieces of information can be identified, in order to understand what risks will influence the project as well as how the project could be impacted by such potential events. In this phase, we want to identify measures to be taken in order to reduce the overall project risk so as to reduce, as a consequence, the likelihood for each potential risk to break out (and, by the same token, increasing probabilities and the positive influence of opportunities). Many are the options available to reach this goal. In any case, three response levels shall be devised. They are the following: actions to be taken in order to manage risks or impacts before they occur; actions to be taken when risks have occurred (contingency plan); actions to be taken when the contingency plan did not produced the desired effects (fallback plan).

The fallback plan is only envisaged in rare cases, when risks are so much impacting that thinking about any possible alternative is required. Usually, when reviewing the type of possible responses to risk, people immediately think about reducing their probability or impact. In reality, this is one of the many possible response. In fact, the following options are available: avoiding risk by not implementing the activity it could have an impact on; rationally accepting risk by understanding (using rationality) that any response can be more negative than actually experience damage; transferring risk - that is to say, assigning risk to external third parties (insurance companies or outsourcing); mitigating risk more specifically, reducing its probability or its impact, which might mean acting on risks or, even better, acting on causes.

The above listed actions can produce an impact on a project structure; consequently, the project plan might need to be modified. So far, we have talked about risk management making little reference to people involved in such procedure. The risk identification phase shall be the focus of a group of people namely, a team that includes a project manager, project team members and, where possible, stakeholders. In the analysis phase, group activities are still relevant and needed, but assigning probability dimensions and impact is based on rooted knowledge of each individual risk entity. In this case, analysis shall be started by one single person: the work of a group can only provide some additional contributions. Planning responses to risks is a phase similar to risk analysis: the expert for each risk
25

can offer his/her idea, the team can review and improve it. This being said, when acting on risks is needed, allocating responsibilities to individuals is advisable in order to have a better and more effective type of management. A Risk Owner is the person accountable for implementing actions decided for an individual risk. A Risk Owner must have the power needed for carrying out such task. By identifying a Risk Owner, the management of a project is streamlined as, once risks and actions have been defined by the team, the individual can act in order to implement such decisions. When such role is not assigned, frequent meeting are needed to fix contingent problems.

7 The Risk Monitoring and Control Phase

The monitoring phase aims at assessing whether actions on risks have produced the desired results, while the control phase focuses on implementing the changes needed for an appropriate project management. During such phase, positive i.e.: risks that get fixed without taking actions - as well as unexpected negative events i.e.: the surfacing of previously non-identified risks - can occur. In this case, some immediate corrective measures shall be taken. The control phase closes and starts a new risk management process; in fact, by assessing how good the actions taken up to that moment are, elements and information for deciding new actions to be taken can be identified.

8 Conclusions
Risk Management is a crucial activity to professionally manage projects. Projects, by nature, are exposed to risky events, and not taking such events into consideration means underestimating the true essence of projects themselves. Risk management can vary from basic activities that do not require some specific knowledge or skills to much more complex types of approach. The type of approach depends on values at stake.

26

Bibliography
Greenfield M.A., Risk as a Resource, Langley Research Center, 1998 Greenfield M.A., Risk Management Tools, Langley Research Center, 2000 Grey S., Pratical Risk Assesment for Project Management, John Wiley & Sons, 1995 Metropolis N., Ulam S., The Monte Carlo method, in Journal of the American Statistical Association, 1949 Mood A.M., Graybill F.A., Boes D.C., Introduction to the Theory of Statistics, McGraw-Hill, 1987 Mulcahy R., Risk Management, RMC Publications, 2003 Mun J., Applied Risk Analysis, Wiley Finance, 2004 Rosenberg L., Hammer T., Gallo A., Continuos Tisk Management at NASA, 1999 Vose D., Risk Analysis - A Quantitative Guide, John Wiley & Sons, 2000 PMI, A guide to project management body of knowledge. Project Management Institute PMBOK Guide, 2000

27