Mastering Risk and
Procurement in
Project Management
A Guide to Planning, Controlling, and
Resolving Unexpected Problems
Randal Wilson
Associate Publisher: Amy Neidlinger
Executive Editor: Jeanne Glasser Levine
Development Editor: Natasha Torres
Operations Specialist: Jodi Kemper
Cover Designer: Chuti Prasertsith
Managing Editor: Kristy Hart
Project Editors: Laura Hernandez, Elaine Wiley
Copy Editor: Language Logistics, LLC
Proofreader: Katie Matejka
Indexer: Erika Millen
Compositor: Nonie Ratcliff
Manufacturing Buyer: Dan Uhrig
© 2015 by Randal Wilson
Upper Saddle River, New Jersey 07458
For information about buying this title in bulk quantities, or for special sales
opportunities (which may include electronic versions; custom cover designs; and content
particular to your business, training goals, marketing focus, or branding interests), please
contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact governmentsales@pearsoned.com.
For questions about sales outside the U.S., please contact international@pearsoned.com.
Company and product names mentioned herein are the trademarks or registered
trademarks of their respective owners.
All rights reserved. No part of this book may be reproduced, in any form or by any
means, without permission in writing from the publisher.
Printed in the United States of America
First Printing September 2014
ISBN-10: 0-13-383790-4
ISBN-13: 9-78-013383790-2
Pearson Education LTD.
Pearson Education Australia PTY, Limited.
Pearson Education Singapore, Pte. Ltd.
Pearson Education Asia, Ltd.
Pearson Education Canada, Ltd.
Pearson Educación de Mexico, S.A. de C.V.
Pearson Education—Japan
Pearson Education Malaysia, Pte. Ltd.
Library of Congress Control Number: 2014943267
I would like to dedicate this book to my wife Dusty
and sons Nolan, Garrett, and Carlin
for their support and patience
through this project.
This page intentionally left blank
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Problems Are Inevitable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
What Is Risk? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Bad Risk Versus Good Risk . . . . . . . . . . . . . . . . . . . . . 3
Risk Versus Uncertainty . . . . . . . . . . . . . . . . . . . . . . . . 4
What Is Procurement? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Risks and Procurement Go Hand-in-Hand . . . . . . . . . . . . . . 6
Seeing Is Believing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Risk and Procurement—Planned?. . . . . . . . . . . . . . . . 8
Save the Project and Organization. . . . . . . . . . . . . . . . 8
Proactive Versus Reactive . . . . . . . . . . . . . . . . . . . . . . 9
Problem Management Versus Change
Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Is the Project Manager a Risk?. . . . . . . . . . . . . . . . . . . . . . . 11
Organizational Culture of Risk Planning . . . . . . . . . . . . . . . 12
Part I: Risk and Procurement Planning
Chapter 1
Risk Strategy and Planning . . . . . . . . . . . . . . . . . . . . . . . . 19
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Practical Application. . . . . . . . . . . . . . . . . . . . . . . . . .
1.2 Risk Strategy Versus Risk Planning . . . . . . . . . . . . . . . .
Strategic Risk Planning. . . . . . . . . . . . . . . . . . . . . . . .
Tactical Risk Planning . . . . . . . . . . . . . . . . . . . . . . . .
1.3 Develop Risk Management Plan (Process) . . . . . . . . . .
Risk Identification. . . . . . . . . . . . . . . . . . . . . . . . . . . .
Define Risk Tolerance . . . . . . . . . . . . . . . . . . . . . . . .
Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Contingency or Redesign Planning . . . . . . . . . . . . . .
Risk Monitoring Process. . . . . . . . . . . . . . . . . . . . . . .
Develop Risk Controls . . . . . . . . . . . . . . . . . . . . . . . .
Change Management Process . . . . . . . . . . . . . . . . . .
Closer for Risk Events . . . . . . . . . . . . . . . . . . . . . . . .
Communicate Risk Event Results . . . . . . . . . . . . . . .
Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
20
20
21
26
29
30
30
31
31
31
32
32
33
33
34
vi
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
1.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7 PMBOK Connections (5th Ed.) . . . . . . . . . . . . . . . . . . .
1.8 Case Study (Use for Chapters 1, 2, 3, and 4). . . . . . . . .
1.9 Case Study Questions and Exercise . . . . . . . . . . . . . . . .
Chapter 2
Identifying Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.2 Information Gathering . . . . . . . . . . . . . . . . . . . . . . . . . .
Who, What, and How . . . . . . . . . . . . . . . . . . . . . . . . .
Activity Information Checklist . . . . . . . . . . . . . . . . . .
2.3 Identifying the Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Resources to Help Identify Risks. . . . . . . . . . . . . . . .
Types of Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.4 Categorizing Risks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The Big Three (Triple Constraint). . . . . . . . . . . . . . .
Change Management . . . . . . . . . . . . . . . . . . . . . . . . .
2.5 Documenting Risk Information . . . . . . . . . . . . . . . . . . .
Risk Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Risk Management Plan. . . . . . . . . . . . . . . . . . . . . . . .
2.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.7 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.8 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.9 PMBOK Connections (5th Ed.) . . . . . . . . . . . . . . . . . . .
2.10 Case Study Questions (Use Case Study in
Chapter 1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter 3
34
35
35
36
36
37
39
40
41
45
46
47
52
60
61
65
66
66
67
67
69
69
69
70
Risk Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Qualitative Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . .
Simple and Fast . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Risk Assessment Matrix . . . . . . . . . . . . . . . . . . . . . . .
Diagramming Methods. . . . . . . . . . . . . . . . . . . . . . . .
Decision Tree Analysis (Non-numerical) . . . . . . . . .
3.2 Quantitative Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Gathering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Beta and Triangular Probability Distributions . . . . .
71
74
74
75
76
78
78
79
80
CONTENTS
Sensitivity Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . .
Monte Carlo Simulation . . . . . . . . . . . . . . . . . . . . . . .
Decision Tree Analysis (Numerical) . . . . . . . . . . . . .
3.3 Risk Prioritizing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
What Is Sensitive on the Project? . . . . . . . . . . . . . . .
Separate by Probability and Severity . . . . . . . . . . . . .
Category Weighting . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.5 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.6 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.7 PMBOK Connections (5th Ed.) . . . . . . . . . . . . . . . . . . .
3.8 Case Study Questions (Use Case Study in
Chapter 1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter 4
vii
83
84
84
87
87
88
89
89
90
91
91
91
Plan Procurement Strategy . . . . . . . . . . . . . . . . . . . . . . . . 93
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
4.2 Project Procurement Requirements . . . . . . . . . . . . . . . 94
Procurement Information Sources . . . . . . . . . . . . . . 94
Special Customer Requirements . . . . . . . . . . . . . . . . 98
Regulatory Requirements. . . . . . . . . . . . . . . . . . . . . . 99
4.3 Procurement Decision Processes. . . . . . . . . . . . . . . . . 100
Make or Buy Analysis . . . . . . . . . . . . . . . . . . . . . . . . 101
Purchase Strategies. . . . . . . . . . . . . . . . . . . . . . . . . . 107
4.4 Contract Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
What Is a Contract? . . . . . . . . . . . . . . . . . . . . . . . . . 112
Why Are Contracts Used? . . . . . . . . . . . . . . . . . . . . 114
Contract Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
4.5 Risk Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Buyer Versus Seller. . . . . . . . . . . . . . . . . . . . . . . . . . 119
Organizational Versus Project Level . . . . . . . . . . . . 120
Triple Constraint. . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
4.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
4.7 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.8 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
4.9 PMBOK Connecvtions (5th Ed.) . . . . . . . . . . . . . . . . . 124
4.10 Case Study Questions (Use the Case Study
in Chapter 1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
viii
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
Part II: Project Execution
Chapter 5
Risk Response Strategies. . . . . . . . . . . . . . . . . . . . . . . . . 127
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.2 Strategy in Risk Response . . . . . . . . . . . . . . . . . . . . . .
Reactive Response Mode . . . . . . . . . . . . . . . . . . . . .
Proactive Response Mode . . . . . . . . . . . . . . . . . . . .
Negative Risks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Benefits, Trade-Offs, and Pitfalls. . . . . . . . . . . . . . .
Positive Risks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.3 Contingency Response Strategy. . . . . . . . . . . . . . . . . .
Contractual Response Strategy . . . . . . . . . . . . . . . .
Organizational Process Response Planning . . . . . . .
5.4 Project Document Updates . . . . . . . . . . . . . . . . . . . . .
5.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.6 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.7 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.8 PMBOK Connections (5th Ed.) . . . . . . . . . . . . . . . . . .
5.9 Case Study (Use for Chapters 5 and 6) . . . . . . . . . . . .
5.10 Case Study Questions . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter 6
127
128
128
129
130
131
133
133
134
135
137
137
139
139
139
139
140
Procurement Execution Strategies . . . . . . . . . . . . . . . . . 141
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.2 Considerations Before Executing Procurements . . . .
6.3 Executing Purchases . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.4 Executing Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.5 Results of Executing Procurements . . . . . . . . . . . . . . .
6.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.7 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.8 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9 PMBOK Connections (5th Ed.) . . . . . . . . . . . . . . . . . .
6.10 Case Study Questions (Use Case Study in
Chapter 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
141
143
151
161
175
176
177
178
178
178
Part III: Integrated Monitoring and Control
Chapter 7
Risk Monitoring and Control . . . . . . . . . . . . . . . . . . . . . 181
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
7.2 Risk Monitoring Techniques . . . . . . . . . . . . . . . . . . . . 182
CONTENTS
7.3 Risk Control Techniques . . . . . . . . . . . . . . . . . . . . . . .
7.4 Manage Change Control . . . . . . . . . . . . . . . . . . . . . . .
7.5 Project Document Updates . . . . . . . . . . . . . . . . . . . . .
7.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.7 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.8 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.9 PMBOK Connections (5th Ed.) . . . . . . . . . . . . . . . . . .
7.10 Case Study (Use for Chapters 7 and 8) . . . . . . . . . . .
7.11 Case Study Questions . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter 8
ix
188
202
209
209
211
211
212
212
212
Procurement Monitoring and Control . . . . . . . . . . . . . . 213
8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.2 Procurement Monitoring Techniques . . . . . . . . . . . . .
8.3 Procurement Control Techniques . . . . . . . . . . . . . . . .
8.4 Integrated Procurement Change Control . . . . . . . . . .
8.5 Project Document Updates . . . . . . . . . . . . . . . . . . . . .
8.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.7 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.8 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.9 PMBOK Connections (5th Ed.) . . . . . . . . . . . . . . . . . .
8.10 Case Study Questions (Use Case Study
in Chapter 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
213
215
223
225
228
229
230
230
231
231
Part IV: Project Closer
Chapter 9
Close Risk Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9.2 Evaluate Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9.3 Close Risk Responses . . . . . . . . . . . . . . . . . . . . . . . . . .
9.4 Claims and Disputes . . . . . . . . . . . . . . . . . . . . . . . . . . .
9.5 Documentation and Communication . . . . . . . . . . . . .
9.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9.7 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9.8 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9.9 PMBOK Connections (5th Ed.) . . . . . . . . . . . . . . . . . .
9.10 Case Study (Use for Chapters 9 and 10) . . . . . . . . . .
9.11 Case Study Questions . . . . . . . . . . . . . . . . . . . . . . . . .
235
236
238
241
243
244
245
245
246
246
247
x
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
Chapter 10
Close Procurements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10.2 Evaluate Open Procurements . . . . . . . . . . . . . . . . . .
10.3 Close Procurements . . . . . . . . . . . . . . . . . . . . . . . . . .
10.4 Claims and Disputes . . . . . . . . . . . . . . . . . . . . . . . . . .
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10.6 Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10.7 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10.8 PMBOK Connections (5th Ed.) . . . . . . . . . . . . . . . . .
10.9 Case Study Questions (Use Case Study
from Chapter 9) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
249
250
252
257
259
260
261
262
262
262
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
About the Author
Randal Wilson, MBA, PMP, serves as Visiting Professor of Project Management, Keller Graduate School of Management, at the Elk
Grove, CA DeVry University campus. His teaching style is one of
addressing Project Management concepts using not only academic
course guidelines and text, but includes in-depth discussions in lectures using practical application from industry experience.
Mr. Wilson is currently Operations and Project Manager at Parker
Hose and Fittings. He is responsible for five locations across Northern
California and Nevada, as well as project management of redesigns/
renovation of existing facilities and construction of new facilities.
Mr. Wilson was formally in the telecommunications industry as
Senior New Product Introduction Engineer at REMEC, Inc., Senior
New Product Introduction Engineer with Spectrian Corp., and Associate Design Engineer with American Microwave Technology. He
also served as Senior Manufacturing Engineer at Hewlett Packard.
He is a certified Project Management Professional (PMP) of the
Project Management Institute. He acquired an MBA with a concentration in General Operations Management from Keller Graduate
School of Management of DeVry University in Fremont, California,
and a Bachelor of Science in Technical Management with a concentration in Project Management from DeVry University in Fremont.
This page intentionally left blank
Introduction
Manufacturing, distribution, sales, and service organizations have
one thing in common: the requirement of resources. An organization’s success, in many cases, is a direct function of how it obtains and
manages resources to carry out its strategic business objectives. The
organization’s first and most important task is to obtain management
personnel who are skilled and experienced in acquiring and managing
resources, which may include:
• Human resources
• Materials and supplies
• Equipment and facilities
• Transportation
• Finances
• Intellectual property
In the process of obtaining resources within all organizations,
either for daily operations or for special projects, there are two givens:
Resources must be obtained, and they have the potential to be problematic. The challenge, then, is how to obtain the correct resources at
the right time and for a cost equitable for the organization, as well as
how to manage any potential problems that may occur with a given
resource. Mastering Risk and Procurement in Project Management
has been designed not only to explain basic concepts in risk and procurement management, but also to offer tools and techniques that can
be used by a project manager, project staff, and supporting departments that would be associated with risk or procurement.
1
2
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
Problems Are Inevitable
As organizations utilize resources in daily operations and within
projects, it becomes quickly evident that a variety of problems and
issues can be associated with resources. Human resources are often
the primary resources used across organizations. Given the potential
of variability in skills, individualism, reliability, and work ethic, they
can bring to the table an array of challenges and problems. An interesting component of human resources is that although people are
often the source of a variety of problems, they also have the ability to
solve them, which is typically not the case for other types of resources.
Problems can also be associated with other resources, such as
materials and supplies. They can be incorrect, get damaged, or fail as
a result of poor quality. Equipment and facilities can develop problems that can render them less effective or inoperable altogether.
Some organizations can have financial challenges that make it difficult to fund projects, constraining project managers in their need to
obtain and schedule resources for work activities.
Regardless of what type of resource is used, problems are inevitable, and the project manager must develop a system to deal with problems throughout the project lifecycle. As problems are not designed
to happen on projects, they are typically characterized as having a
potential to occur, which we commonly refer to as risk.
The second component of projects that inevitably develops problems is associated with purchasing items required for project work
activities and acquiring subcontractors. The purchasing aspect of a
project can itself introduce several types of problems and is in many
cases connected to risk management. The area of purchasing and
acquiring items for the project is commonly referred to as conducting
procurement.
What Is Risk?
Risk is generally defined within project management as a potential influence producing a positive or negative outcome. We look at
the definition of risk within the context of a project as any influence
to a work activity that generates an outcome that was not expected.
INTRODUCTION
3
EXAMPLE
A work activity is being performed outdoors,
and poor weather is imminent.
Rain, in and of itself, is not necessarily bad; Earth requires rain,
and on some days it can actually be relaxing. Rain becomes a
problem if it impacts a work activity, such as damaging materials
and supplies, rendering equipment inoperable, or simply forcing
a shutdown, causing a schedule delay. The rain therefore has the
potential to create an influence that can alter the outcome of a
work activity, thus creating a problem. The rain is not designed as
a normally scheduled part of work activity, so we consider it to be
a potential “risk.”
Bad Risk Versus Good Risk
Events or circumstances that have a potential to influence work
activity can result in either a negative or a positive outcome. As we saw
in the example, relative to a specific work activity, rain can present a
bad risk. Another form of potential risk is the use of external human
resources that have been subcontracted to perform work activity.
These individuals not being a part of the organization can present
issues such as difficulty in team environments, ignorance of organizational processes and culture, or personality conflict with management
and staff they work with directly—all typically risks associated with
a negative outcome. However, over time the same external resource
might exhibit a much higher level of ability and knowledge, therefore
completing the assigned task much more quickly and allowing the
work activity to be ahead of schedule. So, although there is a potential
risk in using subcontractors, their influence can also create a positive
outcome.
Project managers should always have a conceptual understanding
of risk—that although risks can generate negative outcomes, there
are occasions where positive things come out of what was thought to
be a potential negative risk. The project manager would then seek to
exploit these positive outcomes to yield the maximum benefit for the
project.
4
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
Risk Versus Uncertainty
As the project manager plans work activities and evaluates all the
resources that are required, he begins to see where potential problems might insert themselves. This is where the project manager can
begin to identify risks and possibly plan responses. As we have seen,
some influences can be identified as “potential” problems and therefore can be planned for and worked around, but there are also issues
and influences that cannot be anticipated and were nowhere on the
radar. These are called uncertainties. Risks are influences that can be
identified as having a potential to create a problem, whereas uncertainties are problems that happen that could not have been identified
prior to the work activity.
EXAMPLE
An uncertainty might be in the case of an earthquake that could
potentially damage a construction project. Although rain, tornadoes, lightning, mudslides, and earthquakes are often called acts
of God and are the very definition of uncertainty, they can also be
considered risks because our current technology can predict the
potential of inclement weather, and thus they can be planned for
to some degree. Uncertainty would be an influence that cannot be
foreseen and that occurs without notice. In the case of a construction project, an uncertainty could be a massive earthquake that
happens without notice, resulting in a negative outcome.
What Is Procurement?
Most projects require resources that are obtained through purchasing or subcontracting; this is called conducting procurement.
Most organizations have individuals or entire departments dedicated
to the task of purchasing what the organization needs to run its daily
operations. When a project manager has outlined all of the work activities and resources required to complete each activity, she submits a
INTRODUCTION
5
list of all items that need to be purchased and/or contracted throughout the project lifecycle. Procurements can be classified into two general categories: items that need to be purchased and resources that
must be managed through a contract agreement.
• Purchases
Items that need to be obtained for project activities are simply
purchased through suppliers or vendors. This can be accomplished by the purchasing agent selecting items through a
catalog or website, contacting the supplier/vendor, placing the
order, establishing delivery requirements, and agreeing on payment terms and conditions. As soon as the item has been delivered and it is confirmed that it meets expectations, payment
can be made and the transaction closed.
• Contracts
Another form of obtaining resources is the use of a contract
agreement. In many cases, contracts are used to acquire external human resources needed for special tasks on work activities
or perhaps the lease of equipment or facilities that will be used
on work activities. As there is a certain amount of risk for both
the buyer and seller in acquiring these type of resources, outlining the conditions of the contract is important and must cover
the following:
• Scope of work to be performed
• Specific identification of a piece of equipment or facility
• Terms of its use or environment
• Duration that the buyer plans to have the resource
• Agreed upon price
• Special terms or conditions that would address risk for the
buyer or seller
An agreement signed by both parties forms a legal binding contract requiring both parties to fulfill their responsibilities identified in the document(s).
6
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
Risks and Procurement Go Hand-in-Hand
Risks associated with various aspects of the project might include
correctly interpreting the customer’s requirements for a deliverable,
selecting projects that are appropriate for the organization, and availability of resources within the organization to carry out project work
activities, but there are also risks associated in the process of conducting procurement. Most projects require items to be purchased and/
or some form of contract agreement that will have the potential of
introducing risk. This being the case, why are risks associated with
things that have to be purchased?
• Risk Is a Threshold Within Procurement—The fundamental philosophy regarding risk is the identification of a potential
problem that might or might not happen. When the purchasing
agent is tasked with obtaining an item from a supplier/vendor,
there are three primary components that determine the transaction’s success:
• Buyer’s Responsibility—To start the transaction, the purchasing agent must ensure he has all the information required
to correctly identify what needs to be purchased. He must
also identify a seller that can provide the item in the correct
form, fit, and function; at a reasonable price; and within time
constraints. If the purchasing agent has correctly identified
a seller that can fulfill these requirements, the transaction
can be initiated. The purchasing agent, project manager, or
other staff must confirm delivery of the item and that it has
met all identified requirements. The purchasing agent must
then ensure that full payment has been made, and the transaction can be closed.
• Seller’s Responsibility—In response to an inquiry by a
purchasing agent, the seller is responsible for ensuring
she understands all of the requirements of the item that is
intended to be purchased. The seller must inform the buyer
of any special options associated with a particular item that
the company offers as well as verify her ability to get it to
the buyer. The seller must be truthful that the offered item
meets all requirements communicated by the buyer and not
INTRODUCTION
7
mislead for purposes of making the sale. The seller must
also verify pricing is correct and be upfront about any extra
fees or costs applied—such as shipping and handling, and/
or tax—to give the buyer the full actual cost of the item. The
seller must also be diligent in ensuring the item is delivered
to the intended location by the date she committed to and
packaged in such a way that the item will not be damaged
during shipment.
• Delivery Responsibility—As the purchased item leaves the
seller’s location and is in transit to the buyer’s location, the
responsibility lies with the organization contracted to deliver
it. As the seller has a responsibility to correctly package an
item for delivery, it is the delivery company’s responsibility
to ensure the item is not damaged in transit, regardless if the
item’s destination is a third party, the buyer, or the seller.
As we have seen in these primary components of successfully
managing the transaction of procuring an item and having it successfully delivered and being correct in form, fit, and function, we can
see that risk is associated with every aspect of conducting procurement. We can look at procurement as having a level, or threshold,
of risk associated with it, and this is why risk and procurement go
hand-in-hand.
In the case where the purchasing agent is using a contract agreement to obtain an external resource, there will also be a buyer/seller
relationship, and in some cases a delivery component required. The
same buyer/seller responsibilities exist within a contract and can even
include the complication of special terms and conditions the can add
even more risk in using contracted resources.
We know procurement is part of every project to some degree,
and given the nature of things that have to be purchased or contracted,
procurement can introduce a large component of risk throughout the
project lifecycle. The project manager must be aware that the procurement process can generate potential problems and that he must
work closely with those involved in procurement to manage risks associated with it.
8
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
Seeing Is Believing
As the project manager begins to develop the project plan, which
includes breaking down the project deliverables into their smallest
components, understanding all resources that are required, estimating costs, and scheduling, she begins to see where potential problems
may occur that could have impact on the project. The most important tool a project manager could have in managing projects is seeing
problems ahead of time and being prepared with responses. When
the project manager can see areas of potential problems and can plan
for these problems, she becomes a believer that risk can be managed
if planned for correctly.
Risk and Procurement—Planned?
Most project managers will agree that certain responses that were
planned ahead of time saved or protected not only a project activity,
but also the schedule or perhaps even the project’s budget. Planning
for risks allows for the project manager and staff to have a response
ready in case a problem occurs. This can mean the difference between
having the time to design the best response possible versus having no
time and making knee-jerk reactions that will simply put a Band-Aid
on the problem and generally be a more expensive solution. Project
managers, in planning for risk with well-designed responses, can actually be one of the project’s biggest assets in protecting not only the
project but also the organization from problems that could be anywhere from minor to having a catastrophic impact.
Save the Project and Organization
A project manager has a responsibility to ensure the completion
of all work activities that produce the project deliverable, which in
turn meets the expectations of the project objective. He also has the
authority to plan and manage all of the work activities, as well as the
responsibility to plan for and manage risk throughout the project lifecycle. If the project manager is seen as the individual who ensures
the outcome of the project deliverable, he can also be seen as the
INTRODUCTION
9
individual who might ultimately save the project from its own problems through risk management.
In some cases the project manager has not only saved the project
budget, schedule, and quality of the deliverable, but has protected
the organization from legal action that might have been a possibility through certain contract agreements but was managed in a risk
response. Project managers and purchasing agents within the procurement department know that the use of contracts and how they
are negotiated can be used as a risk management tool—and can
accordingly mitigate or eliminate risks associated with a bigger picture
regarding the entire organization in regard to potential legal actions.
Proactive Versus Reactive
As we’ve stated, one of the most powerful tools the project manager can have is visibility of all potential risks and a best-case-scenario
risk response planned for each of them ahead of time. Unfortunately,
as projects are developed, project managers can find themselves very
busy, and identifying and planning risk responses will either be a
lesser priority or will not be completed at all. This is unfortunate, as
we can see in Figure I.1. Failing to plan for risks can ultimately have
an impact on the project deliverable, budget, and schedule.
Project Life Cycle - Impact of Risks Based on Response Planning
Conceptual
Planning
Execution
Closure
Identifying Risks
Planning Responses
Executing Responses
Closing Responses
Effects to Budget and Schedule
Degregation in Qualtiy to Deliverable
Knowledge
of Risks
Impact of Risks
without Planned
Responses
Impact of Risks
with Planned
Responses
Figure I.1
Impact to Project with and without Risk Planning
10
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
When project managers are trying to manage work activities,
issues arise on a regular basis that he must deal with. Some are minor,
simply just making the decision of one thing over another, while in
other cases a problem has actually occurred and needs a response and
corrective action. When the project manager has no time to think of
a best-case scenario response, “reacting” to a problem indicates the
problem has already occurred and the project manager is simply performing damage control.
Project managers discipline themselves to allocate time before a
project starts to identify potential problems, predict the probability of
occurrence, analyze potential impact to the project, and use resources
available to identify best case scenario responses. This is an example
of working in a “proactive” response mode. When project managers
are proactive in response planning, they have a roadmap of potential
problems and are almost waiting for them to occur. From this position, in some cases the project manager and project staff can actually
make alterations to a work activity prior to a potential risk to simply eliminate it. Being proactive in risk identification and response
planning gives the project manager confidence throughout the project lifecycle that they can not only see problems before they happen,
but they have an opportunity to eliminate them, or, at worst, have a
response for a best-case scenario outcome that is in the best interest
of the project in the organization.
Problem Management Versus Change Management
Although project managers do the best they can in identifying
potential “problems” that may occur throughout the project lifecycle,
the one uncertainty project managers cannot plan for are any changes
that will be required throughout the project lifecycle. As we have
seen, when the project manager operates in a proactive mode, it is
because she has developed a process that outlines steps to take in certain scenarios. As we have seen, developing a risk management plan
is a process the project manager can follow to consistently deal with
potential problems. Another process the project manager can use is to
address changes required throughout the project lifecycle.
INTRODUCTION
11
Some project managers view change as a problem—and therefore a risk—that should be mitigated or eliminated. A customer might
make a request to alter something on the project deliverable before
it is completed so it will meet newly discovered conditions. As much
as we would love to have the customer understand “all” specifications
required for their deliverable at the beginning of a project, in some
situations the customer may be working within a developing environment, and alterations to the deliverable might have to be made in
order for it to work correctly in what the customer is developing. In
this case, allowing for a project deliverable to be changed on the fly
would be seen as good customer service.
In other cases, items that are procured might have to be altered
slightly depending on availability or work required by an externally
subcontracted resource. These types of changes are also inevitable
but should be seen as opportunities to perfect what the project is trying to accomplish, rather than as an obstacle. Like any other aspect
of the project, the project manager should develop a change management process to ensure changes are conducted correctly and efficiently and are implemented with minimal impact to the project. A
detailed change management process is introduced later in this book.
Project managers can use this powerful tool to control how change is
managed on projects.
Is the Project Manager a Risk?
As we have seen throughout this introduction, there are several
aspects regarding the management of project risk and procurement
that the project manager either has direct responsibility for or will be
involved in to some degree. Because the project manager has several
responsibilities, such as the development of the project work breakdown structure, estimating a budget, and developing a project schedule, we can see that the project manager can pose a risk to the project
based on his own knowledge, experience, and skill set—yes, a project
manager himself can be a risk!
In some cases, the organization does not employ professional
project managers to oversee projects but simply chooses a functional
12
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
manager or someone else within the organization to oversee project
activities. In this condition, the manager selected to oversee a project
can cause several problems as a result of mismanagement. Even professional project managers hired within the organization to officially
develop and manage projects have a wide variety of experience and
skill sets, and they can introduce potential problems throughout the
project lifecycle.
As more organizations see how the benefits of properly managed
projects far outweighs the damage control resulting from projects
with budget overruns, delayed schedules, and incorrectly developed
project deliverables, they realize how important it is to select a project manager with the skills and experience to properly develop and
manage a project. And when an organization understands that successes and failures on a project are not only the result of the project
manager’s abilities and work ethic, but is a result of everyone’s efforts,
including the project staff and supporting departments, a culture of
effective risk management can be felt throughout the organization.
This culture of risk awareness, with everyone considering risk management a part of his or her job, can be one of the strongest assets the
project can have.
Organizational Culture of Risk Planning
Organizations in which projects are a large component of the
business strategy have an understanding of the potential impact risks
can have on not only projects, but throughout the organization—and
so they often have a strong risk awareness culture. Organizations
that are structured with functional departments that carry out dayto-day operations that do not necessarily function on a project basis
and are not intimately associated with the organization’s business on
the whole, can struggle with the concept of risk management in how
problems on a project can affect an organization.
Regardless of the organization structure, a project manager
assigned to oversee a project must ensure certain project processes
are developed and will be used throughout the project lifecycle. This
is important, as processes are used to outline what is required as well
INTRODUCTION
13
as to ensure consistency in the process. As the project manager is
addressing the area of risk and procurement on a project, she must
also ensure processes are in place to manage these items.
• Risk and Procurement as a Process—As an organization
matures with the use of projects, hopefully staff within the
organization is also seeing the benefit of processes used to
manage risk and procurement throughout a project lifecycle.
The benefit of developing a process is it provides a step-by-step
instruction to conduct items, which is important to effectively
manage what the process is developed for. This book includes
processes that can be used in managing all aspects of risk, as
well as procurement on most types of projects. Although these
can be simple processes, they can be used on complex projects
and in their simplicity can be easily understood by not only a
project manager but by other project staff that may be assisting with project tasks. It is important that the development of
a process remain simple, as the fundamental steps can be used
on either simple projects or complex projects, but those using
the process will not lose sight of the overall concept of what the
process is trying to accomplish.
• PMBOK Processes—The Project Management Institute
(PMI) has published a book called A Guide to the Project Management Body of Knowledge (PMBOK Guide) that is used
worldwide as a standard project managers can follow that will
assist in the understanding of processes used throughout all
aspects of managing projects. Several processes regarding risk
and procurement management called out in the PMBOK are
used in this text for general conceptual understanding of risk and
procurement management and, in many cases, are explained in
further detail and with the use of examples in regard to specific
applications.
• Documentation—As the project manager develops the overall project management plan, there are several individual plans
included that outline all of the process steps required for each
aspect of the overall project. Other documents used in the organization that will house information regarding project activities
14
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
may include documents within the Accounting department,
Procurement department, Project Management Office (PMO),
and Human Resources, as well as general documents such as
a Lessons Learned document included with the completion of
each project. With regard to risk management and procurement management, there are two primary documents used
in the project management plan that outline all specific steps
required for each of these two areas, which include:
• Risk Management Plan—Houses all of the information
regarding how risk is to be managed throughout the project lifecycle. This includes identification of risk, analysis of
risk, response plans, documentation of risk and responses,
and any staff identified to assist in managing risk throughout
the project lifecycle. The risk management plan also includes
all of the processes used and specific steps required to correctly and effectively carry out each aspect of managing risk.
The project manager is typically the owner and manager of
the risk management plan for each project and would be the
individual responsible for developing the plan and/or any
modifications or additions to the plan throughout the project
lifecycle.
• Procurement Management Plan—Houses all of the information regarding how procurement should be conducted
throughout the project lifecycle. This plan is typically developed as a joint effort between the project manager, the
Procurement department, and sometimes the Accounting department. It houses all of the processes required to
correctly and effectively carry out procurement throughout the project lifecycle. This can include conducting purchases, negotiating contracts, any specific pricing schedules
that might be required, as well as roles and responsibilities
required to negotiate contracts and effectively conduct procurement. This document can be developed by either the
project manager or the procurement manager, and both of
these individuals will need to have a clear understanding
of the development of processes within the procurement
management plan; roles and responsibilities of management
overseeing aspects of procurement; and the management of
INTRODUCTION
15
human resources that will be conducting procurement and
accounting functions. The important aspect here is that all
processes required are included in the procurement management plan, and that everyone involved in this plan is
on the same page as to the understanding of the processes
included.
• Lessons Learned—Another important document that is used
throughout project management is the Lessons Learned
document used to record not only problems relative to risk
management and/or procurement, but successes due to
processes that were designed and implemented, resulting
in a positive outcome. The Lessons Learned document is
typically regarded as an important document within project
management, as project managers use this document at the
beginning stages of developing a project to avoid problems
that have occurred on prior projects.
Project managers can use valuable information from prior
projects in the development of the risk management plan
in identifying potential problems and successful responses
of problems that occurred on prior projects. This can save
the project manager a great deal of time (and in some cases,
guesswork) as to what a successful response to a particular
risk might be. Project managers can also use the Lessons
Learned document to gain valuable information on prior
purchases or the use of subcontractors to avoid problems or
issues seen on past projects. This can, in some cases, save
the organization a great deal of money and time in selecting
a more appropriate response to a risk over a response that
might have made more sense if other details of the risk had
been unknown. Lessons Learned documents have proven
to be a valuable source of information for the project manager in developing the project management plan and should
always be a document every project manager develops and
uses throughout the project lifecycle to record information
that would be valuable for later use.
In many ways, the success of a project manager can be boiled
down to the simple fact of how much information he has and how
16
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
he uses that information to develop and manage a project. Project
managers are the first to admit that knowledge is power, and the more
they know about their projects at the beginning stages, the better they
can plan. The two key components in planning are to correctly identify what has to be accomplished in work activities to complete a project deliverable, and how to effectively address and manage problems
that occur throughout the project lifecycle that could impact budget
and schedule.
Project managers are generally tasked with the development of
a project management plan, and how the project manager develops
this plan largely dictates its success. It is incumbent on the project
manager to view the project in a best-case scenario where simply
planning all of the activities and resources required to accomplish an
objective should be sufficient, but planning for problems is equally
as important, given their potential to destroy or delay a project. All
too often the project manager gets wrapped up at the beginning of
the project in ensuring that all of the normal activities, resources, and
purchases are in place but does not leave time to identify and plan
responses for potential problems. If the project manager has allocated
time to design a project that will be conducted correctly, ensuring a
project deliverable is completed on budget and on schedule, it is also
the project manager’s responsibility to plan for risks and responses
that will also ensure the project deliverable is completed on schedule
and on budget. The project manager, in planning risk responses and
procurement in advance of the project, is actually being proactive in
protecting the project from its own resources and activities.
Part I
Risk and Procurement Planning
Chapter 1 Risk Strategy and Planning . . . . . . . . . . . . . . . . . . . 19
Chapter 2 Identifying Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Chapter 3 Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Chapter 4
Plan Procurement Strategy . . . . . . . . . . . . . . . . . . . 93
Project managers spend a great deal of time at the beginning of
a project planning various components of a project. This can include
the assessment of risk and everything that will need to be purchased,
which is called procurement. As the project manager prepares to evaluate risk throughout the project lifecycle, she must plan the details of
all the activities to be carried out. This allows her to correctly evaluate
and effectively plan for risks on her project, creating what is called
the risk management plan. One of the most powerful tools a project
manager can have is a plan for problems that could potentially cause
a negative effect on work activity.
If the project manager is aware of potential problems at the
beginning of a project, he can analyze the probability of the problem
occurring and its potential impact on a project deliverable, budget, or
schedule, and then he can develop a response intended to reduce or
eliminate the risk. If the project manager has a list of potential risks
for each work activity and a response for each risk prepared, he can
anticipate problems before they happen and reduce or eliminate the
impact the risk could have on the work activity. This is like giving the
project manager a crystal ball and having the answers to problems
before they happen.
18
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
The key elements in developing a risk management plan are identifying risks, analyzing risks for their probability of occurrence and
potential impact to the project, and planning a response that would
be most effective in reducing or eliminating the risk. Developing this
plan puts the project manager in a proactive response mode to effectively manage the development of the project deliverable and keep
the project on budget and on schedule.
Another important component required on projects is the acquisition of all human resources, materials and supplies, equipment and
facilities, and funding necessary to carry out work activities required
to accomplish a project objective; this is called procurement. As you
will discover throughout this book, there are multiple ways to purchase items and negotiate contracts that can actually be used as a
strategy by both the project manager and purchasing agents. As relationships are developed with suppliers, vendors, and subcontractors,
there also is risk in conducting transactions. Developing a strategy for
procurement can help in reducing risk.
Although project managers typically have the bigger picture in
mind and can see where items will need to be purchased throughout
the project lifecycle, they can also work with the procurement department to make volume purchases or deals at strategic times throughout
the project lifecycle in order to, for example, take advantage of special
pricing or delivery conditions that can save either time or money. Procurement presents opportunities for both the project manager and
purchasing agents to use strategy to ensure items purchased are correct, are purchased at or below budget, and are delivered on or before
they are scheduled.
Project managers should allocate time at the beginning of a project to develop the risk management plan, and time should also be
invested in developing a procurement management plan. With regard
to planning risk, quality time spent at the beginning of the project is a
valuable investment—problems are inevitable throughout the project
lifecycle, and being prepared for problems puts the project manager
a step ahead in proactively managing the project.
1
Risk Strategy and Planning
1.1 Introduction
All projects, large or small, simple or complex, have the potential for project activities to face changes due to the reality of risk
events and their influence. There are two types of events—risks and
uncertainties. The project manager must develop a plan to address
these types of issues. The first step in addressing risk on projects is
to understand that risk events will likely happen to some degree on
every project, and a plan for dealing with risk should be developed.
The best way the project manager can accomplish this is to change the
mindset from worrying about problems that might occur to designing a risk management plan as a process that’s carried out on every
project.
As with many things that need to happen in the development
of a project, such as developing plans for managing schedules, cost,
human resources, scope, and stakeholders, a plan for risk should be
developed along with all of these. One of the best things a project
manager can do to improve his effectiveness is to develop processes
for all of the things that must be managed and use these processes as
tools on every project, like a project management template. The more
these tools (processes) are used, they can be improved and made more
effective, allowing the project manager to have more control over how
the project is designed and carried out.
When the project manager includes risk management as a process in the development of a project, she changes her way of evaluating risk from that of designing reactive responses to developing a
19
20
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
proactive mitigation or elimination plan. The primary difference with
this line of thought is to expect risk events to happen and therefore
design the project to best mitigate or eliminate risks in the planning
stages of the project development.
Practical Application
The concept of proactive planning was developed in the manufacturing environment. During the design review process, manufacturing engineers develop processes for manufacturing a prototype
product. Design engineers typically design products for best performance, whereas manufacturing engineers look at the product in
terms of potential problems that might occur in the manufacturing
of the product or in longevity as a result of design flaws in the functional assembly of the prototype that may result in failures. This created the concept of Design for Manufacturing (DFM). When project
managers evaluate the design (development) of a project and look
at each activity from a functionality standpoint as a process step, in
many cases design flaws can be found, and opportunities to improve
an activity can mitigate or even eliminate risk events before the activity starts.
This type of thinking requires the project manager to look at the
project through different eyes and think outside the box of how things
can go wrong on a project. Proactive risk planning requires understanding the processes within the project well enough to understand
how they can go wrong in order to evaluate how they can be modified
to mitigate or eliminate risk events. This chapter explores the concept
of planning a risk strategy or process, as well as tools and techniques
the project manager can employ to not only plan for risk, but also to
actually design projects to eliminate risk.
1.2 Risk Strategy Versus Risk Planning
Projects, given their structure of organized activities, have a propensity to attract problems and to change; therefore, project managers need to have a way to address how they will deal with problems
on a project. This can sometimes be a confusing phase of project
CHAPTER 1 • RISK STRATEGY AND PLANNING
21
development, as the project manager has to decipher what can be several levels of information that can be used in developing an approach
to addressing potential risks. To help avoid confusion, we must first
separate and define two major levels of how the project manager
approaches problems within a given organizational structure for a
specific project—Risk Strategy and Risk Planning.
In the role of project manager, an individual is in a position to be
involved with management level decisions and organizational strategy in addition to working closely with those involved in project work
activities. Depending on how the organization is structured, this can
put the project manager in a confusing dilemma of what true responsibilities they have within the organization and the importance of
understanding what managerial level the position actually holds. In
most organizations, higher levels of management focus more on organizational strategy—a global approach to address processes throughout the organization. Lower levels of management deal more in the
tactical areas of day-to-day activities and the responsibility of dealing with issues specific to those activities. The project manager must
understand what level he is operating at to avoid confusion in understanding his responsibility and whether he is in strategic planning or
in a more tactical level of planning for a specific project.
The primary difference between risk and strategic planning is that
risk planning has a smaller scope and is used more as a tactical tool for
addressing specific types of risks relative to specific project activities.
Risk strategy has a larger scope and addresses how the organization
is structured and the philosophy of how the organization is designed
to address problems and change. Most organizations have some form
of strategic plan for risk and change management, and it may be a
structured, well thought-out plan or just simply common knowledge
passed down through the years. Following are some of the common
general areas that might be included at each level. Later in this chapter we cover developing a risk management plan at the tactical level
in more detail.
Strategic Risk Planning
Organizations, whether they have projects or not, have to address
the reality of risk events happening that will have an impact on the
22
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
operation in some way, shape, or form. This can be risks seen within
the accounting department, engineering department, executive management decisions, as well as manufacturing, shipping and receiving,
and sales. Once organizations are established and have been in operation, they have to address risk events and ultimately must decide how
to deal with the outcomes. Most organizations do this with a reactive
approach, where they will not necessarily have planned for risk events
specifically but simply respond to them as they occur.
Senior and executive management ultimately make decisions as
to the success of various responses to risk within the organization to
assess their position for future risk events. This could be in the form
of establishing who in executive level is responsible for managing
the response to risk events, what level of risk tolerance the organization is willing to accept, and how risk management is designed and
controlled on projects conducted within the organization. This is an
important step for executive management, as this does not state how
to specifically address a particular risk event, but more the philosophy
and how the organization deals with risk events in general. Following
are examples of some of the general areas that can be addressed by
the organization on more of a strategic level.
• Organizational structure—Relative to project management and depending on the size and type of business they are
engaged in, organizations align their operation in one of three
types of structures:
• Functional—This structure is used to manage projects within
functional departments of the organization. Functional managers have authority over resources within the department
to be used on departmental activities and special projects.
In most cases, functional managers might also assume the
role of project manager within their departments. If a project manager is assigned to a special project within a department, he may have little or no authority and is used more as
an expediter. In most cases, projects conducted within functional or departmental structures use a “respond as needed”
or “reactive” approach to managing risk events because the
functional manager does not have time to outline risk planning for projects conducted within his department.
CHAPTER 1 • RISK STRATEGY AND PLANNING
23
This is unfortunate, as risk events, depending on their severity and impact to a project or department, can have a variety
of results in financial loss, time lost by human resources, as
well as any impact to equipment or materials that were damaged or must be replaced. This is largely due to the strategic
plan of projects being used internally in the form of process development or improvements, or some other function
needed within a specific department, and does not require a
full scale formalized project management approach.
• Projectized—This structure is used in organizations that
have projects as their primary business model. This is seen
in large-scale manufacturing such as aircraft, large ground
transportation, and construction that builds buildings and
bridges. These organizations are accustomed to assigning
project managers or program managers to oversee these
large endeavors, and solid risk planning is commonplace.
The project manager commands a high level of authority and
responsibility within this structure. In most cases, human
resources report directly to the project manager, and he has
full control over the development of the project.
The culture of projectized organizations takes the potential
of risk events very seriously and “designs in risk mitigation
and elimination” as much as possible to project activities. In
some cases specialized risk managers are assigned to projects
with the responsibility of risk identification, analysis, and
preplanning prior to a project starting, which puts this type
of structure into a “proactive planning” mode for optimum
effectiveness. This type of organization also realizes maximized profits are a direct result of controlling supply chain,
work activity efficiency, and the reduction or elimination of
risk events.
• Matrix—This type of organization is a hybrid or blend of
both the functional and the projectized types of structures,
using the strengths of each to improve the use of projects
within the organization. This structure still utilizes functional departments but has major projects working independently and utilizing resources from departments for specific
24
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
activities on the project. The project manager has authority over the project itself and the scheduling of resources
required for project activities, but in most cases, human
resources still reports directly to their functional managers.
The project manager typically has the responsibility of developing the entire project plan, which includes a risk management plan but does not have the added responsibility of the
human resources piece. In most cases, the project manager
has the opportunity to perform risk assessment prior to the
start of the project, allowing her the benefits of managing
risk in a “proactive planning” mode.
• Risk tolerance—This is the fundamental philosophy of how to
view a potential risk with regard to the threshold of impact that
is deemed acceptable. Depending on the type of organizational
structure (functional, projectized, or matrix), project managers usually have a rough order of magnitude idea from senior
and executive management as to the general approach to taking
risks within an organization. This might be a philosophy passed
down through the ranks of management, or this might be from
lessons learned and a general agreed upon threshold of risk that
can be accepted on any given project. The term philosophy of
risk tolerance stems from one of three basic human responses
given the potential of risk:
• Averse—Generally classified as conservative and would have
a low tolerance for risk impact, this type of person does not
want to take risks, but plans risk responses accepting outcomes that are more certain and predictable. This person
also avoids taking risks for potential advantage or gain, preferring the status quo over potential loss.
• Neutral—Classified as neutral or nominal, this individual
has a moderate tolerance for risk impact. This person might
accept small levels of risk but will generally avoid larger risks
with greater impact.
• Seeker—With a more liberal approach, allowing for risks and
having a high tolerance for risk impact, this person does not
have a problem taking risks even with uncertain outcomes
and is more inclined to take a risk for a particular advantage
or gain.
CHAPTER 1 • RISK STRATEGY AND PLANNING
25
Because these types of responses are more a function of the
personality of a particular manager or executive, most organizations determine the level of risk tolerance to be used on
projects based on the types of projects and the impact of
certain risks. The strategic level of risk tolerance is usually
the overall approach of upper management or the owners of
an organization. The tactical tolerance is that of the project
manager, given the type of projects and potential risks.
• Mitigation or elimination—This is a higher, more strategiclevel approach to how the project manager plans responses to
risks on a project. Although some of this approach stems from
the risk tolerance type of the project manager, most of this
approach is dictated by the type of project. This can be a formal
approach dictated by an organization (such as a Project Management Office [PMO]) and encompasses the general philosophy of how the project manager should address planning risks
within a particular project and thus be a strategic risk plan.
Because a project is a unique endeavor to produce an output
deliverable and risk events are imminent, the project manager
can in general terms make a decision to simply design mitigation for risks identified throughout the project or identify as
many redesign opportunities that result in eliminating risks
completely. Risk mitigation is a higher tolerance approach of
acceptance and simply requires the identification of risk and a
plan or contingency for how to deal with the risk. Risk elimination requires the project manager not only to identify risk, but
to drive the identified risk elements back to redesigning project
activities to eliminate risk. Depending on the type of deliverable, this can be an effective plan to proactively eliminate as
many risks in the design of the product and not so much the
design of the risk management plan. This is a more conservative, low tolerance approach for the project manager to take to
attempt to eliminate as many risks as possible.
• Develop risk management plans for projects—Another
important component in the strategic plan is to ensure that all
projects conducted in the organization have a risk management
plan associated with them. If an organization has a culture of
risk management, then risk management plans will already
26
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
be a component of projects no matter what type of structure
the organization is operating with. Having a risk management
plan may be dependent on the type of organizational structure
given it may be difficult for functional managers to produce risk
management plans, as this is not a normal component of their
responsibility. Projectized and matrix organizations should have
risk management plans as part of the overall project management plan process, as risk management will typically be a part
of the culture of that structure. If the organization has a PMO,
risk management plans are usually a requirement of the project
manager; if the organization does not have a PMO, this needs
to be a requirement of upper- or executive-level management
for project managers.
Tactical Risk Planning
Tactical risk planning is more at the project level and specific to
work activities on a particular project. The project manager usually
has the responsibility of developing the tactical plan for managing
risks. At this level of risk planning, the project manager will take into
consideration things like the type of project, identification of specific
risks, triggers that may indicate an imminent risk, analysis of specific
risks, and response planning. It is appropriate for the project manager
to develop the tactical risk plan because he has knowledge of specific
work activities and can derive accurate data that will not only help
identify potential risks, but how to plan for a specific risk. The elements of risk planning are common on most projects and are general
areas of risk planning at the tactical level.
• Risk for different types of projects—Two of the biggest
concerns in managing risk for any project is the severity of the
risk and the potential impact to the project and/or organization. Some of the factors that influence the severity and impact
risk can have are the general type of project as well as its size
and complexity. From a strategic standpoint, organizations
structured for projects might be in a better position to identify
and manage risk on projects as a normal part of their business
over those that are not structured for projects or do not carry
CHAPTER 1 • RISK STRATEGY AND PLANNING
27
out projects as a normal part of their business. From a tactical
standpoint, the type of project can play a role in projects having
the probability of a greater number of risks versus an inherently
smaller number of risks.
Some projects may be characterized as having a larger number
of less severe risks that are easier to manage versus other projects that may have fewer risks with greater severity and potential impact to the project. The size, duration, and complexity
of the project can also play an important role in the types of
risks and the severity and impact they can have. Large-scale
projects might have different risks than small-scale projects,
longer duration projects have risks that shorter projects do not
have, and simple projects are not subject to some of the risks
complex projects can potentially have. All of these factors can
influence what information the project manager needs to look
for in understanding potential risks and how to plan for risks on
a given project.
• Risk identification—Another area of planning at the tactical
level is the identification of risks. As the project manager gathers specific information on each work activity, this information
should yield initial indicators of possible risks. The project manager should also seek advice from subject matter experts as well
as previous projects to understand what risks may have a potential of occurring for each specific activity. The project manager
then needs to categorize risks and use tools to organize information for each risk event such as a probability of occurrence,
impact, and severity as well as contingency planning and assigning owners responsible for the risk event. This again is the job
of the project manager to understand this level of detail using
tools and techniques that are covered later in this book to help
the project manager identify risks, given all the information
available for a work activity.
• Risk trigger planning—After the project manager has identified risks for a given work activity, he also needs to analyze the
information for signs or triggers that he can key in on that will
indicate a risk event is eminent. Triggers are an important planning tool, as the project manager can in many cases mitigate
28
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
and usually eliminate a risk event before it happens. Trigger
planning is typically underestimated or not even used at all in
most risk management planning, but it can be one of the most
powerful tools a project manager can have in a risk management plan.
• Risk response planning—The next area the project manager
must address is how to respond to each potential risk event. The
risk tolerance of the organization and project manager has an
influence on how risk response planning is carried out. Depending on whether the risk tolerance is conservative or more liberal
(and allowing risk events) determines the approach the project
manager will take on any given response and can be classified
into four types of responses:
• Avoidance—Identifies the root cause of a risk event and
eliminates or alters the conditions of the activity to create
a new scenario without the potential risk. This is simply
eliminating the risk before it happens and should be the first
choice in response to a risk.
• Mitigation—Similar to avoidance in altering the conditions
of a work activity such that although it may not be able to
completely eliminate the potential risk, it can reduce the
impact or probability of its occurrence.
• Transference—Requires the reassignment of responsibility
such that the impact of the risk is absorbed by an alternate
party. In many cases, a strategic use of a contract can transfer
risk and liability to another party.
• Acceptance—The last course of action the project manager
should use in planning a response for a potential risk event
is simply accepting the outcome of the risk. There may be
some conditions given a specific work activity where specifications will not allow any alteration of the conditions to
eliminate, mitigate, or transfer the impact of a risk event, and
the project must bear the full brunt of the impact from a risk
event. This response might be acceptable as a function of
risk tolerance, as the specific risk event may have a minimal
impact to the project.
CHAPTER 1 • RISK STRATEGY AND PLANNING
29
• Risk communication—Another important general area of
tactical planning is developing the process for how information
regarding risk events are to be communicated to project staff,
management, and others that will need this information. It’s the
responsibility of the project manager to develop an effective
and efficient communication system for managing risk events,
as in many cases there may be limited time to conduct planned
responses. Information will need to be documented in a form
that is clear, concise, and easily understood to conduct risk
responses correctly and efficiently. Much of the success of the
risk response plan falls on the effective communication of the
plan.
1.3 Develop Risk Management Plan (Process)
Project managers can improve their success in managing projects when they develop processes that are carried out on each project. Developing a process requires understanding what goal is to
be accomplished, the steps required to complete the goal, and any
specialized details that may be required in accomplishing a specific
goal. In project management, some of the more commonly used processes or goals would be resource management, schedule management, budget management, risk management, and procurement. The
project manager can look at the various aspects of what needs to be
managed on a project as goals and develop a process that can be used
as a template every time that goal is required.
The advantage of designing a process to manage something is it
can be used as a template and every time it is used can be improved
on, making the process progressively better. Another advantage to
developing a project management process is that it can be used to
standardize processes throughout an organization, which then can
lead to the creation of a Project Management Office (PMO). This
chapter focuses on developing a process to manage risk called the risk
management plan. This section outlines some of the more commonly
used elements of risk management that can be used as a template in
developing a risk management plan.
30
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
Risk Identification
One of the foremost areas in the risk management plan is developing a process to accurately identify potential risks within work
activities on a project. This is a vital step and should not be taken
lightly. This is covered in more detail in Chapter 2, “Identifying Risk.”
Although the project manager is responsible for developing a risk
management plan, she doesn’t always have to perform all the actions
required within the plan, and she can solicit help from others, such as
subject matter experts and those qualified to perform risk identification and analysis. The project manager should prepare a complete
and accurate assessment of risk, so it’s in the best interest of the project to seek out as many expert individuals as possible to assist in risk
identification and analysis.
It’s important that the project manager and others who assist in
information gathering for identifying risks know the primary goal is to
identify as many risks as possible, which includes the smallest impact
risk to the obvious larger, more severe risks. The second goal of risk
identification is categorizing risks to organize them based on probability of occurrence, severity, and impact to the project. The details
of how this is performed and tools and techniques to perform these
functions are covered in more detail in Chapter 2.
Define Risk Tolerance
After the project manager has compiled a list and categorized all
risks that will need to be evaluated on each work activity, the level
of risk tolerance helps determine what course of action the project
manager and/or the organization might take. It’s important the project manager understand the general level of risk tolerance of the
organization so responses can be developed that are consistent with
the organization’s threshold for risk management. Depending on the
size and complexity of a project, this can play an important factor in
the success of an organization’s managing opportunities in allowing
certain risks while protecting organizational interests in mitigating or
eliminating other risks. If the project manager is uncertain as to the
level of risk tolerance, he should seek out the advice of upper management for the recommended approach.
CHAPTER 1 • RISK STRATEGY AND PLANNING
31
Risk Analysis
After risks have been identified and categorized, the next major
component in developing a risk management plan is to analyze each
risk to determine the probability of occurrence and the level of severity or impact the risk could have on the project. The analysis of risks is
another very important element in the overall risk plan, and because
there is a great deal of information regarding analysis tools and techniques, this is covered in great depth in Chapter 3, “Risk Analysis.”
Contingency or Redesign Planning
When risks have been identified and analyzed, a response plan
needs to be developed for each potential risk event. There are two
general ways to approach risk: developing contingency plans, which
include responses such as mitigation, transference, and acceptance;
and the redesign approach, which is the avoidance response in eliminating a potential risk. Depending on the type, size, and complexity
of a project and the type of potential risk, there is usually a combination of these response plans. This is where the project manager has
the opportunity to design risk responses or redesign the conditions of
a work activity before the project begins. This section is another very
important component of risk planning and is covered in Chapter 5,
“Risk Response Strategies.”
Risk Monitoring Process
Another step in developing processes within the risk management
plan is designing a monitoring system to capture real-time information on project work activities that might indicate a risk event is imminent or, unfortunately, has already begun. The general idea in risk
monitoring is to have tools in place that give the project manager realtime data that can be analyzed to ensure work activities are being
performed correctly and to assess any initial signs of problems or risk
events beginning to happen. Because the project manager will have
real-time information to analyze, it is advantageous to determine if
certain initial signs could be identified that would indicate a risk event
is imminent, called triggers. Triggers should be identified for as many
32
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
risk events as possible, and in the monitoring process, the project
manager would then be looking for these initial signs or triggers as a
first indicator a risk is imminent, and they would be in position to initiate a risk response as a proactive tool rather than the normal reactive
response. This section is covered in further detail in Chapter 7, “Risk
Monitoring and Control.”
Develop Risk Controls
When processes are developed in the organization, process engineers usually design in some form of controls to ensure the process
is carried out correctly. The project manager in developing the risk
management process needs to design controls that affect how risk
responses in the risk management plan are to be carried out. One
example of a risk management control is the development of the risk
register, covered in more detail in Chapter 2. The risk register is a
document that organizes all the risks by category and includes information critical to each risk event, such as the probability of occurrence, impact, response, and ownership of the risk. This can be
communicated to project staff and used to control how risks are to
be managed. Another important tool is a change management plan,
which can also serve as a risk management tool in controlling how
changes are carried out on the project.
Change Management Process
An underestimated area of risk planning within the overall project management plan is addressing change management. Much like
planning for risks, changes are inevitable, and when managed correctly have little impact to the overall project, as the change is a formal agreement in the conditions of the project schedule, cost, and the
output deliverable. The problem with change is there are certain risks
associated with change, and it’s vital the project manager understand
the importance of following a structured change management plan
to avoid costly errors and creating risk events. Change management
should be a well-defined process that is healthy. If managed correctly
and controlled, this allows the project manager to accommodate customer requests and/or project needs for change.
CHAPTER 1 • RISK STRATEGY AND PLANNING
33
Closer for Risk Events
Another important area of a risk management plan is to ensure
actions carried out with regards to a risk event have been completed
correctly and the risk event has closure. No matter what type of risk
event has occurred, it is important that all response actions have been
carried out, the risk event has run its course, whatever impact to the
work activity has been realized, and no further action is required.
Even the smallest risk events, if left incomplete, can continue to
impact a project work activity and, in some cases, cause more damage
than was originally assessed. Unfortunately, closure for risk events is
an underestimated component within the risk management plan and
can be the reason why some work activities are not as successful as
originally planned.
Communicate Risk Event Results
Project managers must understand the importance of effective
and efficient communication within all aspects of the project, and this
is especially important in communicating the results of risk events.
There are two levels of risk event communication:
• Real-time risk information—Communicating results of initial impact to project activities as risk events are unfolding.
• Post risk results—Communicating the overall outcome of a
risk event after it has closed.
Communication protocols for risk event status can also be
included in the risk register as to who is to get communication and
under what circumstances and in which format the information need
to be sent. In some cases, communication is vital during a risk event
when individuals identified to assist in the response need information
quickly and efficiently to effectively respond to a risk event. In other
cases, at the closure of a risk event, the overall impact that was realized needs to be evaluated and communicated to other project staff
and/or management. The project manager needs to take communicating risk information seriously, as the reality of how a risk event
impacts the project can ultimately affect other areas of the project
and the organization.
34
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
Lessons Learned
As part of the closure for each risk event, the project manager
should try to accurately and completely record all information of each
risk event to capture critical data that would be valuable in addressing risk events in the future. Having this information available is how
a project manager can design risk responses at the beginning of the
project, because she can see how effective responses were carried
out with similar risks on other projects. This also serves as a permanent record that shows how the risk was identified, analyzed, and how
successful that response was in addressing the actual risk event. This
information can also be used if an organization has to deal with legal
ramifications of the impact of a risk event, and this information can
clarify what actions were taken. Regardless of what the information
is used for, ultimately it is valuable for future projects where project
managers can reference this information to help in developing future
risk management plans.
1.4 Summary
Problems are an inevitable part of project activities, so project
managers need to have a plan as to how to address these problems
to reduce or eliminate any negative impact they might have on the
overall project. Project managers should think of aspects within project management, such as risk management, as processes and therefore not design a unique risk management plan for every project,
but simply utilize a risk management plan as a template that can be
implemented on every project. The process can also be refined and
improved every time it is used, thus making it a progressively more
powerful and effective tool.
One important element in developing a risk management plan
is that the project manager must understand the overall philosophy
the organization has, at a strategic level, for addressing problems. It’s
important the project manager understand his role at both a strategic
level as well as a tactical level in developing a risk management plan.
The following areas are some of the key points required at the tactical
CHAPTER 1 • RISK STRATEGY AND PLANNING
35
level in developing a risk management plan and are covered in more
detail throughout this book:
• Risk identification
• Risk analysis
• Categorizing risks
• Developing risk responses or contingency plans
• Develop risk monitoring
• Communicate risk results
• Manage closure of risk events
1.5 Review Questions
1. Discuss what is meant by risk strategy.
2. Explain what is meant by risk tolerance.
3. Discuss the difference between strategic and tactical risk planning.
4. Explain the difference between mitigation and elimination of
risk.
1.6 Key Terms
Risk strategy
Risk tolerance
Risk management plan
Change control process
Risk planning
Strategic risk planning
Risk mitigation, elimination
Tactical risk planning
Risk identification
Risk communication
36
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
1.7 PMBOK Connections (5th Ed.)
11.1 Plan Risk Management
1.8 Case Study (Use for Chapters 1, 2, 3, and 4)
RPO Construction has been hired to build a custom-made executive home in Vancouver, Washington. Two acres of property have
been purchased on the banks of the Vancouver Harbor by a retired
executive and his wife for the location of their new custom home. The
single-family residence will be an 8,500 square feet, two-story structure consisting of wood frame, cement slab foundation, and tile roof.
There will be a three-car garage attached, fully landscaped front yard
with circle-around driveway, patio, and deck off the rear of the house
overlooking the harbor. The deck will include an infinity pool and
oversized spa with outdoor kitchen appliances. A dock with a boathouse will be constructed at the water’s edge with the patio decking
connected by a wood staircase.
Concerns in the house construction consist of pouring the slab
foundation during the winter season, difficulty in location of the septic sewer system, and obtaining permits that allow for the creation of
a dock and boathouse. The owners of the house have sold their current home and will be closing escrow shortly, requiring them to stay
in a hotel temporarily. They have given the construction company the
completion date so they can minimize the cost of their hotel stay. The
construction company has told the homeowners it will take six months
to finish their home if there are no delays due to poor weather, resolving the location of the septic system, and possible delays in obtaining
permits. The homeowners have agreed to the schedule. If everything
goes as scheduled, the house will be finished on time for the homeowners to move in.
Details of cost are as follows: slab floor $32,000, total risk $9,000;
septic sewer system cost $18,800, total risk $5,100; dock and boathouse cost $82,000, total risk is $11,000. Contractor agreed to a late
completion penalty of $2,500 per day each day the project extends
beyond the completion due date.
CHAPTER 1 • RISK STRATEGY AND PLANNING
37
1.9 Case Study Questions and Exercise
1. Based on the case study, assess the risk tolerance of the homeowners.
2. Explain how the contractor might plan a risk strategy that would
address the potential risks identified in the case study.
This page intentionally left blank
2
Identifying Risk
2.1 Introduction
One of the most important components in developing a project
plan is the identification of potential problems or risks that could have
a negative impact on project work activities. Project managers are
usually busy developing the project schedule, working on the budget,
and trying to allocate appropriate resources, but in the pressure of
trying to accomplish those tasks, project risk is usually put as a lower
priority—or due to a lack of time, simply not performed at all. This is
unfortunate, as problems occur on all projects, and project managers
usually find themselves in reactive response mode, performing damage control—rather than being in control mode, having proactively
planned for problems and almost expecting them to occur.
The project manager has the capability to plan all of the things
that need to be accomplished in developing a project management
plan and can utilize other resources to help accomplish some of these
planning tasks such as risk management planning. Depending on the
size and complexity of a project, project managers can find themselves doing a larger portion of the initial planning work themselves
on smaller projects, while on larger projects they may have staff to
assist in information gathering and analysis. Project managers also
know they are going to be very busy in the development stages of a
project, and in many cases, if time is not allocated for even a minimal
amount of risk assessment, it is not completed at all.
When little or no risk assessment has been completed on a project, problems must be addressed after the fact, and solutions that
39
40
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
might have been available to eliminate or mitigate a problem are
no longer available once the project is under way, often resulting in
more costly responses and fixes. This is unfortunate for the project, as
damage control measures are usually more costly and have a greater
impact on the project schedule and potentially the quality of the project deliverable. Project managers and upper management who are
responsible for establishing some of the project timelines should realize the importance of designing at least a small portion of time for risk
identification, analysis, and response planning; it pays off in the long
run! Primary components in the identification of risk that are covered
in this chapter include
• Information gathering
• Risk identification
• Categorizing risks
• Documenting risk
In the risk identification process, a great deal of time is spent simply gathering information on work activities to understand if potential
risks are evident. This is an area where project managers might be
able to delegate some of the information gathering to other resources
if they are available. On small projects, the project manager might
be very busy performing several tasks, and information gathering for
risks would be valuable if another resource could perform that task
and the project manager could ascertain potential risks and do some
basic analysis on the risks that were identified. No matter how large
or complex a project is, the project manager must allocate some time
or resources in risk identification to be better prepared to control risk.
2.2 Information Gathering
The first step in the identification of risks is the process of gathering and reviewing information of project work activities. At this point,
the project manager is not necessarily identifying risks, per se, but
rather gathering all the information of a work activity so a complete
evaluation of what will be performed might yield areas where potential problems could be evident.
CHAPTER 2 • IDENTIFYING RISK
41
EXAMPLE
In the case where a project manager oversees the construction of a
single-family home, he might review the work breakdown structure
that takes the primary deliverable and breaks it down into its smallest components, yielding the most detailed information to review.
In this case, one of the first steps would be to review the site survey and ground preparation task where the project manager might
identify potential problems regarding the company performing the
survey, such as their reputation or having adequate experience
at identifying boundaries and ground elevation. Other elements
might be in relation to the excavation of the ground and problems
that might have to be addressed. One area would be the availability of excavation equipment and backup plans if a piece of equipment onsite were to develop a problem and need to be replaced.
Weather can also play a role in this initial stage, as well as the
availability of human resources qualified to operate the equipment.
This example shows how the project manager, in gathering and
reviewing information on the first activity, has already identified several areas where potential problems could arise. It’s important the
project manager understand that quality time spent reviewing work
activity information can yield a surprisingly greater number of potential risk events and probably more than if the project manager simply assumed the obvious risks without looking at the actual activity
information.
Who, What, and How
During the information gathering phase in risk planning, there
are three important components the project manager must consider:
Who will be gathering the information? What information should be
gathered? And what sources of information are available and reliable?
• Resources for gathering information—One of the most
underestimated but vital components of information gathering
for project work activities is who will be gathering the information. Depending on the type of organizational structure and the
42
MASTERING RISK AND PROCUREMENT IN PROJECT MANAGEMENT
size and type of a project, project managers will have to address
who will gather the information that will be vital in determining
if risks might be evident. In some cases, the project manager
performs this function alone due to the lack of resources or
the type of organizational structure where the project manager
assumes a great deal of responsibility and is tasked with much
of the initial work himself.
In other cases the project manager might have the ability to utilize other resources but must understand who these resources
are and if they are qualified to correctly gather work activity
information. The project manager might have the opportunity to train a resource on how to gather information, but that
resource must understand the level of detail that is required
to derive not only the large and more obvious risks, but the
medium and even small risks that can still have a potential
impact on the project. The person gathering information needs
to be looking at mid-level areas of information—not so much
the lowest level of detail, but critical areas that may need further evaluation, which might include the examples here:
• Were specifications interpreted correctly, maybe misinterpreted?
• Have critical resources been correctly identified (capabilities, skillsets, and so on)?
• Are there enough resources to complete the activity in the
estimated time duration?
• Will critical equipment and facilities be available when
needed?
• Does the organization have the technology to complete
the project objective?
• Can critical shipments be delayed and for what variety of
reasons?
• Are there any critical material requirements that could
be at risk?
• Is weather going to be a consideration?
CHAPTER 2 • IDENTIFYING RISK
43
• Information that needs to be collected—The next component of gathering information is to understand what type of
information is relevant and needs to be collected for review. The
best approach is to take a mid-level view of general components
of work activity. The reason being is this puts the emphasis on
categories of information that will be under a larger component
of work but also p...
Purchase answer to see full
attachment