The main goal of project risk management. Project risk management according to RMBOC. Analysis and assessment of project risks

12.04.2020

Risks arise from the uncertainties that exist in every project. Risks can be "known" - those that are identified, assessed, for which planning is possible. Risks “unknown” are those that are not identified and cannot be predicted. Although the specific risks and conditions for their occurrence are not defined, project managers know from past experience that most of the risks can be foreseen.

When implementing projects with a high degree of uncertainty in such elements as goals and technologies for achieving them, many companies pay attention to the development and application of corporate risk management methods. These methods take into account both the specifics of projects and corporate management methods.

The American Project Management Institute (PMI), which develops and publishes standards in the field of project management, has significantly revised the sections governing risk management procedures. The new version of the PMBOK (expected to be adopted in 2000) describes six risk management procedures. In this article, we offer a brief overview of risk management procedures (without commentary).

Management of risks- these are the processes associated with the identification, analysis of risks and decision-making, which include maximizing the positive and minimizing the negative consequences of the occurrence of risk events.

The project risk management process typically includes the following procedures:

- selection of approaches and planning of project risk management activities.
Risk identification- identification of risks that can affect the project, and documentation of their characteristics.
Qualitative risk assessment- qualitative analysis of risks and conditions of their occurrence in order to determine their impact on the success of the project.
Quantification- quantitative analysis of the probability of occurrence and the impact of the consequences of risks on the project.
- determination of procedures and methods to mitigate the negative consequences of risk events and use the possible benefits.
Risk monitoring and control- monitoring risks, identifying remaining risks, implementing the project's risk management plan, and evaluating the effectiveness of risk mitigation actions.

All these procedures interact with each other, as well as with other procedures. Each procedure is performed at least once in every project. Although the procedures presented here are considered as discrete elements with well-defined characteristics, in practice they may overlap and interact.

Risk management planning

Risk management planning- the decision-making process for the application and planning of risk management for a particular project. This process may include decisions on organization, staffing of project risk management procedures, selection of preferred methodology, data sources for risk identification, time frame for situation analysis. It is important to plan risk management adequate to both the level and type of risk and the importance of the project to the organization.

Risk identification

Risk identification determines which risks are likely to affect the project and documents the characteristics of those risks. Risk identification will not be effective if it is not carried out regularly throughout the life of the project.

Risk identification should involve as many participants as possible: project managers, customers, users, independent specialists.

Risk identification is an iterative process. Initially, risk identification may be performed by a part of the project managers or by a group of risk analysts. Further identification can be handled by a core group of project managers. To form an objective assessment, independent specialists may participate in the final stage of the process. Possible responses can be identified during the risk identification process.

Qualitative risk assessment

Qualitative risk assessment- the process of presenting a qualitative analysis of the identification of risks and the identification of risks requiring a rapid response. This risk assessment determines the importance of the risk and chooses how to respond. The availability of accompanying information makes it easier to prioritize different risk categories.

A qualitative risk assessment is an assessment of the conditions for the occurrence of risks and the determination of their impact on the project by standard methods and means. The use of these tools helps to partially avoid the uncertainty that often occurs in the project. During life cycle the project must be constantly reassessed risks.

Risk Quantification

Risk Quantification determines the probability of occurrence of risks and the impact of the consequences of risks on the project, which helps the project management team to make correct decisions and avoid uncertainties.

Quantitative risk assessment allows you to determine:

the probability of achieving the final goal of the project;
the extent to which the risk will affect the project and the amount of unforeseen costs and materials that may be needed;
risks requiring prompt response and greater attention, as well as the impact of their consequences on the project;
actual costs, estimated completion dates.

Quantitative risk assessment often accompanies qualitative assessment and also requires a risk identification process. Quantitative and quantitative risk assessment can be used separately or together, depending on the time and budget available, the need for quantitative or qualitative risk assessment.

Risk response planning

Risk response planning is the development of methods and technologies to reduce negative impact risks for the project.

Takes responsibility for the effectiveness of protecting the project from exposure to risks. Planning includes identifying and categorizing each risk. The effectiveness of the response design will directly determine whether the impact of the risk on the project will be positive or negative.

The response planning strategy should be appropriate to the types of risks, cost-effectiveness of resources and timescales. The issues discussed during the meetings should be adequate to the tasks at each stage of the project, and agreed with all members of the project management team. Typically, several options for risk response strategies are required.

Monitoring and control

Monitoring and control monitor risk identification, identify residual risks, ensure implementation of the risk plan, and evaluate its effectiveness against risk mitigation. Indicators of risks associated with the implementation of the conditions for the implementation of the plan are recorded. Monitoring and control accompanies the process of project implementation.

Project quality control provides information to help make decisions. effective solutions to prevent risks. Communication between all project managers is necessary to provide complete information about project implementation.

The purpose of monitoring and control is to find out whether:

The risk response system was implemented in accordance with the plan.
The response is effective enough or changes are needed.
The risks have changed compared to the previous value.
The onset of the impact of risks.
The necessary measures have been taken.
The impact of the risks turned out to be planned or was an accidental result.

Control may entail the selection of alternative strategies, the adoption of adjustments, the re-planning of the project to achieve the baseline. There should be constant interaction between project managers and the risk group, all changes and phenomena should be recorded. Project progress reports should be generated regularly.

As shown by the competition of business plans, held by the company "Corporate Finance" and the journal "Financial Director", the most common mistake of enterprises planning the implementation of investment projects is insufficient study of risks that may affect the profitability of projects 1 . Since such errors can lead to incorrect investment decisions and significant losses, it is very important to identify and evaluate all project risks in a timely manner.

As a rule, project risks are understood as the expected deterioration in the final indicators of the project's effectiveness, arising under the influence of uncertainty. In quantitative terms, risk is usually defined as a change in the numerical indicators of the project: net present value (NPV), internal norm return (IRR) and payback period (PB) 2 .

On the this moment There is no single classification of enterprise project risks. However, the following main risks inherent in almost all projects can be distinguished: marketing risk, the risk of non-compliance with the project schedule, the risk of exceeding the project budget, as well as general economic risks.

Next, we will consider the risks of the project using the example of a jewelry factory that decided to launch a new product on the market - gold chains 3 . Imported equipment is purchased for the production of the product. It will be installed in the premises of the enterprise, which is planned to be built. The price of the main raw material - gold - is determined in US dollars based on the results of trading on the London Metal Exchange. The planned sales volume is 15 kg per month. The products are supposed to be sold both through own stores (30%), some of which are located in large shopping centers, and through dealers (70%). Sales have a pronounced seasonality with a surge in December and a decrease in sales in April-May. The launch of the equipment should take place before the winter peak of sales. The project implementation period is five years. Managers consider net present value (NPV) as the main measure of project performance. Estimated planned NPV is $1,765 thousand.

Main types of project risks

Marketing risk

Marketing risk is the risk of not receiving profits as a result of a decrease in the volume of sales or the price of a product. This risk is one of the most significant for most investment projects. The reason for its occurrence may be the rejection of the new product by the market or an overly optimistic estimate of future sales. Errors in planning a marketing strategy arise mainly due to insufficient understanding of the needs of the market: incorrect product positioning, incorrect assessment of market competitiveness or incorrect pricing. Also, errors in the promotion policy, for example, the choice of the wrong way promotions, insufficient promotion budget, etc.

Yes, in our example 30% of the chains are planned to be sold independently, and 70% - through dealers. If the sales structure turns out to be different, for example, 20% - through stores and 80% - through dealers, for which more than low prices, then the company will not receive the originally planned profit and, as a result, the project performance will deteriorate. This situation can be avoided primarily through a comprehensive assessment of the market environment by the marketing department.

The rate of sales growth can also be influenced by external factors. For example, part own stores companies in case in question opens in new shopping centers, respectively, the volume of sales in them will depend on the degree of "promotion" of these centers. Therefore, to reduce the risk in the lease agreement, it is necessary to establish qualitative parameters. Thus, the rental rate may depend on the performance shopping center schedule for the launch of retail space, ensuring the transportation of buyers to the point of sale, timely construction of parking lots, launch entertainment centers etc.

Risks of non-compliance with the schedule and exceeding the project budget

The reasons for the occurrence of such risks can be objective (for example, a change in customs legislation at the time of customs clearance of equipment and, as a result, delay in cargo) and subjective (for example, insufficient study and inconsistency in the implementation of the project). The risk of non-compliance with the project schedule leads to an increase in the payback period, both directly and due to lost revenue. AT our case this risk will be great: if the company does not have time to start selling a new product before the end of the winter peak of sales, then it will suffer big losses.

Similarly, overall project performance is affected by the risk of over budget.

Determination of the real time and budget of the project

For a more accurate assessment of the project time and budget, there are special methods, in particular, the PERT analysis method ( Program Evaluation and Review Technique), developed in the 1960s by the US Navy and NASA to estimate the construction time of the Polaris ballistic missile. The methodology turned out to be effective and was subsequently used to assess not only the timing, but also the resources of the project. Currently, PERT analysis is one of the most popular and simple techniques.

The meaning of this method is that when preparing a project, three estimates of the implementation period (project cost) are given - optimistic, pessimistic and most probable. After that, the expected values are calculated using the following formula: Expected Time (Cost) = (Optimistic Time (Cost) + 4 x Most Likely Time (Cost) + Pessimistic Time (Cost)) : 6. Coefficients 4 and 6 are obtained empirically based on statistical data a large number projects. The result of the calculation is used later as the basis for obtaining the rest of the project indicators. However, it should be noted that the PERT analysis design is only effective if you can justify the values of all three estimates.

If the work is performed by external contractors, then as a way to minimize these risks, special conditions can be stipulated in the contract. So, in our example, when preparing a project, work is planned to build a room and install equipment, performed by an external counterparty. The duration of these works should be three months, the cost - 500 thousand US dollars. After completion of the work, the company plans to receive additional revenue from the production of chains in the amount of 120 thousand US dollars per month at a profitability of 25%. If the supplier causes the repair and installation time to increase by, say, one month, then the company will lose $30,000 (1 x 120 x 25%) in profit. To avoid this, the contract defines sanctions in the amount of 6% of the contract value for one month of delay due to the fault of the contractor, that is, 30 thousand US dollars (500 thousand x 6%). Thus, the size of the sanctions is equal to the possible loss.

When implementing a project only on its own, it is much more difficult to minimize risks, while the amount of losses may increase.

In our example if you install the equipment on your own, in case of a delay of one month, the loss of profit will also amount to 30 thousand US dollars. However, additional labor costs for employees during this month should be taken into account. Let in our example, such costs amount to 7 thousand US dollars. Thus, the total losses of the company will be equal to 37 thousand US dollars, and the payback period of the project will increase by 1.23 months (1 month + 7 thousand US dollars: (120 thousand US dollars x 25%)). Therefore, in this case, a more accurate estimate of the duration and cost of work is needed, as well as effective management project implementation process and its continuous monitoring.

General economic risks

General economic risks include risks associated with factors external to the enterprise, for example, risks of changes in exchange rates and interest rates, an increase or decrease in inflation. Such risks also include the risk of increased competition in the industry due to the overall development of the economy in the country and the risk of new players entering the market. It should be noted that this type of risk is possible both for individual projects and for the company as a whole.

In our example the most significant is the currency risk. When calculating a project, all cash flows are often given in a stable currency, such as US dollars. However, to better account for currency risk, cash flows should be calculated in the currency in which the payment is made. Otherwise, you can get an underestimation of the currency risk, since the fluctuation in exchange rates will not be taken into account. For example, if both inflows and investments are calculated in the same currency, and the dollar exchange rate rises, but the ruble price of the product does not change, then in fact we will receive less revenue in dollar terms. The use of different currencies for the calculation will take this factor into account, but one currency will not. This is especially true in our case, when all capital investments for the repair of the building and the purchase of equipment are made in foreign currency, and the proceeds from the sale of products - in rubles.

Project risk analysis

The procedure for assessing and analyzing project risks can be represented as a diagram (see Fig. 1).

Risk assessment is carried out during the project planning process and includes qualitative and quantitative analysis. If, based on the results of the assessment, the project is accepted for execution, then the enterprise faces the task of managing the identified risks. According to the results of the project implementation, statistics are accumulated, which allows in the future to more accurately identify risks and work with them. If the uncertainty of the project is too high, then it can be sent for revision, after which the risks are reassessed.

The procedure for managing project risks, as well as collecting and using statistical information in a particular situation, depends on the specifics of the company and the project being implemented and is not considered in this article.

Let us consider the qualitative and quantitative assessment of project risks in more detail.

Qualitative risk analysis

The result of a qualitative risk analysis is a description of the uncertainties inherent in the project, the reasons that cause them, and, as a result, the risks of the project. For the description, it is convenient to use specially designed logical maps - a list of questions that help identify existing risks. These maps can be developed both independently and with the help of consultants (see Fig. 2).

As a result, a list of risks to which the project is exposed will be formed. Further, they must be ranked according to the degree of importance and the magnitude of possible losses, and the main risks should be analyzed using quantitative methods for a more accurate assessment of each of them.

In our example analysts identified the following main risks: failure to achieve planned sales volumes due to both their lower physical volume (in physical terms) and lower prices, as well as a decrease in profit margins due to rising raw material prices.

Quantitative risk analysis

Quantitative risk analysis is necessary in order to assess how the most significant risk factors can affect the performance of an investment project. The analysis allows you to find out, for example, whether a small change in sales volume will lead to a significant loss of profit or whether the project will be profitable even if 40% of the planned sales volume is realized.

There are several main methods for conducting such an analysis: analysis of the influence of individual factors (sensitivity analysis), analysis of the influence of a complex of factors (scenario analysis) and simulation modeling (Monte Carlo method). Let's consider each of them in more detail, using the indicators of our example.

Sensitivity analysis. This is a standard method of quantitative analysis, which consists in changing the values of critical parameters ( in our case physical volume of sales, cost and sales price), substituting them into the financial model of the project and calculating project performance indicators for each such change. Sensitivity analysis can be implemented using both specialized software packages (Project Expert, Alt-Invest) and Excel. Calculations for analysis are most conveniently presented in the form of a table (see Table 1).

Such a calculation is carried out for all critical factors of the project. The degree of their impact on the final effectiveness of the project (in this case, on NPV) is more convenient to show on the graph (see Fig. 3).

Thus, the result of the project under consideration is most strongly influenced by the selling price, then the cost of production and, finally, the physical volume of sales.

Although the selling price has a large influence on NPV, the probability of its fluctuation can be very low, therefore, changes in this factor will pose little risk. To determine this probability, the so-called "probability tree" is used. First, based on expert opinions, the probability of the first level is determined - the probability that the real price will change, that is, it will become more, less or equal to the planned one ( in our case these probabilities are equal to 30, 30 and 40%), and then the probability of the second level is the probability of deviation by a certain amount. In our example the reasoning is as follows: if the price still turns out to be less than the planned one, then with a probability of 60% the deviation will be no more than -10%, with a probability of 30% - from -10 to -20% and with a probability of 10% - from -20 to -30% . Similarly, deviations in positive side. Deviations of more than 30% in any direction were considered impossible by the experts.

The final probability of the sales price deviation from the planned value is calculated by multiplying the probabilities of the first and second levels, so the final probability of a price reduction by 20% is quite small - 9% (30% x 30%) (see Table 2).

Total risk by NPV in our example is calculated as the sum of the products of the final probability and the risk value for each deviation and is equal to $6.63 thousand(1700 x 0.03 + 1123 x 0.09 + 559 x 0.18 - 550 x 0.18 - 1092 x 0.09 - 1626 x 0.03). Then the expected value of NPV, adjusted for the risk associated with a change in the selling price, will be equal to 1758 thousand USD(1765 (target NPV) - 6.63 (expected risk)).

Thus, the risk of changes in the selling price reduces the NPV of the project by 6.63 thousand US dollars. As a result of a similar analysis of two other critical factors, it turned out that the most dangerous is the risk of changes in the physical volume of sales: the expected value of this risk was 202 thousand US dollars, and the expected value of the risk of changes in the cost of 123 thousand US dollars. It turns out that a change in the retail price is not the most important risk for the project under consideration and can be neglected, focusing on managing and preventing other risks.

Sensitivity analysis is very clear, but its main drawback is that the influence of only one of the factors is analyzed, and the rest are considered unchanged. In practice, several indicators usually change at once. Scenario analysis helps to assess such a situation and adjust the NPV of the project for the amount of risk.

Scenario analysis. To begin with, it is necessary to determine the list of critical factors that will change simultaneously. To do this, using the results of the sensitivity analysis, you can select 2-4 factors that have the greatest impact on the outcome of the project. Considering more factors at the same time does not make sense, since this only complicates the calculations.

Three scenarios are usually considered: optimistic, pessimistic and most probable, but if necessary, their number can be increased. In each of the scenarios, the corresponding values of the selected factors are fixed, after which the project's performance indicators are calculated. The results are tabulated (see Table 3).

As with sensitivity analysis, each scenario, based on expert assessments the probability of its realization is assigned. The data of each scenario is substituted into the main financial model of the project, and the expected NPV values and risk values are determined. The magnitude of the probabilities, as in the previous case, must be justified.

The expected value of NPV in this case will be equal to 1572 thousand USD(-1637 x 0.2 + 3390 x 0.3 + 1765 x 0.5). Thus, unlike the previous stage of the analysis, we received one more accurate comprehensive assessment of the effectiveness, which will be used in further decisions on the project. It should be taken into account that a large gap between the planned and estimated NPV values indicates a high project uncertainty. There may be additional risk factors in the project that need to be considered.

Simulation modeling. In the case when exact estimates of the parameters (for example, 90, 110 and 80%, as in scenario analysis) cannot be set, and analysts can only determine the intervals of possible fluctuations of the indicator, the Monte Carlo simulation method is used. Most often, such an analysis is carried out to identify currency risks (fluctuations in the exchange rate during the year), as well as risks of fluctuations in interest rates, macroeconomic risks and others.

Due to its complexity, Monte Carlo calculations are always carried out using software products having the corresponding function (Project Expert, Alt-Invest, Excel). The main meaning of the calculations is as follows. At the first stage, the boundaries within which the parameter can change are set. Then the program randomly (simulating the randomness of market processes) selects the values of this parameter from a given interval and calculates the project's performance indicator, substituting the selected value into the financial model. Several hundred of these experiments are carried out (with electronic calculations, this takes several minutes), and many NPV values \u200b\u200bare obtained, for which the mean (m) and the risk value (standard deviation, d) are calculated. In accordance with the statistical rule (the so-called “three sigma rule”), the NPV value will be in the following intervals (see Table 4):

with a probability of 68.3% - in the range m ± d;
with a probability of 94.5% - in the range m ± 2d;
with a probability of 99.7% - in the range m ± 3d.

As can be seen from the table, m = 1725, d = 142. This means that the most probable NPV value will fluctuate around the value of 1725. Applying the “three sigma” rule, we find that with a probability of 99.7%, the NPV value falls within the range of 1725 ± (3 x 142), even the lower limit of which is greater than zero. Therefore, with a high degree of probability, the result of our project will be positive. If a negative result was obtained with a two- or three-fold deviation (this is possible with a low NPV of the project or high sensitivity to the factor), then using the “three sigma” rule, you can determine what the probability of this deviation is and draw a conclusion about the possibility of an unfavorable occurrence. outcome. For example, if at m ±d the value of NPV > 0, and at m -2d the value of NPV< 0, это значит, что с вероятностью до 13,1% ((94,5% - 68,3%) : 2) эффективность проекта отрицательна, он имеет довольно высокий риск и может быть пересмотрен.

In our example, the project for the production of gold chains is generally characterized by a low degree of risk, since the NPV of the project is very likely to be positive, and the calculated maximum risk in the implementation of the pessimistic scenario is 193 thousand USD (1765 thousand - 1572 thousand) . Therefore, the project can be accepted. Nevertheless, it is worth insuring against the risk of non-compliance with the launch of capacities (construction and installation of equipment), as well as the risk of increasing costs (for example, by purchasing options to buy gold). In addition, you need to pay attention to the promotion of goods: the advertising policy of the company and the choice of the point of sale. This can be done by building on previous practice or by working out lease agreements and contracts for supply chains to distributors.

In conclusion, we note that the application of the described approach to the analysis of project risks often allows, already at the first stage of project evaluation, to make a decision regarding its further development, as well as draw conclusions about possible ways risk minimization. It should be emphasized that reasonable expert assessments must be a prerequisite for such an analysis, otherwise the efficiency of the work will be low.

“The more complex the business model of the project, the more carefully it is necessary to assess the risks”

Interview with the director of the corporate finance department of the investment company ATON (Moscow) Dmitry Aleevsky

- Do you think there are differences between project and operational risks of the company?

It seems to me that there are no fundamental differences between these risks. Project risks are a logical extension of operational risks, since most of the company's projects are based on an already existing business model.

- However, companies evaluate the riskiness of a particular project, if only to understand how its implementation will affect the overall risk of the business. How carefully should the assessment of project risks be approached?

Approaches to assessing such risks should depend mainly on how typical the project is for the company, and not on the amount needed to implement it. Thus, the construction of a new retail chain store may be a high-budget project, but its implementation will already use famous companies technologies that are guaranteed to provide the store with an influx of customers and a stable income: analysis of the market capacity, determination of consumer preferences in the area and appropriate advertising.

If a company decides to diversify its business and acquire, for example, a network of gas stations to locate its stores, then it will have to face a completely different level of risk. For retailers, this business will be completely new, and they will be forced to take into account factors unknown to them: the purchase of gasoline, pricing, location of gas stations, etc. If the decision to open the next store can be made on the basis that the company needs a presence in the area , then the decision to purchase gas stations should be worked out to the smallest detail, since the risk of such an investment will be immeasurably higher due to the uniqueness of the project for this company. In addition, with the new acquisition, the core business will also change: supply chains will become more complex, managers will have to make decisions in an area unfamiliar to them. Thus, the more complex the business model of the project, the more carefully it is necessary to assess the risks.

- In what sequence are the project risk assessment activities carried out?

First, sensitivity analysis and scenario analysis are carried out, which are based on a simplified definition of the project parameters (discount rate, conditions external environment etc.). This allows you to either reject the project or decide to conduct a more detailed study and determine areas for further work. With a positive result of the study, all aspects that can somehow affect the outcome of the project are worked out. Then again a quantitative analysis is carried out on the basis of updated data and measures to eliminate (insurance) the risks identified during the work. In the end, if a decision is made to implement a project, then the total level of its risk, that is, the amount that the investor will lose in case of failure (taking into account all insurance measures), should not exceed an acceptable value, for example, 20% of the NPV of the project.

Interviewed by Anna Netesova

1 For more information about the results of the competition, see the article “How not to make mistakes when drawing up a business plan”, “Financial Director”, 2003, No. 4. - Note. editions.
2 The formulas for calculating these indicators are not given in this article, since they have already been published in our journal (see the article “Estimation of the cash flow of an investment project”, “Financial Director”, 2002, No. 4). In addition, these formulas can be found in any textbook devoted to financial management or investment appraisal. - Note. editions.
3 In order to maintain the confidentiality of commercial information, the author considers an example with conditional data, which is based on a real project from his personal experience. – Note. editions.

Project risk management includes processes related to risk management planning, risk identification and analysis, risk response, monitoring and project risk management. Most of these processes are subject to updating during the course of the project. The goals of project risk management are to increase the likelihood of occurrence and impact of favorable events and to reduce the likelihood of occurrence and impact of adverse events for the project. On fig. Figure 11-1 provides an overview of the project risk management processes, and Figure 11-1. 11-2 shows a dependency diagram of these processes and their inputs, outputs, and other processes from this knowledge area. Project risk management processes include the following:

11.1 Risk management planning- choice of approach, planning and
performing project risk management operations.

11.2 Risk identification- determining which risks may affect
for the project, and documenting their characteristics.

11.3 Qualitative risk analysis- location of risks according to their degree
priority for further analysis or processing by evaluating and
summing the probability of their occurrence and the impact on the project.

11.4 Quantitative risk analysis- quantitative analysis of the potential
the impact of identified risks on the overall objectives of the project.

11.5 Risk response planning- development of possible
options and actions to enhance favorable
opportunities and reduce threats to achieve project objectives.

11.6 Monitoring and risk management- tracking
identified risks, monitoring of residual risks,
identification of new risks, execution of risk response plans and
evaluation of their effectiveness throughout the life cycle of the project.

These processes interact both with each other and with processes from other knowledge areas. Depending on the needs of the project, one or more people or groups may be involved in each process. Each process takes place at least once during each project, and if the project is divided into phases, then in one or more phases of the project. Although processes are presented in this guide as discrete elements with well-defined interfaces, in practice they can overlap and interact with each other; such overlaps and interactions are not described here. Process interactions are discussed in detail in Chapter 3.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition

A project risk is an uncertain event or condition that, if it occurs, has a positive or negative impact on at least one of the project objectives, such as timing, cost, scope, or quality (i.e. depending on the specific project: when the project objective is defined as delivery of results according to a certain schedule or delivery of results that do not exceed the cost of an agreed budget, etc.). A risk can be caused by one or more causes and, if it occurs, can be influenced by one or more factors. For example, the risk may be due to the need to obtain permission from the local Committee for Environmental Protection or the lack of personnel involved in the development of the project. The onset of risk in these cases will be a delay in the issuance of a permit or a shortage of personnel involved in the development of the project. The occurrence of any of these unknown events can affect the cost of the project, its schedule or execution. Risk conditions may also include aspects of the organization's or project's external environment that increase risk (for example, poor project management practices, lack of common management systems, running multiple projects at the same time, or dependence on outside project participants who cannot be controlled).

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition
238 ©2004 Project Management Institute, Four Campus Boulevard, Newtown Square, PA USA

Figure 11-1. General scheme project risk management

Management to vault knowledge on management projects (ManagementPMBOK® )

Chapter 11 - Project Risk Management

The cause of risk is the uncertainty that is present in all projects. Known risks are those risks that have been identified and analyzed. Responses to these risks can be planned using the processes described in this chapter. But for unknown risks, it is not possible to plan responses. In such cases, it is prudent for the project team to allocate a general contingency reserve that will include these unknown risks, as well as all known risks for which the development of specific responses is not cost effective or feasible.

Organizations consider risks to the extent that they correlate with project threats or opportunities that increase the likelihood of project success. Risks that pose a threat to the project can be accepted if the risk is commensurate with the benefit that can be obtained by accepting this risk. For example, accepting a "fast track" schedule (Section 6.5.2.3) that could be violated is a risk taken to end the project earlier. Opportunity risks (such as speeding up work by hiring additional staff) may be accepted in order to best achieve project objectives.

The attitude towards risk on the part of individuals and, on a larger scale, organizations is conditioned by their understanding of risk and their response to the occurrence of risk. Where possible, the attitude towards risk should be expressed explicitly. For each project, a consistent approach to risk should be developed to suit the organization's requirements, and information about risk and risk management should be open and reliable. Risk responses reflect how an organization understands the balance between risk acceptance and risk aversion.

To achieve success throughout the project, the organization must take proactive and consistent risk management measures in advance.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition
240 ©2004 Project Management Institute, Four Campus Boulevard, Newtown Square, PA USA

Note: Not all process interactions and not all data flows between

processes.

Figure 11-2.Diagramdependenciesprocessesforprocessmanagementrisks

project

Chapter 11 - Project Risk Management

11.1 Planning management risks

Careful and detailed planning increases the likelihood of successfully achieving the results of the other five risk management processes. Risk management planning is the process of identifying approaches and planning operations for project risk management. Planning risk management processes ensures that the level, type and transparency of risk management is commensurate with both the risk itself and the value of the project to the organization, as well as allocating sufficient time and resources to perform risk management activities and determining the overall basis for risk assessment. The risk management planning process should be completed early in the project planning phase as it is critical to the success of the other processes described in this chapter.

Figure 11-3. Risk management planning: inputs, tools and methods,

11.1.1 Planning management risks: inputs

The risk attitude and risk tolerance of the organizations and individuals involved in the project influences the project management plan (Section 4.3). Risk attitudes and tolerance for risk can be enshrined in a statement of core principles or manifested in concrete actions (Section 4.1.1.3).

Organizations may have predetermined approaches to risk management, such as risk categories, general definitions of concepts and terms, standard templates, schemes for the distribution of roles and responsibilities, as well as certain levels of authority for decision-making.

.4 Project management plan

See section 4.3 for a description.

11.1.2 Risk management planning: tools and methods

.1 Planning meetings and review

The project team meets to develop a risk management plan. The meetings may be attended by the project manager, individual project team members and project participants, representatives of the organization responsible for risk planning and response operations, and, as appropriate, others.

At such meetings, the basic plans for conducting risk management operations are drawn up. Risk cost elements and scheduled activities are also developed and included in the project budget and schedule, respectively. The distribution of responsibility in the event of a risk is approved. The organization's generic templates for risk categories and term definitions (e.g., risk levels, risk probability by risk type, risk impact on project objectives by objective type, and probability and impact matrix) are tailored to each individual project. . The outputs of these operations are summarized in the risk management plan.

11.1.3 Risk management planning: outputs

.1 Risk management plan

The risk management plan contains descriptions of the project's risk management structure and how it will be carried out within the project. This plan is included in the project management plan (Section 4.3). The risk management plan includes the following elements:

Methodology. Definition of approaches, tools and data sources,
that can be used to manage risks in a given project.

Distribution of roles and responsibilities. List of execution positions,
support and risk management for each type of operation,
included in the risk management plan, assigning employees to these
positions and clarification of their responsibilities.

Budget development. Resource Allocation and Cost Estimation
measures necessary for risk management. This data
are included in the project cost baseline (Section 7.2.3.1).

Timing. Determining the timing and frequency of the control process
risks throughout the life cycle of the project, and
identify risk management activities that need to be
include in the project schedule (Section 6.5.3.1).

Categories of risks. The structure on the basis of which
systematic and comprehensive identification of risks with the desired
the degree of detail; this structure contributes to
efficiency and quality of risk identification. The organization can
use the previously developed classification of typical risks.
Such a structure can be developed by drawing up
hierarchical risk structure (HRS) (Fig. 11-4), but the same task
can be resolved simply by listing the various aspects of the project. AT
risk identification process, risk categories can
be reviewed. It is considered good practice to review the categories
risks during risk management planning, before these
the categories will be used in the risk identification process. Before
than to accept for use in the current project a risk classification,
based on previous drafts, it may need to be refined,
change or adapt to the specifics of the new project.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition

Chapter 11 - Project Risk Management

Determining the probability of occurrence of risks and their consequences. A conscientious and credible qualitative risk analysis assumes that various levels of likelihood of occurrence of risks and their impact are identified. Generic definitions of probability levels and impact levels are adapted on a project-by-project basis during the risk management planning process and then used in the qualitative risk analysis process (Section 11.3).

Figure 11-4. Example of a Risk Hierarchy Structure (HRS)

A relative scale can be used, on which the likelihood is descriptive, ranging from "highly unlikely" to "almost likely". You can also use a general scale on which the probability corresponds to a numerical value, for example: 0.1 - 0.3 - 0.5 - 0.7 - 0.9. Another way of grading probability involves creating descriptions of the state of the project corresponding to the risk under consideration (for example, the degree of completion of the product design).

The impact rating scale reflects the significance of the impact (negative for threats or positive for opportunities) of the risk if it occurs. The scale of impact assessment may differ depending on the objective potentially affected by the risk, the type and size of the project, the strategies adopted by the organization and its financial condition, as well as the sensitivity of the organization to specific type impacts. The relative impact scale contains only descriptive labels, such as "very low", "low", "medium", "high" and "very high", arranged in order of increasing severity of risk exposure as defined by the organization. The same can be done in another way, by assigning numerical values to these consequences. These numerical values can be linear (eg 0.1 - 0.3 - 0.5 - 0.7 - 0.9) or non-linear (eg 0.05 - 0.1 - 0.2 - 0.4 - 0.8). A non-linear scale may reflect the organization's intention to avoid high-impact threats or to exploit the most favorable opportunities, even if the probability of occurrence is relatively low. When using a non-linear scale, it is important to understand what the numbers mean and how they relate to each other, how these numbers are obtained, and how they can affect various project goals.

On fig. 11-5 is an example of definitions negative consequences, which can be used in assessing the impact of risks on the four objectives of the project. The figure shows both relative and digital (in this case, non-linear) notation. The purpose of this figure is not to show that relative and digital designations are equivalent, but to illustrate the two possibilities in one table, not two.

Matrix of probability and consequences. The prioritization of risks corresponds to the potential degree of significance of their consequences for achieving the objectives of the project. A typical way to prioritize risks is to use a look-up table or probability and impact matrix (see Figure 11-8 and Section 11.3.2.2). Typically, the organization itself determines the combinations of probability and impact that determine the degree of risk as "high", "medium" or "low", which in turn determines the significance for risk response planning (Section 11.5). These combinations in the risk management planning process can be reviewed and adapted to a specific project.

Figure 11-5. Determination of the impact rating scale for the four project objectives

Chapter 11 - Project Risk Management

Refined risk tolerance of project participants. During
risk management planning process risk tolerance
project participants can be adjusted in relation to
specific project.

Reporting forms. Describes the content and format of the risk register
(sections 11.2, 11.3, 11.4 and 11.5) and any other required reports
by risks. Contains a definition of how
documentation, analysis and exchange of information on the results of the process
risk management.

Tracking. Documents how to register all aspects
risk operations for the benefit of this project, as well as for future
projects and inclusion in the documents on the accumulated knowledge.
Documents when and how processes will be audited
risk management.

Identification risks

Risk identification involves identifying risks that can affect the project and documenting their characteristics. If necessary, risk identification activities may involve: the project manager, members of the project team, the risk management team (if any), subject matter experts outside the project team, customers, end users, other project managers, project participants, and risk management experts. Although the main role in risk identification belongs to these specialists, the participation of all personnel in this process should be encouraged.

Risk identification is an iterative process, as new risks may be discovered as the project progresses through its life cycle (Section 2.1). The frequency of iteration and the composition of the participants in the execution of each cycle in each case may be different. Members of the project team should be involved in this process so that they develop a sense of "ownership" and responsibility for the risks and for the actions to respond to them. Project participants who are not part of the project team can provide additional objective information. Typically, the risk identification process is followed by a qualitative risk analysis process (Section 11.3). Where risk identification is managed by an experienced risk manager, quantitative risk analysis (Section 11.4) may immediately follow the identification. In some cases, the risk identification itself may determine the response; these measures should be recorded for further analysis and implementation during the risk response planning process (Section 11.5).

11.2.1 Risk identification: inputs

.1 Factors in the external environment of the enterprise

When identifying risks, it may turn out useful information from open sources, including commercial databases, scientific papers, benchmarking and other research work in this area (section 4.1.1.3).

.2 Organizational Process Assets

Information on the implementation of previous projects may be available in the archives of previous projects, both in its original form and in the form of accumulated knowledge (Section 4.1.1.4).

.3 Description of the scope of the project

Project assumptions are given in the project scope statement (Section 5.2.3.1). Uncertainty in project assumptions should be considered as a potential source of project risk.

.4 Risk management plan

The key inputs to the risk identification process from the risk management plan are the role and responsibility scheme, the allowance for risk management activities in the budget and schedule, and risk categories (Section 11.1.3.1). These activities are sometimes reflected in the hierarchical structure of resources (Figure 11-4).

.5 Project management plan

The risk identification process also requires an understanding of the schedule, cost, and quality management plans that are part of the project management plan (Section 4.3). Process outputs from other knowledge areas should be analyzed to identify possible risks throughout the project.

11.2.2 Risk identification: tools and methods

1 Documentation analysis

You can perform a structured review of project documentation, including plans, assumptions, previous project history, and other sources. The quality of the plans, as well as the consistency of the plans and their compliance with the requirements and assumptions of the project, can serve as indicators of the possibility of risk in the project.

.2 Information collection methods

The following information gathering methods can be used to identify risks:

Brainstorm. The goal of brainstorming is to create a detailed list of project risks. The brainstorming session is usually conducted by the project team, often with the participation of experts from different fields who are not members of the team. The generation of ideas related to the risks of the project takes place under the guidance of the facilitator. This can be based on a system of risk categories (Section 11.1), such as a hierarchical risk structure. Further, risks are subject to identification and categorization by types, and their definitions are subject to clarification.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition

Chapter 11 - Project Risk Management

Delphi method. The Delphi method is a way to reach consensus between
experts. This method suggests that the experts
project risk take part in it anonymously. By using
The questionnaire facilitator collects ideas about the important risks of the project.
Summaries of responses are compiled and then returned to the experts.
for further comments. Consensus can be reached in a few
cycles of this process. Delphi method helps to overcome
bias in data evaluation and eliminates excess influence
individuals on the result of work.

Polls. Conducting surveys among experienced employees taking
participation in the project, among project participants and experts in this field,
can help identify risks. Poll results
are one of the main sources of information in the collection process
risk identification data.

Identification of the root cause. This identification of the most
significant causes of project risks. This allows you to give
more precise definitions of risks and group risks according to the reasons they
callers. Risk response can only be effective
when it is aimed at eliminating the root cause
occurrence of risk.

Analysis of strengths, weaknesses, opportunities and threats (analysisSWOT) This method allows you to analyze the project from the perspective of each of
of the above parties, which gives a more complete picture of the risks
project.

.3 Analysis of checklists

Risk identification checklists can be developed based on historical information and knowledge gained from previous similar projects, as well as from other sources. You can also use the lowest level of the resource hierarchy as a risk checklist. Although the checklist may be simple and easy to complete, it is not possible to create an exhaustive checklist. Special attention should be given to questions that are not reflected in the checklist. When a project is closed, the checklist should be reviewed to optimize it for use in future projects.

.4 Analysis of assumptions

Each project is conceived and developed based on a set of hypotheses, scenarios and assumptions. Assumption analysis is a tool for assessing the validity of assumptions as they are applied to the project. This analysis identifies project risks arising from inaccurate, inconsistent or incomplete assumptions.

.5 Display Methods with Charts

Methods for displaying risks in the form of charts include:

Cause-and-effect diagrams(section 8.3.2.1). These charts
also known as Ishikawa or fish-eye charts
skeleton" are used to identify the causes of risks.

System diagram or process dependency diagram. This kind
graphic display shows the order of interaction
various elements of the system among themselves and their causal
communications (Section 8.3.2.3).

Influence diagrams. Graphical representation of situations,
displaying mutual influences, temporal connections of events and others
relationships between variables and outcomes.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition
248 ©2004 Project Management Institute, Four Campus Boulevard, Newtown Square, PA USA

11.2.3 Risk identification: outputs

Typically, risk identification outputs are contained in a document that can be called a risk register.

.1 Risk Register

The main outputs of the risk identification process are the initial entries in the risk register, which becomes an element of the project management plan (Section 4.3). Ultimately, the outputs of other risk management processes are recorded in the risk register as they are completed. The preparation of the risk register begins during the risk identification process, during which the register is populated with the following information. This information is then made available through other processes related to project management or project risk management.

List of identified risks. This list contains
list and descriptions of identified risks, including the main
their causes and uncertain project assumptions.
Almost any project topic can be subject to certain
risks. Here are some examples. Several types of production work
large components that require a long time,
located on the critical path of the project. The risk may arise when
when disagreements in industrial relations in the port can
lead to a delay in the supply of components, and, consequently,
to delay construction completion. Another example might
turn out to be a situation where the project management plan provides for
staffing of ten performers, and available resources
there are only six. Lack of resources can lead to
an increase in the period of time required to complete the work and to
delay in scheduled operations.

List of potential response actions. Potential
risk responses can be identified during the identification process
risks. These actions, when defined, may be useful in
as inputs to the risk response planning process (Section 11.5).

The main causes of risk. Such reasons
represent underlying conditions or events, understanding
which can serve as a key to identifying a particular risk.

Clarification of risk categories. In the process of identification, the list
risk categories can be replenished with new categories. Perhaps on
based on the outputs of the risk identification process will need
expand or refine the hierarchical structure of resources,
developed during the risk management planning process.

11.3 Qualitative analysis risks

Qualitative risk analysis involves the prioritization of identified risks, the results of which are subsequently used, for example, in quantitative risk analysis (Section 11.4) or risk response planning (Section 11.5). Organizations can significantly improve project performance by focusing on the highest priority risks. Qualitative risk analysis prioritizes identified risks based on their likelihood of occurrence, their impact on the achievement of project objectives if these risks occur, and also taking into account a number of other factors (for example, time frame and risk tolerance inherent in project cost constraints, schedule, content and quality).

By determining the degree of probability and impact, as well as the data obtained from interviews with experts, it is possible to correct for the systematic bias of the data that often occurs during this process. In the presence of scheduled operations, the execution of which is very tightly tied to certain time intervals and exposed to risk, the degree of importance of the risk increases many times over. Assessing the quality of available information related to project risks can also help to understand the significance of a risk in a given project.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition

Chapter 11 - Project Risk Management

Qualitative risk analysis is usually a quick and inexpensive way to set priorities in the risk response planning process, and, if necessary, provides the basis for conducting a quantitative risk analysis. Qualitative risk analysis is subject to refinement throughout the life cycle of the project and should reflect all changes related to the risks of the project. Qualitative risk analysis requires the outputs of the risk management planning (Section 11.1) and risk identification (Section 11.2) processes. Once the qualitative risk analysis is complete, you can move on to quantitative risk analysis (Section 11.4) or directly to risk response planning (Section 11.5).

Figure 11-7. Qualitative risk analysis: inputs, tools and methods, outputs

11.3.1 Qualitative Risk Analysis: Inputs

Qualitative risk analysis can draw on risk data from previous projects and the knowledge base.

In standard or repetitive projects, there are more well-understood risks each time. For projects based on the latest advances in technology or for the first time using any technology, as well as for very complex projects, high degree uncertainty. The degree of uncertainty can be assessed by examining the project scope statement (Section 5.2.3.1).

.3 Risk management plan

For a qualitative risk analysis, the following elements of a risk management plan are essential: 1) distribution of roles and responsibilities in risk management, budget and planned risk management operations; 2) risk categories; 3) determination of the probability of occurrence and possible consequences; 4) probability and consequences matrix; and 5) adjusted risk tolerance of project participants (as well as enterprise environmental factors, see section 4.1.1.3). Typically, these inputs are tailored for a particular project during the risk management planning process. If these inputs are not available, they can be developed during the qualitative risk analysis process.

.4 Risk Register

A key element in the risk register for conducting a qualitative risk analysis is the list of identified risks (Section 11.2.3.1).

11.3.2 Qualitative risk analysis: tools and methods

.1 Determining the likelihood and impact of risks

Determining the probability of occurrence of a risk involves conducting research to determine the degree of probability of occurrence of a particular risk in the process of project implementation. Risk impact assessment identifies the potential effect it could have on the project objective (eg, time, cost, scope, or quality), including negative impacts for threats and positive impacts for opportunities.

Likelihood and impact are assessed for each identified risk. Risk assessment may be based on the results of surveys or joint meetings with experts selected according to the criterion of knowledge in the field of risk categorization. Interviewees may include members of the project team and possibly individuals who are not involved in the project but have broad knowledge of the field. Peer review is a necessity as there may not be enough risk information in the organizations' databases relating to past projects. The discussions may require the assistance of an experienced facilitator, as participants may not have sufficient experience in risk assessment.

Based on the results of surveys or meetings, the probability of occurrence and impact of each risk on the project objectives is determined. Explanatory information is also recorded, including the assumptions used to determine the risk levels. The likelihood and impact of risks are ranked according to the definitions provided in the project management plan (Section 11.1.3.1). In some cases, risks with a clearly low degree of probability of occurrence and impact are not included in the risk rating, but are included in the list of risks that are monitored further.

.2 Probability and Consequence Matrix

Risk prioritization for subsequent quantitative analysis (Section 11.4) and response (Section 11.5) is based on the risk rating. The assignment of a certain place to a risk occurs on the basis of estimates of their probabilities of occurrence and consequences (Section 11.3.2.2). Estimating the importance of risks, and therefore prioritization for treatment, is usually done using a look-up table or probability-and-consequence matrix (Section 11-8). Such a matrix contains combinations of likelihood and impact that assign risks a specific rank: low, medium, or high priority. Depending on the preference of the organization, the matrix may contain descriptive terms or numerical designations.

The organization should determine which combinations of probability and impact correspond to high risk (red zone), medium risk (yellow zone), or low risk (green zone). In a black and white matrix, these conditions can be indicated by different shades of gray. In the matrix shown in Fig. 11-8, dark gray area (highest numeric values) indicates high risk, medium gray area (lowest numeric values) indicates low risk, and light gray area (middle numeric values) indicates medium risk. risk level. Typically, these risk scoring rules are established by the organization before the start of the project and are included in organizational process assets (Section 4.1.1.4). The risk scoring rules can be refined on a project-by-project basis during the risk management planning process (Section 11.1).

For these purposes, a probability-and-consequence matrix is also often used, such as the one shown in Fig. 11-8.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition

Chapter 11 - Project Risk Management

Figure 11-8. Probability and Consequence Matrix

As shown in fig. 11-8, an organization can rank each risk separately for each objective (for example, cost, time, or scope). In addition, an organization may establish ways to determine the overall rating for each risk. Finally, threats and opportunities can be managed using the same matrix and definitions of different levels of consequences.

The risk rank helps you manage your risk response. For example, for risks that have a negative impact on the objectives of the project (threats) if they occur, and therefore are located in the high-risk zone (dark gray) of the matrix, preventive actions and an aggressive response strategy are required. For threats located in a low-risk area (medium gray), preventive action may not be required. It is enough that they are placed on a watch list or added to the contingency reserve.

The same goes for opportunities: those that can be obtained most easily and promise the greatest benefit (they are in the high-risk area - dark gray) should be given the highest priority. Low-risk opportunities (medium gray) should be monitored.

Assessing the quality of risk data

For qualitative risk analysis to be reliable, accurate and unbiased data is essential. Risk data quality analysis is a technique for evaluating the usefulness of risk data for project management. The analysis includes examining the depth of risk understanding as well as the accuracy, quality, reliability and integrity of risk data.

The use of low quality risk data may result in the results of a qualitative risk analysis being of little use in a project. In the absence of high-quality data, it may be necessary to collect new, higher-quality data. Collecting risk information is often difficult and requires more time and resources than originally planned.

.4 Risk classification

To identify project areas most vulnerable to uncertainty, project risks can be classified by the source of the risk (for example, using the WBS), by the area of the project affected by the risk (for example, using the WBS), or by some other criterion (for example, by project phase). An efficient system Risk responses can be developed by grouping risks according to their root causes.

.5 Assessment of risk urgency

Risks that require immediate response may be considered the most urgent to respond to. Priority indicators may include risk response time, symptoms and signs of risk, and risk rank.

11.3.3 Qualitative Risk Analysis: Outputs

The creation of a risk register begins during the risk identification process. The risk register is updated based on the information obtained from the qualitative risk analysis, and then the updated risk register is included in the project management plan. Updates to the risk register based on information from qualitative risk analysis include:

Relative ranking or risk prioritization list project. To classify risks according to their individual
significance, a probability-and-consequence matrix can be used.
The project manager can then use the risk list,
prioritized to focus on
on those that are of high importance for the project, and
risk response can give the best result. Risks may
be prioritized separately for cost, time,
content, and quality, as organizations may
evaluate the significance of some project goals in relation to others.
The description of the basis for assessing likelihood and impact should be
included in the list of assessed risks as it is important for the project.

Risks grouped by category. Grouping risks by
categories can identify the underlying causes that are common to them or those
areas of the project to which special attention should be paid.
Identification of risk concentrations improves efficiency
risk response.

List of risks requiring immediate response. Risks
requiring immediate response, and risks, the response to which
can be performed later, can be placed in different groups.

List of risks for additional analysis and response. Some risks may require additional consideration
(including quantitative risk analysis), as well as additional
response actions.

List of low priority risks that need to be monitored. Risks that, as a result of a qualitative risk analysis, have not received
high priority, may be placed on a list for further
constant monitoring of them.

Trends in Qualitative Risk Analysis Results. As you progress
repeated analyzes may reveal trends in certain risks, which
can serve as a basis for determining the urgency of responding to these
risks or need for additional consideration.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition

Chapter 11 - Project Risk Management

11.4 Quantitative analysis risks

Quantitative analysis is carried out in relation to those risks that, in the process of qualitative risk analysis, were qualified as potentially or significantly affecting the competitive properties of the project. In the process of quantitative risk analysis, the effect of such risk events is assessed and such risks are assigned a digital rating. This analysis also presents a quantitative approach to decision making under uncertainty. Techniques such as Monte Carlo simulation and decision tree analysis are used during this process; they are used for:

Determination of the number of possible outputs of the project and the degree of their
probabilities

Estimates of the likelihood of achieving specific project goals

Identify the risks that require the most attention by
quantification their relative contribution to the overall risk of the project

Setting realistic and achievable cost targets,
schedule or scope, taking into account the risks of the project

Determining the best project management solution in a situation where
some conditions or exits left undefined

Quantitative risk analysis is usually performed after a qualitative risk analysis, although experienced project managers sometimes conduct a quantitative analysis immediately after risk identification. In some cases, quantitative risk analysis is not required to develop effective risk responses. The choice of method (methods) of analysis in each specific project is determined by the availability of time and budget, as well as the need for a qualitative or quantitative statement of risks and their consequences. To determine how successfully (and successfully) the overall risk of the project has been reduced, after risk response planning, it is necessary to re-quantify the risks, as well as part of the monitoring and risk management. Trend analysis may indicate the need for a larger or smaller risk management operation. This is an input to the risk response planning process.

11.4.1 Quantitative Risk Analysis: Inputs

.1 Organizational Process Assets

Information on previous projects similar to the current one, the results of the study of similar projects by risk specialists, and risk databases, which may be available from industrial or private sources.

.2 Description of the scope of the project

See section 5.2.3.1 for a description.

.3 Risk management plan

For quantitative risk analysis, the following elements of a risk management plan are essential: 1) distribution of roles and responsibilities in risk management, budget and scheduled risk management operations; 2) risk categories; 3) hierarchical structure of resources; and 4) refined risk tolerance of project participants.

.4 Risk Register

The key elements of a risk register for quantitative risk analysis are: a list of identified risks, a relative ranking or priority list of project risks, and risks grouped by category.

.5 Project management plan

The project management plan includes:

Project schedule management plan. Schedule Management Plan
project sets the format and criteria for development and controlling
the project schedule (see the introductory part of chapter 6 for a description).

Project cost management plan. Cost Management Plan
project sets the format and criteria for planning,
structuring, evaluation, budgeting and cost controlling
project (for a description, see the introductory part of Chapter 7).

11.4.2 Quantitative risk analysis: tools and methods

.1 Data collection and presentation methods

Polls. Surveys are used to quantify the likelihood
the occurrence and impact of risks on project objectives. Required
information depends on the type of probabilistic
distribution. For example, for some widely used models
distributions, you need to collect information about the optimistic (low),
pessimistic (high) and most likely scenario, while for others
models - information about mean and standard deviations. Examples
The three-point estimates for the valuation are shown in fig. 11-10.
Documenting the rationale for risk ranking is important
component of risk surveys, as these documents may
contain information about the reliability and reliability of the analyses.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition

Chapter 11 - Project Risk Management

Figure 11-10. The range of project cost estimates based on the results of a survey on

Probability distribution. The continuous probability distribution represents the uncertainty of values, such as the duration of schedule activities and the cost of project elements. A discrete distribution may be used to represent uncertain events, such as test results or a possible decision tree scenario. On fig. 11-11 are two examples of commonly used continuous distributions. These skewed distributions describe patterns that are consistent with the data typically obtained from project risk analysis. Uniform distribution can be used in cases where there are no preferred values between the specified upper and lower bounds, which happens, for example, at an early design stage.

Expert review. Experts in the field, both internal and external (for example, engineering or statistical experts), validate the data and methods.

.2 Quantitative risk analysis and modeling techniques

The most common methods of quantitative analysis are:

Sensitivity analysis Sensitivity analysis helps
determine which risks have the greatest potential impact
for the project. The analysis determines to what extent
the uncertainty of each element of the project is reflected in the investigated
project goals, if the remaining undefined elements accept
base values. One of the typical ways to display results
sensitivity analysis is a tornado chart that is useful when
comparing the relative importance of variables with high
degree of uncertainty, with other, more stable variables.

Analysis of expected monetary value. Analysis of expected cash
cost (ODS) is statistical concept, with which
the average result is calculated for cases where the future includes
scenarios that cannot be predicted with certainty (i.e. analysis in
conditions of uncertainty). Usually ODS Opportunities
is expressed in positive terms, and risks are expressed in negative terms.
quantities. The calculation of the ODS is made by multiplying the value of each
possible result on the probability of its occurrence, and then the resulting
the values are summed up. Most often, this type of analysis is used in
decision tree analysis (Fig. 11-12). For cost risk analysis and
schedule, it is recommended to use simulation, since this method
more efficient and less prone to error
applications than an analysis of expected monetary value.

Decision tree analysis. Typically a decision tree analysis structure
is built on the basis of the decision tree diagram (Fig. 11-12), which
describes the situation under consideration, taking into account each of the available
choices and possible scenario. It combines cost
each possibility of choice, the probability of occurrence of each
possible scenario, as well as rewards for each alternative
logical path. Building a decision tree makes it possible to
analysis of the ODS (or other activities of interest to
organization) for each alternative, provided that all
rewards and related decisions are already quantified
expression.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition

Chapter 11 - Project Risk Management

Figure 11-12. Decision tree diagram

Modeling and imitation. Project modeling uses a model to determine the consequences of the impact of detailed uncertainties on the results of the project as a whole. Simulation is usually carried out using the Monte Carlo method. In simulation, the project model is calculated multiple times (iteratively), with inputs randomized from a probability distribution function (for example, cost of project elements or duration of schedule activities) selected for each iteration from the probability distribution of each variable. The probability distribution is calculated (for example, total cost or completion date).

When analyzing the cost of risk, the traditional WBS (Section 5.3.3.2) or the hierarchical cost structure can be used as a modeling model. Schedule risk analysis uses a precedence diagram (Section 6.2.2.1). The results of cost risk modeling are presented in fig. 11-13.

Figure 11-13. Cost Risk Modeling Results

11.4.3 Quantitative Risk Analysis: Outputs

.1 Risk register (updates)

The formation of the risk register begins in the process of risk identification (Section 11.2), and in the process of qualitative risk analysis (Section 11.3) it is updated. Further updating of the risk register takes place during the quantitative risk analysis. The risk register is a component of the project management plan. The main elements to be updated are:

Probabilistic analysis of the project. In the process of probabilistic analysis
the project evaluates the potential outputs of the project schedule
and cost, a list of milestone completion dates and
value, as well as this information, are assigned the appropriate
privacy levels. This output, usually expressed as
cumulative probability distribution, used in conjunction with
risk tolerance of project participants for quantitative assessment
the cost and time components of the reserve for contingencies
circumstances. Such contingency reserves
necessary to reduce to an acceptable level of risk for the organization
overspending in relation to the stated objectives of the project. For example, on
rice. 11-13 75th percentile contingency cost
is $9, or about 22% compared to $41, which
is obtained from the estimates of the highest probability.

Probability of achieving cost and time targets. When the project
faces risks with the help of quantitative analysis results
risks, it is possible to assess the probability of achieving the project goals against the background of
current planned indicators. For example, in fig. 11-13 probability
achieving a valuation of $41 (Figure 11-10) is about 12%.

Chapter 11 - Project Risk Management

List of priority assessed risks. This list includes
risks that pose the greatest threat or best
good opportunities for the project. These include risks that
require maximum funds for unforeseen circumstances and those
that are most likely to influence
critical path.

Trends in Quantitative Risk Analysis Results. As
repeated analyses, trends may become more
obvious, and this can contribute to decision-making that affects
to respond to risks.

Planning response on the risks

Risk response planning is the process of developing paths and identifying actions to increase opportunities and reduce threats to project objectives. This process begins after a qualitative risk analysis and a quantitative risk analysis. It includes the identification and appointment of one or more responsible persons ("Risk Response Officers") who are responsible for responding to each agreed and budgeted risk. Risk response planning considers risks according to their priorities; as needed, new resources and activities are added to the cost, schedule, and project management plans.

Planned risk response operations must be appropriate to the severity of the risk, cost-effective in solving the problem, timely, realistic in the context of the project and agreed upon by all stakeholders, and the implementation of the activities must be assigned to the responsible person. Choice is often required the best way response to risks from several options.

The Risk Response Planning section presents the most commonly used approaches to risk response planning. Risks include threats and opportunities that can affect the success of the project, and responses are considered for each type separately.

Figure 11-14. Risk response planning: inputs, tools and methods,

11.5.1 Risk response planning: inputs

.1 Risk management plan

Important elements of a risk management plan include: allocation of roles and responsibilities, definitions of risk analyses, risk thresholds (low-medium and high), time and budget required to complete project risk management activities.

The outputs of the risk management planning process, which are important inputs to risk response planning, include: the probabilistic analysis of the project, the probability of achieving the project's time and cost objectives, the list of priority assessed risks, and the trends found in the quantitative risk analysis results.

.2 Risk Register

Initially, the risk register is formed during the risk identification process, then updated during the qualitative and quantitative risk analysis. When developing a risk response, during the risk response planning process, it may be necessary to refer to information about identified risks, the root causes of risks, a list of potential risk response actions, a list of those responsible for risks, symptoms and signs of risks.

Important inputs to the risk response planning process include: 1) a relative rating or list of project risks, ordered by priority, 2) a list of risks requiring immediate response, 3) a list of risks requiring additional analysis and response, 4) trends in the results of a qualitative risk analysis, 5) root causes of risks, 6) risks grouped by category, and 7) a list of low priority risks that should be monitored. Further updating of the risk register takes place during the quantitative risk analysis.

11.5.2 Risk response planning: tools and methods

There are several risk response strategies. For each risk, it is necessary to choose a strategy or a combination of different strategies that seems to be the most effective for dealing with it. To select the most appropriate way to respond to risks, you can use risk analysis tools (for example, decision tree analysis). Then it is necessary to develop specific measures for the implementation of the chosen strategy. It is possible to define a primary and a backup strategy. In the event that the chosen strategy does not work or proves ineffective, and also if an accepted risk arises, a contingency plan can be developed and implemented. Often there is a provision for contingencies in terms of time and cost. Finally, contingency plans can be developed along with the conditions under which these plans are put into action.

.1 Strategies for responding to negative risks (threats)

There are three typical strategies for responding to the emergence of threats or risks that can have a negative impact on the achievement of project results. Such strategies are: evasion, transfer or reduction.

Evasion. Risk avoidance involves changing the project management plan so as to eliminate the threat caused by a negative risk, insulate the project objectives from the consequences of the risk, or weaken the threatened objectives (for example, expand the scope of the schedule or reduce the scope of the project). Some risks in the early stages of a project can be avoided by clarifying requirements, obtaining information, improving communication, or conducting due diligence.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition

Chapter 11 - Project Risk Management

Broadcast. Risk transfer involves the transfer of negative consequences
threats with responsibility for responding to the risk to a third party. Broadcast
risk simply transfers the responsibility for its management to another party; risk
it is not eliminated. The transfer of responsibility for risk is the most
effective in relation to financial risks. The transfer of risk is practically
always involves the payment of a risk premium to the party assuming
risk. Risk transfer instruments are many and varied; they
include, in particular, the use of insurance, performance guarantees
contracts, warranties, etc. Conditions for the transfer of responsibility
for certain risks to a third party may be determined in the contract. In
in many cases in a cost-benefit contract, risk costs
can be shifted to the buyer, and in a contract with a fixed price
the risk can be passed on to the seller if the development of the project is already
is in stable condition.

Decrease. Risk reduction involves reducing the likelihood and/or
consequences of a negative risk event to acceptable limits.
Taking preventive measures to reduce the likelihood of occurrence
risk or its consequences are often more effective,
rather than the efforts to eliminate the negative consequences undertaken
after the occurrence of the risk event. As examples of activities for
risks can be reduced by: implementing less complex processes,
conducting more tests or choosing a supplier,
supplies of which are more stable. To reduce risks
may require the development of a prototype, on the basis of which
a proportional increase in the probability of risk from
bench model to a process or product. If it is not possible to reduce
probability, risk mitigation should be directed to the consequences
risk, namely those links that determine their severity.
For example, developing a redundant subsystem can reduce
consequences of failure of the main system.

Strategies for responding to positive risks (opportunities) Below are three ways to respond to risks that have a potentially positive impact on the objectives of the project: use, share, strengthen.

Usage. This strategy may be chosen to respond to risks with
positive impact, if necessary, that this favorable
the opportunity would have been realised. This strategy
designed to eliminate all uncertainties associated with risk
top level, with the help of measures that ensure the emergence of this
opportunity in various forms. Direct
response to this opportunity include: involvement in
project of more talented personnel in order to reduce the time,
necessary to complete it, or to provide a higher quality,
than what was originally planned.

Sharing. Sharing positive
risk involves the transfer of responsibility to a third party,
able to make the best use of the
favorable opportunity for the project. Among the activities with
Sharing opportunities include:
formation of partnerships with joint responsibility for risks, teams,
specialized companies or joint ventures established
specifically for managing opportunities.

Gain. When applying this strategy, the "size" of the favorable
opportunities by increasing the likelihood of occurrence and/or
positive impact, as well as by identifying and maximizing
the main sources of these positive risks. To enhance this
probability, you can try to alleviate or strengthen the cause that causes
favorable opportunity, and purposefully strengthen the conditions for its occurrence.
You can also influence the sources of influence by trying to increase
sensitivity of the project to this opportunity.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition
262 ©2004 Project Management Institute, Four Campus Boulevard, Newtown Square, PA USA

.3 Overall strategy for responding to threats and opportunitiesAdoption: This strategy is used when it is unlikely to eliminate all risks from the project. This strategy means that the project team has decided not to change the project plan due to the risk, or has not found another suitable risk response strategy. This strategy applies to either threats or opportunities. It can be either active or passive. Passive adoption of this strategy does not imply any preventive measures, leaving the project team to act at its own discretion in the event of a risk event. The most common form of active adoption of this strategy is the creation of a contingency reserve, which includes time, money or resources to manage known - or, in some cases, potential and even unknown - threats and opportunities.

.4 Contingency response strategy

Some responses are designed to be used only when certain events occur. For some risks, the project team may put in place a risk response plan, which can only be put in place under predetermined conditions - if there is confidence and sufficient evidence that the plan will be successfully implemented. Events that trigger the contingency response mechanism should be identified and tracked, such as the absence of intermediate milestones or the high priority level assigned to a particular supplier.

11.5.3 Risk response planning: outputs

.1 Risk register (updates)

Initially, the risk register is formed during the risk identification process, then updated during the qualitative and quantitative risk analysis. During the risk response planning process, appropriate risk response options are selected, approved, and included in the risk register. The risk register should be compiled in such a way that its level of detail is consistent with the ranking of priorities and planned actions to respond to risks. Typically, high and medium priority risks are described in detail. Risks that are assigned a low priority level are included in the list for periodic monitoring. Elements of the risk register in this area may include:

Identified risks, their descriptions, project areas for which
they affect (for example, a WBS element), the causes of risks (for example,
ISRs component) and how they can affect the goals of the project

Persons responsible for the risks, their responsibility

Qualitative and quantitative analysis outputs, including a list of risks
project, ordered by priority, and probabilistic analysis of the project

Agreed Risk Response Strategies

Specific actions required to apply the chosen strategy
response

Symptoms and signs of risk

The budget and schedule activities required to complete the selected
ways to respond to risks

Temporary and budgetary reserves for unforeseen circumstances,
designed to ensure risk tolerance of project participants

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition

Chapter 11 - Project Risk Management

Contingency plans and conditions
at which they are put into action

Backup plans used as a response to
the occurrence of a risk if the initial response to the risk
turned out to be inadequate

Residual risks remaining after the planned risk response, and
also those that were taken consciously

Secondary risks arising from the application of response to
risks

Contingency reserves calculated on the basis of
project quantification data and organizational risk thresholds.

.2 Project Management Plan (Updates)

The project management plan is updated as planned risk response activities are added that pass the test and are arranged in a certain order in the process. general management changes (Section 4.6). Overall change control is performed as part of the Project Execution Direction and Control process (Section 4.4) to ensure that execution and control of approved activities are part of the current project. Once risk response strategies have been approved, they should be fed back to the appropriate processes from other knowledge areas, including budget and schedule.

.3 Contractual arrangements relating to risks

In order to clearly define the responsibility of each of the parties in the event of each individual risk, contractual agreements are drawn up (for example, insurance contracts, service contracts, etc.).

11.6 Monitoring and control risks

The planned risk response activities (Section 11.5) included in the project management plan are performed during the life cycle of the project, however, project activities should be continuously monitored and controlled for new and changed risks.

Risk monitoring and management (Section 4.4) is the process of identifying, analyzing and planning for newly emerging risks, tracking identified risks and those on the watch list, and reviewing and executing risk response operations and evaluating their effectiveness. The risk monitoring and management process uses a variety of techniques, such as trend and variance analysis, which require performance data collected during project execution. Monitoring and managing risks, as well as other risk management processes, are continuous process occurring throughout the life cycle of the project. Other objectives of the monitoring and risk management process are to be determined if:

Design Assumptions Still Valid

Trend analysis showed that since the initial assessment, the state
risk has changed

Management policies and procedures are properly implemented
risks

Cost and schedule reserves must be updated at the same time as
changes in project risks.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition
264 ©2004 Project Management Institute, Four Campus Boulevard, Newtown Square, PA USA

Monitoring and managing risk may include selecting alternative strategies, implementing a contingency and back-up plan, taking corrective actions, and updating the project management plan. The risk responder should report periodically to the project manager on the effectiveness of the plan, any unforeseen effects and adjustments necessary to properly manage the risk. Monitoring and managing risk also includes updating organizational process assets (Section 4.1.1.4), including project knowledge bases and risk management templates that will be needed for future projects.

Performance of work" href="/text/category/vipolnenie_rabot/" rel="bookmark"> performance of project work, for example, the results of analyzes that could affect the risk management process.

11.6.2 Monitoring and risk management: tools and methods

.1 Risk review

In the process of monitoring and managing risks, it is often necessary to identify new risks and to revise known risks using the processes described in this chapter. Risk reviews should be carried out regularly, according to a schedule. Project risk management should be one of the agenda items for all project team meetings. The volume and level of detail of repetitions depend on the progress of the project in relation to the set goals. For example, if a risk arises that is not on the risk register or on the list of risks to watch, or if its impact on the project objective is different from what is expected, then planned risk response activities may not be sufficient. In this case, risk management will require additional risk response planning.

.2 Risk audit

Risk audit involves studying and documenting the results of assessing the effectiveness of risk response measures related to identified risks, studying the root causes of their occurrence, as well as assessing the effectiveness of the risk management process.

.3 Analysis of deviations and trends

Trends during project execution are subject to validation using progress data. Earned value analysis (Section 7.3.2.4) and other methods of analyzing project variances and trends can be used to monitor overall project performance. Based on the outputs of these analyzes, it is possible to predict the potential deviations of the project at the time of its completion in terms of cost and schedule. Deviations from the baseline may indicate consequences caused by threats or opportunities.

.4 Technical measurement of performance

In the technical measurement of performance, the technical results obtained during the implementation of the project are compared with the planned ones. Deviations such as greater or lesser functionality in relation to those planned at the time of the milestone, contribute to facilitating the forecasting of the degree of success in achieving the objectives of the project scope.

.5 Reserve analysis

During project execution, risks may arise that have a positive or negative impact on the budget or on contingency reserves (Section 11.5.2.4). The analysis of reserves to determine the adequacy of the reserve balance compares the amount of remaining reserves for contingencies with the number of remaining risks as at any point in time during the project implementation process.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition
266 ©2004 Project Management Institute, Four Campus Boulevard, Newtown Square, PA USA

.6 Status Meetings

Project risk management can be one of the agenda items for periodic status meetings. Depending on the identified risks, their prioritization and the difficulty of responding, this agenda item may be time-consuming or not required at all. The more often risk management is applied, the easier it is to manage, and frequent discussions about risk make conversations about risks, especially threats, easier and more accurate.

11.6.3 Monitoring and risk management: outputs

.1 Risk register (updates)

The updated risk register includes the following:

Results of risk review, risk audit and periodic review
risks. These results may include updates on probability,
consequences, priorities, response plans, responsibility for risks and
other elements of the risk register. As a result, you can also
consider closed risks that are no longer applicable.

The actual results of project risks and the results of response to
risks that can help project managers in shaping
risk plans throughout the organization, as well as when planning future
projects. This concludes the risk management document, which
becomes an input to the project close process (Section 4.7) and part of
project closing documentation.

The use of contingency plans or workarounds often results in the need to change the project management plan in response to risk. Requested changes are prepared and submitted to the Integrated Change Control process (Section 4.6) as an output of the Monitoring and Risk Management process. Approved change requests are documented and become inputs to the project management and control process (Section 4.4) and the monitoring and risk management process.

Recommended corrective actions include contingency plans and workaround plans. The latter are not originally planned risk responses, but are necessary to manage risks that have not previously been identified or have been passively accepted. Workarounds should be properly documented and included in the process for directing and managing project execution (Section 4.4) and in the process for monitoring and controlling project work (Section 4.5). Recommended corrective actions are inputs to the Integrated Change Control process (Section 4.6).

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition

Chapter 11 - Project Risk Management

.5 Organizational Process Assets (Updates)

The six project risk management processes provide information that can be used in future projects and should be part of the organizational process assets (Section 4.1.1.4). At the end of the project, the risk management plan templates (including the probability and impact matrix) and the risk register can be updated. Risks can be documented and the resource hierarchy updated. The knowledge accumulated as a result of project risk management activities can take its place in the organization's accumulated knowledge database. You can also add information to your organization's databases about actual cost and duration of project activities. Organizational process assets also include the final version of the risk register, risk management plan templates, checklists, and risk breakdown structures.

.6 Project Management Plan (Updates)

If approved change requests affect risk management processes, then the relevant parts of the project management plan should be updated and a new version prepared to reflect these approved changes.

Management to vault knowledge on management projects (ManagementPMBOK® ) Third Edition
268 ©2004 Project Management Institute, Four Campus Boulevard, Newtown Square, PA USA

The analysis of project risks begins with their classification and identification, that is, with their qualitative description and definition - what types of risks are inherent in a particular project in a given environment under existing economic, political, legal conditions.

Risk analysis - procedures for identifying risk factors and assessing their significance, in fact, an analysis of the likelihood that certain undesirable events will occur and adversely affect the achievement of project objectives. Risk analysis includes risk assessment and methods for reducing risks or reducing the adverse effects associated with them.

Risk assessment is a quantitative or qualitative determination of the magnitude (degree) of risks.

Project risk analysis is subdivided into qualitative (description of all expected risks of the project, as well as a cost estimate of their consequences and mitigation measures) and quantitative (direct calculations of changes in project efficiency due to risks).

The analysis of project risks is based on risk assessments, which consist in determining the magnitude (degree) of risks. Methods for determining the criterion for quantitative risk assessment include:

· statistical evaluation methods based on the methods of mathematical statistics, i.e. dispersion, standard deviation, coefficient of variation. To apply these methods, a sufficiently large amount of initial data and observations is required;
methods of expert assessments based on the use of expert knowledge in the process
analysis of the project and taking into account the influence of qualitative factors;
· methods of analogies based on the analysis of similar projects and the conditions for their implementation to calculate the probabilities of losses. These methods are used when there is a representative basis for analysis and other methods are unacceptable or less reliable, these methods are widely practiced in the West, since in the practice of project management, project evaluations are practiced after their completion and significant material is accumulated for subsequent use;
Combined methods include the use of several methods at once.

Methods for constructing complex probability distributions (decision trees), analytical methods (sensitivity analysis, break-even point analysis, etc.), and scenario analysis are also used.

Risk analysis is the most important stage in the analysis of an investment project. As part of the analysis, the problem of reconciling two practically opposite aspirations is solved - profit maximization and project risk minimization.

The result of the risk analysis should be a special section of the business plan of the project, including a description of the risks, the mechanism of their interaction and the cumulative effect, measures to protect against risks, the interests of all parties in overcoming the danger of risks; assessment of the risk analysis procedures performed by the experts, as well as the initial data used by them; description of the structure of risk distribution between project participants under the contract, indicating envisaged compensation for losses, professional insurance payments, debt obligations, etc.; recommendations on those aspects of risks that require special measures or conditions in the insurance policy.

One of the areas of investment project risk analysis is a qualitative analysis or risk identification.

A qualitative analysis of project risks is carried out at the stage of developing a business plan, and a mandatory comprehensive examination of an investment project allows preparing extensive information for analyzing its risks.

The first step in risk identification is to specify the risk classification in relation to the project being developed.

In the theory of risks, the concepts of a factor (cause), type of risk and type of loss (damage) from the occurrence of risk events are distinguished.

Risk factors (causes) are understood as such unplanned events that can potentially come true and have a deviating effect on the intended course of the project, or some conditions that cause uncertainty in the outcome of the situation. At the same time, some of these events could have been foreseen, while others could not have been predicted.

The type of risks is the classification of risk events for the same type of reasons for their occurrence.

Type of loss, damage - classification of the results of the implementation of risk events.

Risk analysis is carried out in terms of:

sources, causes of this type of risks;
probable negative consequences caused by the possible realization of this risk;
specific predictable measures to minimize the risk under consideration.

On fig. 1. The relationship between project risks and the projected profit from its implementation is illustrated.

Rice. one.

The higher the risk of the project, the lower the level of expected profit.

The main results of a qualitative risk analysis are:

Identification of specific risks of the project and their causes;
· Analysis and cost equivalent of the hypothetical consequences of the possible implementation of the noted risks;
Proposal of measures to minimize damage and, finally, their cost estimate.

In addition, at this stage, the boundary values (minimum and maximum) of a possible change in all factors (variables) of the project, checked for risks, are determined.

The mathematical apparatus of risk analysis is based on the methods of probability theory, which is due to the probabilistic nature of uncertainty and risks. The tasks of quantitative risk analysis are divided into three types:

straight lines, in which the risk level is assessed on the basis of a priori known probabilistic information;
· inverse, when an acceptable risk level is set and the values (range of values) of the initial parameters are determined, taking into account the restrictions imposed on one or more variable initial parameters;
· tasks of research of sensitivity, stability of effective, criterion indicators in relation to variation of initial parameters (probability distribution, areas of change of these or those values, etc.).

This is necessary due to the inevitable inaccuracy of the initial information and reflects the degree of reliability of the results obtained in the analysis of project risks.

The development of a business plan is not limited to calculations of future income and expenses. At various stages of work - from the appearance of the initial idea to the analysis of the final results - it is necessary to calculate the possible risks of the investment project, which will allow them to be leveled to an acceptable level for the company. Existing Methods risk identification and analysis can be conditionally divided into three groups

Qualitative methods make it possible mainly to carry out a logical analysis of possible events and their consequences (see Table 1). Them strong point is that they are applicable already at the earliest stages of project development, from the moment the concept is created. The main drawback is the inability to rank risks based on any methodology. Of course, the ranking can be carried out intuitively by the analyst and expressed in the fact that he will pay more attention to the analysis of some risks than others.

QUALITATIVE RISK ANALYSIS METHODS Table 1

		Comment
analogy method	It involves a comparison of a number of signs of a planned project with previously conducted projects	Requires historical information and a clear understanding of its applicability to a particular situation
Due Diligence	It involves the collection and detailed study of information about the proposed counterparty or the place of the project	Requires significant managerial will from management as it often involves information and external service costs, as well as longer lead times
Causal Analysis	It involves the heuristic identification of risk events, a formal logical analysis of their possible causes and the development of anti-risk measures	Applicable at the earliest stages of project analysis. Allows you to critically consider decisions taken, stimulates the search for options and "improving the reliability of the project" in general
Event-consequence method (HAZOR, Hazard and Operability Research)	It involves dividing the project (system) into elements, determining their results and identifying risks using a special algorithm and a set of keywords	Applicable to identifying, in principle, any specific risks. Very laborious

Quantitative-qualitative methods are based on the use of expert assessments, expressed either in points or in categories, such as "moderate", "significant", "acceptable" (see Table 2). A strong point is the introduction of priorities in qualitative analysis. Disadvantage - "tendency to discretization", the result of the analysis is either an order of preferences, or a judgment about belonging to any category.

QUANTITATIVE AND QUALITATIVE METHODS OF RISK ANALYSIS Table 2

		Comment
Expert Additive Models	It involves determining the composition of the evaluation parameters, their weighting coefficients and evaluating one or more projects using a weighted amount, based on the value of which a decision is made on the degree of risk	Let's apply already at a stage of development of the concept of the project. Allows you to rank and select projects and their options at an early stage of analysis
Risk Profile, Risk Chart	It involves project risk assessments for a number of parameters and their reflection on a group of appropriate scales. The scales can be parallel or form a ray diagram. As a result of the graphic connection of the obtained estimates, a “profile” is obtained, which is compared with an “acceptable” or “reference” profile	It is a tool for visualizing the risk structure of a project and formally assessing whether the project complies with the organization's risk policy. Requires that this policy in the organization actually exists, in which case it is a mandatory tool to use
Risk map	It involves positioning the project in various risk coordinates and developing an appropriate risk management policy in the project	Similarly

Quantitative methods give not point, but interval and probabilistic estimates of project parameters, in particular, its effectiveness (see Table 3). This is their absolute advantage. However, if they are not based on qualitative analysis, their application may amount to a formal manipulation of numbers, which can be misleading.

QUANTITATIVE METHODS FOR RISK ANALYSIS Table 3

Projects are carried out in conditions of uncertainty.

Beneath the uncertainty the incompleteness or inaccuracy of information about the prerequisites, conditions or consequences of the project, including the associated costs and results, is understood.

Its causes can be: ignorance, chance and opposition.

Uncertainty leads to risks and corresponding consequences.

Risk(as the dictionary defines it) is the possibility or likelihood of danger, loss, or other adverse consequences.

The PMBOK project management standard and other standards give slightly different definitions.

The risk is:

- an uncertain event or condition that, if it occurs, positively or negatively affects the project;

– a combination of the likelihood (qualitative or quantitative) that the project will experience undesirable events such as cost overruns, schedule delays, security lapses, or failure to achieve a required technological breakthrough;

– consequences (impacts or problems) if an undesirable event occurs;

– the possibility of creating a loss.

The main risk characteristics are as follows:

♦ the risk is situational (there is no consensus on how to reduce the risk or avoid it);

♦ risks are interconnected (one risk event may lead to others);

♦ the degree of risk is relative (the more significant the end result, the greater the risk is acceptable);

♦ the significance of the risk is subjective:

a) individual attitude to risk;

b) attitude to risk at the corporate level;

♦ risk is a function of time (risk always refers to the future tense), time affects risk assessment;

♦ risk can be controlled.

There are two types of risk - static and dynamic. Static Risk corresponds to "pure" uncertainty, therefore it is called "pure risk", and dynamic risk- "speculative uncertainty" and has another name "speculative risk".

Net risk is the probability of irreversible loss of assets due to irreparable damage to an economic entity caused by unforeseen changes in numerous factors of the external and internal environment. Speculative risk is associated with the occurrence of unforeseen changes in the value of the object under consideration under the influence of environmental factors, as well as inadequate management decisions.

By area of risk, there are:

♦ project risks: factors that may lead to project failure;

♦ business risks: The impact on the organization if the project fails.

Project management implies not only a statement of the fact of the presence of uncertainty, risk, their analysis, but also risk management.

Project risk management- a set of methods for analyzing and neutralizing risk factors, including processes that ensure the identification, analysis, risk planning, development of responses and control throughout the entire life cycle of the project.

The objectives of project risk management are to increase the likelihood and impact of positive events and reduce the likelihood and impact of negative events on project outcomes and objectives.

The main stages of the risk management process are shown in fig. 5.5.

Rice. 5.5 Steps in the risk management process

Let us consider in more detail the stages of the risk management process.

1. In progress risk management planning a single approach to risk management is developed and fixed for the entire team.

Risk Management Plan should describe the procedures that will be used to manage risk during project execution.

In addition to documenting the results of the risk identification processes, the plan should address:

– responsibility for management in various areas of risk;

– procedures for monitoring project risks;

– distribution of the probability and impact of risks over the life cycle of the project;

– risk “containment” strategy;

– strategy costs;

- schedule of events.

Risk Management Plan can be formal or informal, detailed or general, according to the needs of the project, i.e. this plan is part of the overall project plan.

Thus, the result of the process is risk management plan, which does not yet list specific risks and actions to manage them, but only stipulates the rules that will be applied in the rest of the risk management processes.

2. Purpose of the process risk identification – identify risks , that may affect the project and document their characteristics.

As a result, a risk register appears, which is not only a list of risks, but also Additional information on them (on the magnitude of the risk, risk owners, possible response measures, etc.).

The composition of the parameters characterizing the risk and reflected in the register is determined in the Risk Management Plan.

Risk identification- not a one-time action, it should be carried out periodically during the project.

To identify project risks, there are various methods and tools:

Review and analysis of all existing documentation;

Collection of additional data;

Brainstorm;

Interviewing based on a (non)standard questionnaire;

SWOT analysis;

Graphical methods - for example, "Ishikawa diagram".

As a result of the process risk identification the project team should receive:

List of risks;

List of alarm signals ("triggers").

3. A process is applied to prioritize identified risks. qualitative risk analysis .

The list of risks, grouped by priority, is used further for quantitative risk analysis and for identifying risks that require the development of a response plan.

The result of the entire risk management process is a risk register, which is updated with data from a qualitative risk analysis.

A qualitative risk analysis should ultimately lead to the following results (Fig. 5.6).

Rice. 5.6 Ratio of levels of expected profit and risk of the project

4. Quantitative Analysis considers risks that, in the process of qualitative risk analysis, have been qualified as potentially or currently significantly affecting to achieve the goals of the project.

Quantitative risk analysis is performed:

To determine the possible options for completing the project and the degree of their probability;

assessment of the likelihood of achieving specific project goals;

identifying the risks that require the most attention by quantifying their relative contribution to the overall risk of the project;

setting realistic and achievable cost, schedule or scope targets, taking into account the risks of the project;

· determining the best project management solution in a situation where some conditions or outputs are left undefined.

5. After assessing the importance of risks, it is necessary to develop response methods on them. One of the methods is risk response planning .Its purpose is to develop measures that need to be taken to increase the likelihood and impact on the project of positive risks and reduce the likelihood and impact on the project of negative risks.

The main output is a risk register, complemented by selected ways to respond to risks.

For each risk, a responsible person is appointed who will carry out the planned activities.

Monitoring the implementation of the risk response plan and assessing its effectiveness should be carried out throughout the life cycle of the project.

6. Risk monitoring and control (control) behind them .

Once a response method has been chosen, it is important to control its implementation through monitoring, as well as to monitor the emergence of new risks. If the risk has occurred, the project team should identify this event and apply planned impact. Risk management strategies are developed to reduce or prevent risks.

Risk Management Strategies:

risk aversion - this is the choice of such a design solution from possible alternatives, which almost completely eliminates the occurrence of a risk event. This strategy includes actions to change technical solutions or an alternative way of implementing the project that does not have this risk;

risk transfer. The risks are transferred to another party (usually for a fee). They are reflected in the contract documentation (to assign responsibility associated with the risk to the customer or another party involved in the project) or transferred to a third party not involved in the project (insurance);

risk reduction (reduction of impact and/or consequences). To reduce the risk, measures are taken to reduce the likelihood and / or unpleasant consequences from the occurrence of a risk event to an acceptable level. Such activities include the preparation of alternative work plans, additional testing, duplication of suppliers, invitation of experts, additional training of project participants, etc.;

risk taking - this is the recognition of the existence of risk and the rejection of active countermeasures because of their impossibility or inappropriateness. The adoption of this strategy assumes in the future only monitoring the situation for the timely detection of changes in the threat level (based on "triggers"). When choosing this strategy, it is necessary to prepare a "RE-active plan".