introduction
Control Risks is the process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project.
The key benefit of this process is that it improves efficiency of the risk approach throughout the project life cycle to continuously optimize risk responses.
Control Risk Actions
Actions involved at process control risk :
- look at occurrence of risk trigger
- monitor residual risk
- identify new risk (secondary risk)
- evaluate effectiveness of risk management plan
- develop new risk response if old one is NOT effective
- collect and communicate risk status
- communicate with stakeholder about coming soon risk
- determine if assumptions are still valid
- re-visit watch list to see if new risk response need to be determine
- re-evaluate risk identification , qualitative and risk quantitative if project deviate from project baseline
- look at change to see if they are leading to new risk identification
- update project management plan and project documents based on risk result
- use contingency reserve and management reserve
Risk Register update
Risk Register update during risk control process :
- outcome of risk assessment and risk audit
- result of implementing risk response
- closing risk that NO longer applicable
- detail what happen when risk occurred
- lesson learned
Common Mistakes at Risk Management :
Common Mistakes at Risk Management include the following but NOT limited to : :
- risk identification is completed without knowing enough about project
- project risk is evaluating only using questionnaire , interview , expert which does NOT expose some deep risks
- padding is used rather than using real risk management process
- risk identification finished too soon , only list of 20 risk is enough rather than hundreds
- identified risk is general word rather than specific (communication rather than poor communication )
- some issues considered to be risk are NOT uncertain , its fact NOT risk
- only one method used to plan response
- risk management is NOT given enough attention
- project manager don’t explain risk management to team during project planning phase
Process Inputs - Techniques - Outputs
Inputs
- pm plan
- risk register
- work performance data
- work performance reports
Techniques
- risk assessment
- risk audit
- variance and trend analysis
- technical performance measurement
- reserve analysis
- meeting
Outputs
- work performance information
- change request
- update PM plan
- update Project documents
- Update OPA
Process Inputs
Monitor Risks: Inputs
Project Management Plan
The risk management plan is the component that is mainly used as an input. This will give guidance on
- how often risks should be reviewed
- which policies and procedures for the organization should be followed when doing the review
- the roles and responsibilities of the people doing the monitoring process
- formats for reporting the results of the process (with risk reports)
Project Documents
Here are the project documents considered as inputs for the process.
- Issue log–this will be used to see if there are any open issues that have been updated which may affect the risk register
- Lessons learned register–lessons related to risk that were recorded earlier in the project will be reviewed to see if they apply to later phases in the project.
- Risk register–the key inputs will include
- identified individual project risks
- risk owners
- agreed-upon risk responses
- specific risk response implementation actions
- control actions for assessing the effectiveness of the risk respones plans
- symptoms and warning signs of risk
- residual and secondary risks
- watch-list of low-priority risks
- Risk report–assessment of the current overall project risk exposure as well as the agreed-upon risk response strategy, as well as the major individual risks with planned responses and risk owners.
Work Performance Data
This contains data related to risk such as:
- risk responses that have been implemented
- risks that have occurred
- risks that are active
- risks that have been closed out (because the risks associated with certain project activities did not occur)
Work Performance Reports
Information from performance measurements can be analyzed to provide project work performance information such as:
- Variance analysis
- Earned value data
- Forecasting data
Process - Techniques
Monitor Risks: Tools and Techniques
Data Analysis
- Technical performance analysis–technical performance measures such as weight of the item being produced, transaction times, number of delivered defects, storage capacity, etc. (depending on the type of project) can be analyzed to see if there is deviation, which can indicate the possible existence of underlying risk.
- Reserve analysis–reserve analysis compares the amount of contingency reserves remaining to the amount of risk remaining at any time in the project in order to determine if the remaining reserve is adequate. So this is monitoring risk not directly, but indirectly through the contingency reserves which are used to pay for risk responses. If risks do not occur, then the contingency reserves which were meant to pay for those risks can go back into the “pool” of reserves and strengthen this ratio.
Risk Audits
- Risk audits consider the effectiveness of the risk management process. Although the project manager is responsible for ensuring that risk audits are performed, PMI suggests that risk audit meetings be held separately from the risk review meetings in order to separate the “quality control” (focusing on the results) vs. the “quality assurance” (focusing on the process) aspects of risk management.
- The format for the risk audit needs to be defined in the risk management plan before the audit is conducted. The “quality control” part of the risk review is reviewing the effectiveness of the risk responses themselves, and this is done as part of the risk review meetings (see paragraph below).
Meetings
meetings should discuss the following topics:
- Documenting the effectiveness of risk responses in dealing with overall project risk and identified individual project risks
- Identification of new individual project risks (including secondary risks that arise from agreed-upon risk responses)
- Reassessment of current risks (are they are any risks on the watch list, for example, that have increased in either probability and/or impact such that they now merit a risk response)
- Closing of risks that are outdated (and return of the contingency funds for the associated risk responses to the overall contingency reserve)
- Issues that have arisen as the result of risks that have occurred
- Identification of lessons to be learned for implementation in ongoing phases of hte current project
Process - Outputs
Monitor Risks: Outputs
Work Performance Information
- The risk register is reviewed and any changes to the previously agreed-upon risk responses for individual project risks are noted.
- These changes are reviewed to indicate the effectiveness of the response planning and response implementation processes
- Any changes in either the planning or the implementation should be made through a change request
Change Requests
- The process of reviewing the risk register may result in changes to risk response planning and/or the implementation of those risk responses.
- If these changes in turn require changes to the cost and/or schedule baseline (to account for the additional cost and/or time required to implemented those changed responses), then all of these changes need to be made through a change request.
- These changes may be made with respect to individual project risks or to address the current level of overall project risk.
- These requests are sent to the Perform Integrated Change Control process in order to make the decision to accept or reject them.
- If rejected, they go into the change log with the reasons for the rejection.
- If they are accepted, then the changes are made to the project management plan
Project Management Plan Updates
- If the change requests mentioned in the last paragraph are accepted, the project management plan is updated accordingly, especially if the changed risk responses require changes to the cost and/or schedule baseline
- The changed risk responses themselves will be recorded in the risk register
Project Document Updates
- Assumption log–in the process of monitoring risks, new assumptions may be uncovered, and existing assumptions may be revisited and changed. The assumption log is updated with this new information.
- Issue log–issues uncovered in the process of monitoring risks, usually related not to the contents of the risks themselves but in the handling of those risks, are recorded in the issue log.
- Lessons learned register–if there are lessons learned as a result of the risk reviews done in this process, then these are recorded in the register so that they can be used on later phases of the project.
- Risk register–the following are changes that might be made as a result of the Monitor Risks process:
- Adding new risks that were not picked up during the original risk assessment but were noticed during the review
- Updating outdated risks, so that if a risk triggered by a particular activity or task does not occur, then this risk can be considered outdated or obsolete. This is important because the contingency reserve for the risk response associated with that risk may now be returned to the project budget, since it is now no longer needed for the outdated risk.
- Updating risks that were realized to compare the amount of money actually spent with the amount put aside from the contingency reserve to pay for the response. Besides reviewing the contingency reserve for those responses, the actual risk response needs to be reviewed to compare it with the expectation of how it should have occurred. This may indicate that the effectiveness of the response planning and/or response implemtnation process needs to be changed.
- Monitoring the risks on the “watch list” (those with low impact/low probability) to see if any of them need to be taken off the watch list, i.e., if their impact and/or probability has increased to the point where you need to add a risk response to account for them.
- Risk report–another important part of the Monitor Risk process is letting the shareholders know what is going on with respect to risk. This is done through the risk report, which is updated with the following based on the results of this process:
- Current status of major individual project risks, including details of the top individual project risks, the agreed-upon risk responses and risk owners for those risks
- Current level of overall project risks
- Conclusions and recommendations for changes to the risk responses themselves
- Conclusions from risk audits on the effectiveness of the risk management process
Organizational Process Assets Updates
The Monitor Risks process may result in changes to the following organizational process assets:
- Templates for the risk management plan, risk register, and risk report
- Risk breakdown structure (shows the source of risk on the project by category)
