UNIVERSITY OF JOHANNESBURG

RISK MANAGEMENT MODELS FOR USE BY THE PROJECT MANAGER

A research paper submitted in partial fulfilment of the requirements for the subject PJB4088 – Project Management at the UNIVERSITY OF JOHANNESBURG

Student Name: Lusanda Njenge
Student Number: 201109115
Date: 15th October 2012

Table of Contents

ABSTRACT
1. INTRODUCTION
2. LITERATURE REVIEW
2.1 What is a Risk
2.2 Risk Management
3. RISK MANAGEMENT MODELS
3.1 Risk Cube
3.2 Risk Burndown Chart
3.3 GANTT Chart and Milestone Chart
3.4 PERT or CPM
3.5 PRA
3.6 SWOT Analysis
3.7 GAP Analysis
3.8 Value Chain Analysis
3.9 FMEA or FMECA
3.10 Decision Tree Analysis
3.11 Sensitivity Analysis
3.12 Monte Carlo Simulation
3.13 Other Risk Management Models
4. FINDINGS AND RECOMMENDATIONS
5. CONCLUSION
BIBLIOGRAPHY

ABSTRACT

Risk management models are tools that are used to manage project risk, whether the risk is technical, organisational, schedule, cost, etc. Various models are available to the project manager, although most are generic in nature and require the project manager to have prior knowledge of past failure trends in order to make a more informed decision.
In order to achieve more accurate results, a project manager can tailor-make a risk management model to suit his specific project.

1. INTRODUCTION

Projects, by their very nature, involve risks because they are unique. Risk has two components, namely probability and consequence. The aim of risk management is to reduce the probability of the risk occurring and to put safety measures in place so that the consequence of the risk is minimal. The aim of this paper is to investigate risk management models available to the project manager. Risk management models are tools that have been developed to manage project risks.
They help the project manager to evaluate the risks at hand and make appropriate decisions. There are a vast number of risk management models to address the different types of risk. The paper starts off with a literature review, which defines risk, discusses different categories of project risk, and discusses the meaning and method of risk management. The paper then continues to discuss different risk management models and some of their shortcomings. Due to the large number of risk management models, this paper is by no means exhaustive of the subject.
It discusses mainly the generic models that are available, and it acknowledges that the best models are ones that are tailor-made for a specific project.

2. LITERATURE REVIEW

2.1 What is a Risk

A risk is defined as the likelihood and effect of not achieving a set project goal. In project management, risk can be categorised using the Risk Breakdown Structure (RBS). According to the Project Management Body of Knowledge (PMBOK), a project can have technical risks, external risks, organizational risks, and project management risks, as can be seen in Figure 2.1.

Project

| Technical | External | Organizational | Project Management |
|---|---|---|---|
| Requirements | Subcontractors and Suppliers | Project Dependencies | Estimating |
| Technology | Regulatory | Resources | Planning |
| Complexity and Interfaces | Market | Funding | Controlling |
| Performances and Reliability | Customer | Prioritization | Communication |
| Quality | Weather | | |

Figure 2.1: Example of a Risk Breakdown Structure components

Project risk can also be broken down into three components, namely schedule risk, cost risk and scope risk. These three components make up the so-called triple constraints. As the definition implies, risk involves both probability and consequence. The goal in project management is to reduce the probability as well as the impact of the risk by identifying hazards and putting safety measures in place.

2.2 Risk Management

Risk management is “the systematic process of identifying, analyzing, and responding to project risk”.
Risk is managed using seven subprocesses, namely (1) risk management planning, (2) risk identification, (3) qualitative risk analysis, (4) quantitative risk analysis, (5) risk response planning, (6) risk monitoring and control, and (7) the risk management register. Risk management planning entails planning a strategy to manage risk in the project. Risk identification is done to recognize the risks that the project can encounter and to document them. A qualitative risk analysis is done to prioritise the risk’s influence on project goals.
A quantitative risk analysis is done to approximate the likelihood and effect of risk and their impact on the project. Risk response planning is done in order to develop methods to decrease threats and increase the chances of project success. Project monitoring and control is done to identify new risks, carry out risk reduction plans and monitor their effectiveness. The risk management register is a permanent documentation of identified risks and methods that were used to alleviate or remove them. As implied by the seven risk management subprocesses, risk management is more than just identification of risks.
It also involves coming up with strategies to resolve the risk.

3. RISK MANAGEMENT MODELS

Certain tools or models have been developed to help the project manager to decide what to do for certain types of risks. Examples of risk management models are the risk cube, the Risk Burndown Chart, GANTT chart, Milestone chart, Program Evaluation and Review Technique (PERT) or Critical Path Method (CPM), Probabilistic Risk Assessment (PRA), SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis, GAP analysis, Value Chain analysis, Failure Mode and Effect Analysis (FMEA), Decision Tree Analysis, and Monte Carlo Simulation.
Risk management software such as Active Risk Manager, Risk Matrix, and Risk+ is also used. Risk management models are not applied universally across all types of risks. Certain models are meant for certain types of risks and the project manager should use previous experience and good judgement in using the models. This is one of the shortfalls of risk management models because different people can interpret the same thing differently.

3.1 Risk Cube

A risk cube helps the project manager to make a decision based on the probability of the risk as well as the consequence.
Depending on these two factors, the project risk can be green (low risk), yellow (medium risk), or red (high risk). This model can be used with almost any type of risk. The shortfall of such a model is that a factor such as consequence depends on the judgement of the project manager and can differ from one person to another. A risk cube is illustrated in Figure 3.1.

Figure 3.1: A risk cube

3.2 Risk Burndown Chart

A Burndown Chart compares the actual progress against the planned reduction of risk exposure.

Figure 3.2: A Risk Burndown Chart

3.3 GANTT Chart and Milestone Chart

These charts are used to manage schedule risk. Also known as bar charts, they show activity start and end times and their length. An example is illustrated in the Summary Schedule section of Figure 3.3. Similar to GANTT charts are Milestone charts. Instead of showing all activities, these charts only show the main deliverables and important external interfaces. A Milestone chart is illustrated in the Milestone Schedule section of Figure 3.3.

Figure 3.3: GANTT chart and Milestone Chart

3.4 PERT or CPM

PERT is a tool used to manage schedule.
It looks at project milestones, their sequence, their start and completion times and is used to find the best path to follow to complete the project in time. An example of a PERT chart can be seen in Figure 3.4. The advantage of this method is that it makes it easy to find the critical path, and the dependencies and sequence of events can be clearly seen. However, this method can fall short if the network and interdependencies of the activities are too complex.

Figure 3.4: Example of PERT

The disadvantage of GANTT, PERT, and CPM is that they do not take into account the coordination and communication overhead.
These models embody sequential interdependencies and therefore cannot perform well when activities occur concurrently. The consequence is that these models are overly optimistic.

3.5 PRA

Probabilistic Risk Assessment is used mainly in complex engineering projects to evaluate risks. It asks probing questions such as: What can go wrong? What is the severity of the consequences? What is the probability of the occurrence of the consequences? Event Tree analysis, Fault Tree analysis, Human Reliability analysis and Monte Carlo Simulation are used to accomplish the PRA. The result of the PRA is a numeric value.
The PRA method is not perfect. It assumes a sequence of events, which means that it does not take into consideration unexpected failures that do not occur in a certain order. Sometimes in complex systems failures do not occur because of a sequential chain of events. This method is also not good at predicting common-cause failures. In addition, since Human Reliability analysis forms part of PRA, more uncertainty is introduced since there can be no accurate model predicting human behaviour. This necessitates that a project manager considers the actual historical risk before making decisions based on the PRA numbers.

3.6 SWOT Analysis

This technique examines risk by looking at the strengths, weaknesses, opportunities and threats of a project.

3.7 GAP Analysis

This analysis uses two axes and four quadrants. The labelling of the axes is not limited, and can be anything that the project manager wishes to investigate. The project manager fills in each quadrant according to occurrence of a variable, with a dot that is of proportional size. Any gap in a quadrant or an over-population can either indicate an opportunity or a threat. An illustration of this analysis can be observed in Figure 3.5.

Figure 3.5: GAP Analysis

3.8 Value Chain Analysis

Value chain analysis is done to assess the value added to the customer by the business or project functions.

Figure 3.6: Value Chain Analysis

3.9 FMEA or FMECA

This method of failure analysis looks at historical failure data to identify potential failure modes. This information is incorporated into new product designs in order to improve their reliability. This model addresses technical risks and is used by product development teams, system engineering teams, reliability engineering teams and operations managers.

3.10 Decision Tree Analysis
This analysis is done using a decision tree diagram, which is illustrated in Figure 3.7. Each diagram shows a number of possible paths and the implications of each decision made. The financial implications of each decision are also shown in the diagram, which gives the expected monetary value (EMV) of each choice.

Figure 3.7: Decision Tree Diagram

3.11 Sensitivity Analysis

This analysis is done using tools like the tornado diagram. It examines different risks for the project to determine which one affects the project the most. Appropriate and prioritised action can then be taken by the project manager.

3.12 Monte Carlo Simulation

This is a computer simulation which uses numerous iterations with random variables. It can be used in project cost or project schedule to calculate a distribution of the total cost and project end date.

3.13 Other Risk Management Models

Many companies create their own risk management models in order to suit their specific needs instead of using the traditional generic models. For example, CalTOX is a model used by the California Department of Toxic Substances Control to evaluate the risk waste introduces to the environment. DREAD is a model used by Microsoft to evaluate computer security risks.

4. FINDINGS AND RECOMMENDATIONS

There is a large number of risk management models available to the project manager to manage many different types of risk. However, the shortcoming of most models is that their generic nature means that they don’t fit properly into all projects. For example, the PRA is a good model; however, it fails when the multiple failures are due to a common cause. Although historic knowledge of the field can help the project manager to make more informed decisions, a model that is tailor-made for that specific project would be a good alternative to the generic models that are available.

5. CONCLUSION

The paper looked at various types of project risks.
They are technical risk, external risk, organisational risk, project management risk, cost risk, schedule risk and scope risk. The project manager can use various models to manage these risks. For example, the scope risk can be managed with a Risk Matrix, the cost risk can be managed with an Expected Monetary Value analysis, schedule risk can be managed with a PERT or GANTT chart, and technical risk can be managed with FMEA. Each model is not necessarily limited to addressing one type of risk and there is no universal model for all types of risk.
It is evident, however, that most models require the project manager to have some knowledge of the historic risks of the area in which he operates because oftentimes the project manager has to make judgement calls. The project manager must therefore familiarize himself with historic trends of the project in which he operates.