Identifying and Managing Project Risk

From Wikipedia, the free encyclopedia
Jump to: navigation, search
Identifying and Managing Project Risk
Identifying and Managing Project Risk (bookcover).jpg
Hardcover edition (2009)
Author Tom Kendrick
Country United States
Language English
Genre Business, Project Management, Risk Management
Publisher American Management Association
Publication date
25 April 2003
Media type Print (Hardcover)
Pages 335 pp.
ISBN 0-8144-0761-7
OCLC 50803496
658.4/04 21
LC Class HD61 .K46 2003

Identifying and Managing Project Risk by Tom Kendrick is a book about identifying and managing risks on projects. It was published on April 25, 2003 by American Management Association. The book is geared to be used by a junior Project Manager and Kendrick aligns the chapters of the Book to the Project Management Institute's (PMI) Guide to the Project Management Body of Knowledge, (PMBOK) 2000 edition.

That being said, there is a newer edition (2009) of this book, with significant modifications that bring it up to date with the current PMBOK. Much of this article no longer applies.

This text is designed to be used as a supplemental source of information when studying for the Project Management Professional (PMP) certification exam.


Kendrick's coverage of risk, and more prominently uncertainty, is complete in a general fashion focusing a majority of his discussion on risk in projects due to poor planning and change management processes.

He uses a collection of project elements from various projects his clients have conducted. He uses this data, Project Experience Risk Information Library (PERIL) database, to quantify and rank classes of risk. In the early part of his book he uses this significantly and the Appendix lists approximately 120 of the element's descriptions.

The book is structured to follow the PMBOK stages of a project — initiation, planning, controlling, executing and closure. Each chapter discusses a set of concepts and concludes with a bulleted "Key Ideas" section and an anecdote from the two attempts to construct the Panama Canal.

Although the book is written in a very generic manner, it has a decidedly high-tech flavor. This partly because the author worked at Hewlett-Packard for twelve years.


The introductory two chapters lay the groundwork for people that are new to project or risk management. He starts with the definition of risk as the "loss multiplied by the likelihood" and expands from there. He explains that this relates to uncertainty in estimates for duration and cost. He identifies the benefits as:

  • Lowering cost and confusion
  • Prioritization and stakeholder support
  • Input for portfolio management
  • Mitigation
  • Setting expectations and establishing reserves
  • Communication and control

Project Risk Planning[edit]

Key Ideas: Project Risk Planning
Risk should be a primary driver for project selection
Project planning and definition are the foundation to controlling risk
Risk management should be maintained in a Project Risk Plan

He continues the introduction by justifying project planning and the challenges one might encounter in an organization that feels a project planning methodology is not needed. He describes ways one can address the need to set up a planning process and that the implementation should be scaled to the size of the projects being performed.

The PERIL database is described and qualified while some of the biases in it are enumerated. Within the three primary constraints on a project, the database shows the risk elements in the order of frequency of occurrence as 1) schedule, 2) scope and 3) resource. Implicitly the reader can determine the database classifies each risk with a description, Project type (IT, Product development, etc.), schedule impact, cost impact, class (scope, resource, schedule) and subcategory.

Scope Risk[edit]

Key Ideas: Scope Risk
Clearly define deliverables
Ensure the value of the deliverables exceeds the scope of work
Define a work breakdown structure small enough to ensure work is understood
Assign ownership and determine reasons any items are not accepted
Note all risks, including non-quantifiable risks due to size or complexity of project

Using the PERIL database Kendrick cites that even though the number of risks classified as scope related are one-third of the entries, they account for approximately half of the cumulative schedule delay. He enumerates the ranked sources as:

  1. Scope creep
  2. Hardware defect
  3. Software defect
  4. Scope gap (ill defined scope)
  5. Dependency change (unexpected legal, regulatory, etc.)
  6. Integration defect (change due to unexpected behavior)

Kendrick describes a variety of methods for arriving at and defining deliverables and hence defining the scope. He suggests using the "is/is not" method of bounding the scope.

Three high-level risk assessment tools are discussed — Risk Framework, Risk Complexity Index and Risk Assessment grid. Risk Framework looks at the project's technology, the market and the manufacturing effects and uses the relative change to each of these to determine the risk level of the project. Risk Complexity Index looks at the technical aspects of the project (technology, architecture and system) and generates a number from 0-99 to quantify risk. Risk Assessment creates a grid of technology, structure and size to estimate the risk.

The risk issues addressed by a work breakdown structure (WBS) are then discussed. Often considered only a project planning task Kendrick points out the uncertainty and risk introduced into a project when the WBS is not fully defined and understood. A WBS at too high a level can leave scope ill defined not allowing for proper estimates or definition of work to be performed. Often WBS elements that are defined at too high a level indicate work that is not understood and indicates significant risk due to uncertainty on the project.

Schedule risk[edit]

Key ideas: Schedule risk
Estimates with wide variations should be investigated for thorough understanding
Identify source of estimates, especially if not empirical
Identify high risk dependencies
Compare estimates to historical values looking for large variations
Pull risk forward to allow time to react
Identify all potential critical paths
Note project duration risk

Schedule is the second level of risks effecting project duration in the PERIL database. The top five (the book lists ten) categories are:

  1. Project Dependencies
  2. Parts Delays
  3. Estimation errors
  4. Decision Delay
  5. Hardware Delay

Dependency on external parties is the largest sub-categorization of schedule risk in the database (editors note: as might be expected since it is always safe to blame the other party) followed by poor estimations.

To assist in reducing these risks, Kendrick explains that the process should start with the WBS and apply estimates for effort and resources. This is an iterative process. A number of things should be kept in mind:

  • Historical data should be used where applicable.
  • Resources planning (done next) will affect these estimates so these processes will need to be iterative.
  • Be cognizant of people hesitating to give estimates, it may imply additional uncertainty.
  • If the durations are greater than two weeks they should be broken down further.
  • Make sure to incorporate holidays, vacations and other non-project time.

He summarizes a number of estimating techniques:

He spends significant time throughout the book discussing the PERT method and clearing up misconceptions on the PERT process. He explains that the PERT method of estimation generates the expected duration of a task by adding the pessimistic, optimistic and four times the most likely durations and dividing them by six. The standard deviation is determined by taking the difference of the pessimistic and optimistic durations and dividing them by six. The standard deviation is a reflection of the uncertainty in the estimates.

After determining the durations and sequencing the critical path can be determined. The Critical Path is the longest contiguous path of tasks with no lag. The easiest way to do this is by using one of the many computerized tools on the market. He cautions that an increase in critical and near-critical paths will bias or significantly increase the probability that the project will not complete by the projected time. This is due to the statistical probabilities of multiple paths causing failure.

As with many sections of the book, he provides lists of general items to use when planning.

Resource Risk[edit]

Key Ideas: Resource Risk
All skills required to finish the project must have a named resource
Do not over commit staff
Identify tasks with unreliable resource estimates
Identify all understaffed tasks
Document all outsourcing risks
Build in funding for training, equipment and travel
Determine the complete project cost

The final category of risks are the resource risks. The top five (ten are provided in the book) are:

  • Outsourcing delays
  • Lack of funds
  • Attrition of resources
  • People joining the team late
  • Scarcity of skills

When planning one must determine the skill set required and to identify and reserve the people with those skills. As with schedule sequencing he recommends a computerized tools to properly look at staff loading. The loading will need to be compared to other project's needs and resource availability. Conflicts need to be resolved and documented since this also indicates inherent risk in the project.

Outsourcing, the primary cause of resource induced delay in the database, is mitigated best by thorough planning, proper RFP (Request for Proposal) generation, a clear and succinct contract and monitoring the subcontractor for progress. Although incoming inspection is required, this is too late to mitigate risk.

Funding issues were small in the PERIL database but the sources of error are due to overlooked staffing, travel, training and equipment costs. Funds for all of the anticipated financial outlays must be defined and planned for early in the project planning cycle.

Throughout the sections that discuss scope, schedule and resource risk, Kendrick repeats that analyzing these items must be an iterative process since they are the primary constraints and changes in one will affect the others.

Key Ideas: Constraint Management and Risk Discovery
Align project plan and objective
Document project priorities
Identify project alternatives (mitigation)
Explore Project Opportunities
Remove unnecessary project scope
Document risk and impact of proposed changes
Use all means to identify unknown project risk

Constraint Management[edit]

When controlling project constraint it must be understood that only two of the three constraints can be defined, the third will be determined by the other two. It should be determined which of the three (resource, scope or schedule) is the controlling constraint and which is the most acceptable to change. Determining this and insuring the stakeholders understand the consequence of this is of utmost importance.

If scope is the least important, determine methods to achieve the most for the customer while using less resources, trim low priority scope, suggest alternative solutions to the problem being addressed, look for reusable components from other projects.

For resource constraints look at cross-training staff or training new people. Outsourcing is an option but introduces significant risk.

If schedule constraints are an issue, it is possible to use schedule float. Also carefully analyze the schedule for tasks that can overlap, If they exist, look at defining the tasks with more granularity. Lastly, if the funds are available, add more resources to try to compress the schedule. All of these introduce their own risk.

Continually analyze the project for other risks. Kendrick provides a general list of risk categories to assist in brainstorming, analyzing historical data or previous projects.

Quantifying and Analyzing Activity Risk[edit]

Key Ideas: Quantifying and Analyzing Activity Risk
Determine probability and impact for each risk
Use qualitative methods to prioritize risk
Apply quantitative analysis to specific risks
Do not over complicate PERT analysis

The key to assessing risk is determining the probability and impact of the risk and knowing when these values cannot be determined. Trying to make quantitative decisions from qualitative data is not sensible. To this end, Kendrick describes some standard and accepted methods of presenting non-quantifiable risks for the project. A majority of his time in spent discussing two methods in of quantitative analysis — two dimensional bubble charts and PERT analysis. As in previous areas on the book he presents beta-distributions of for risks and he lays the groundwork for the understanding of why simulation products are important when analyzing risk in complex projects. He presumes a modicum of knowledge of statistics but no knowledge of beta-distributions is required.

Managing Activity Risk[edit]

Key Ideas: Managing Activity Risk
Do root cause analysis
Use one of the three methods of handling risk — mitigate, avoid, transfer
Develop contingency plans for all risk
Publicly display risks
Look for ways to prevent risk

Risks fall into three broad categories — controllable known, uncontrollable known and unknown. For the former two, one must understand the risks before they can determine how to manage them. This is done using root cause analysis. As the name implies its goal is to look for the root cause on the problem and solve it at that point. Kendrick briefly discusses the use of fishbone diagrams as a tool to assist in this process. Even unknown elements should be handled in this manner, but obviously do it as they are incurred.

The four ways of handling risk are:

  • Avoidance - Take action to avoid the risk
  • Mitigation - Define actions to take when the risk occurs
  • Transfer - Have someone else handle the risk i.e. insurance
  • Acceptance - Identify the risk as acceptable and let it happen.

Determining which option to choose is primarily financial, but schedule and manpower may be involved. As a tool, Kendrick provides a number of "checklist" opinions for looking at each of these options.

Contingency planning is briefly discussed for scope, resource and schedule.

Quantifying and Analyzing Project Risk[edit]

Key Ideas: Quantifying and Analyzing
Generate a formal survey project risk
Determine project uncertainty based on prior estimates
Use effort months to determine project size.

Kendrick highlights the common project level risks as (citing Capers Jones as the original source):

  1. Estimates that are excessively inaccurate
  2. Too aggressive a schedule
  3. Poor management
  4. Scope creep (poor change management)
  5. Large projects not staffed appropriately

Kendrick provides a suggested survey where all responses are on a scale of one-to-three and using the a weighted average (1:3:9) of the responses to determine the risk of the project biasing the negative impact. Results in the 2.51 - 6.00 range are considered medium and anything above high risk.

He then returns to the PERT modeling data generated by task and explains the use, limitations and additional theory. He uses simulations to generating an approximation of the logical outcomes.

He describes two less rigorous approaches for the looking at project risk compared to other project. Project Scale compares the total effort months of the project to other projects, the higher the ratio the more risky. Project Appraisal uses a process similar to appraising a house to determine risk based on other completed projects.

The remainder of this section is devoted to measuring projects and determining whether a project is tracking to plan or deviating in a negative manner. He discusses a number of soft techniques (qualitative judgements) and hard techniques (financial base on actuals) to determine the "health" of the project.

Managing Project Risk[edit]

Key Ideas: Managing Project Risk
Start the project with a kick-off workshop
Determine the appropriate metrics
Set the project reserve
Validate and adjust the objectives
Implement and use a Change Management Process

This section is an assortment of activities that Project Managers may do to align the project team and the stakeholders for the upcoming project. These items include:

  • A recommended list of documentation that summarize general best practices for a project, cautioning that quality, not quantity, is the measure.
  • A project start-up workshop; including its preparation and execution. The goal is to align people to the goals and educate them on the challenges.
  • Determining the appropriate metrics for the project, ensuring they are not burdensome and affect behavior in a positive manner. Too often, metrics change behavior to provide better metrics not better performance.
  • Setting the amounts and conditions for use of the project reserves.
  • Negotiating the final objectives of the project with stakeholders to improve the chances of project success.
  • Validate that all team members and stakeholders accept the plan of record.
  • Describe to all team members and stakeholders the change management process and how it will be enforced.

Monitoring and Controlling Risky Projects[edit]

Key Ideas: Monitoring and Controlling Projects
Be religious on collecting status information ensure that it is only the status you need
Monitor status and trends continuously
Promptly address problems
Communicate, communicate, communicate

Execution of the project entails the Project Manager applying the plan, leading the team and monitoring the project status looking for trends that can indicate variations (good and bad) in the project execution. Results of the analysis need to be communicated and adjustments made through a change management and/or issue resolution process.

Communication is imperative. Kendrick describes a variety of tools to aid in communication and notes where challenges may be become more difficult (remote projects, multiple languages, large number of stakeholders with differing goals). He also provides the obligatory how-to-run-a-meeting discussion.

Project traceability is important and Kendrick outlines the needs and requirements of a Project Management Information System. This system should be a repository for all project documents and appropriately accessible to all people.

For longer projects Kendrick suggests a periodic project review and assessment. He provides a checklist of the items this should include and show to conduct the meeting.

Closing Projects[edit]

Key Ideas: Closing Projects
Document the project results
Recognize contributors
Conduct a retrospective

Proper closure of a project has significant benefits for reducing risk on future projects. Whether the project is considered a success or a failure the results should be documented and reviewed. These data can then be used in future planning processes to improve planning and reduce risk.

A project retrospective should be conducted and actions taken on the suggestions to improve processes for the future. Lack of action will reduce participation in subsequent retrospectives.


Further reading[edit]

  • Lam, J., Enterprise Risk Management: From Incentives to Controls (2003). Wiley; 1 edition, ISBN 0-471-43000-5
  • Peter Simon and David Hillson, Practical Risk Management: The ATOM Methodology (2012). Management Concepts. Vienna, VA, ISBN 978-1567263664
  • Lev Virine and Michael Trumper, Project Decisions: The Art and Science (2007). Management Concepts. Vienna, VA, ISBN 978-1-56726-217-9
  • Lev Virine and Michael Trumper, ProjectThink: Why Good Managers Make Poor Project Choices (2013). Gower Pub Co, ISBN 978-1409454984
  • Wideman, R.M. Project and Program Risk Management (1992). Newtown Square, PA: Project Management Institute. ISBN 978-1-880410-06-6