PMP and CAPM Exam Prep Simplified!

BrainBOK - PMP and CAPM Exams, ITTOs, Flashcards, Formulas, Quizzes, Contact Hours
Deep Fried Brain PMP CAPM PMI-ACP Certification Blog
37 comments

  20 Common Project Risk Management Terms Explained

PMP Blogger Cooling Off on Beach
Image credit: Flickr / sektordua
I need a break from blogging to cool-off my brain, which as you rightly guessed, has got deep fried. I'm planning to go to Bali for vacation. I've heard it's a great place and I have never been there before. But, I need your help in planning my trip, and particularly on Risk Management. Let's first give this project a name. How about we call it "The Deep Fried Brain Project"? As we plan the trip, we are going to identify the risks involved in the project, analyze the risks and plan risk responses. Also during the course of planning, we are going to explore some common Project Risk Management terms and see how they fit into our project. I'm quite excited about this project and looking forward to your support. So, shall we begin?



Step-by-step Guide to PMP

How to Become a PMP in 6 Steps


Project Cost Estimate I'm going to fly to Bali, stay in a hotel, see a lot of places, do plenty of shopping and have loads of fun. The main cost components for the vacation (project) include:
  • Airfare - $500
  • Hotel accommodation - $1000
  • Car rental - $500
  • Food & leisure - $2000
  • Shopping - $1000
All these costs "roll up" to $5000. This is my project cost estimate.

Risk I've never been to Bali before, and as a foreigner in a country, there's always a level of uncertainty or risk involved.

PMBOK Guide 5th Edition defines risk as an uncertain event or condition that, if it occurs, has an effect on at least one project objective. Objectives can include scope, schedule, cost, and quality. A risk may have one or more causes and, if it occurs, it may have one or more impacts. A cause may be a requirement, assumption, constraint, or condition that creates the possibility of negative or positive outcomes.

It's not all negative

Note the keywords negative or positive. The dictionary definition of the word 'risk' has a negative connotation. Therefore, it's a bit counter-intuitive to think that risks can be positive too.

Deep Fried Brain PMP Think Positive
Image credit: Flickr / tango48

Negative Risks or Threats What are some of the things that can go wrong during my trip? Let's list them down. I might:
  • Fall sick
  • Get robbed or mugged
  • Lose my wallet, passport, luggage or other valuables
  • Run out of money
  • Get kidnapped or high-jacked (if that adds any humor)
  • Become shark food on Bali beach
  • Drown or get killed
  • Call-off the vacation prematurely due to an emergency
  • Run into unfavorable weather
  • Get caught in a natural calamity
Positive Risks or Opportunities Well, if I'm lucky, things may turn out better than I expect. What are the opportunities that lie ahead? I may:
  • Discover a great business opportunity
  • Meet an old friend
  • Get a good deal on hotel room and car rental
  • Win a lottery or lucky draw
  • Discover a hidden treasure at one of the remote beaches of Bali
Strategies for Negative Risks or Threats Which are the risks I should really spend effort and resources on? Are there any risks that I can completely eliminate (avoid)? Can I do something to reduce the impact or probability (mitigate) of certain risks? Can I transfer the risk to someone else? Let's see.
  • Fall sick
    • Get health insurance to cover the medical costs (transfer cost risk to the insurance company)
    • Get vaccinated (avoid - prevention is better than cure)
    • Carry a first aid kit along (mitigate)
    • Keep telephone numbers of local hospitals and emergency services handy (mitigate)
  • Get robbed or mugged
    • Get travel insurance (transfer cost risk to the insurance company)
    • Keep local emergency numbers handy (mitigate)
    • Not carry valuables along (avoid)
  • Lose wallet, passport, luggage or other valuables
    • Get travel insurance (transfer cost risk to the insurance company)
    • Keep copies of all my important documents. Perhaps, I can store scanned copies in a secure online file storage system, so that I can access them from anywhere as long as I have an internet connection. This will reduce the impact if this risk event occurs (mitigate).
  • Run out of money
    • Use credit card.
  • Become shark food on Bali beach
    • Wear shark-repellent body-spray (mitigate)
  • Unfavorable weather
    • Plan the trip around a time when weather forecast is good (mitigate)
  • Natural calamity
    • Make sure that life insurance premiums have been paid.
Strategies for Positive Risks or Opportunities Can I increase the chances of getting a good deal on hotel room and car rental? What will I do with the treasure if I ever discover one? Let's see.
  • Get a good deal on hotel room and car rental
    • Try to plan the trip during off-season (enhance)
    • Make reservations early (enhance)
  • Win a lottery or lucky draw
    • Buy a lottery everyday and fill up every lucky draw coupon that I can get my hands on (exploit)
  • Discover a hidden treasure at one of the remote beaches of Bali
    • Donate treasure to the needy (share)
Residual Risks Residual Risks comprise of:
  • Risks that remain after applying risk response strategies have been implemented.
  • Risks that are not worth dealing with upfront (probably the cost involved in dealing with them is less than the cost to address their outcome). We simply accept them.
Examples:
  • Early end to the vacation due to an emergency: There's nothing I can (or want to) do upfront to avoid/mitigate/transfer this risk.
  • Unfavorable weather: Someone said that weather is like woman's mood, you never know when it will change. Therefore, even though we'll plan the trip around a time period when weather forecast is good, there's still a risk of bad weather. We'll also add this risk to the list of Residual Risks.
In order to deal with the outcome of residual risks, we put "Contingency Plans" in place.

PMP Risk Management Residual Risks
Image credit: Flickr / sflovestory
Contingency Plans Contingency Plans are plans specifying the action to be taken when the risk event (positive or negative) occurs. These plans are specifically for the Residual Risks. For example:
  • Early end to the vacation due to an emergency: I'll reserve $500 for purchasing a potentially more expensive flight ticket back home. This is "cost" contingency reserve.
  • Unfavorable weather: I'll keep two "reserve days" in my vacation plan. This is "time" contingency reserve. I'll also keep additional $500 to cover for the expenses for these two days. This is also a "cost" contingency reserve.
Contingency Reserves These are time and cost reserves that account for "known-unknowns" or simply "knowns". They cover the "Residual Risks" on the project. In our Bali vacation project, we have $1000 and 2 days of contingency reserve. Project Manager is authorized to approve the use of contingency reserves.

Risk Triggers Triggers are indications that a risk has occurred or about to occur. We can think of them as events, conditions, early warning signs that trigger the contingency response. For example, if the temperature shoots above 103 deg F, I'll call an ambulance.

Risk Tolerance I can go for bungee-jumping but skydiving is not my cup of tea.

PMP Risk Management Risk Tolerance
Image credit: Flickr / divemasterking2000
Risk Threshold If I lose $200 in the casino, I'll stop gambling and go back to my hotel room. Losing $200 in gambling is my risk threshold.

Fallback Plan This is the so-called "Plan B" for the Residual Risks. If the contingency plan doesn't work, we move to "Plan B". For example:
  • If the weather turns hostile and flights stop operating, I will check-out of the hotel room and move to Denpasar International Airport departure terminal.
Watchlist These are low priority (non-critical / non-top risks).
  • Meet an old friend: I'll be on a lookout for known faces.
  • Discover a great business opportunity: This is not my priority during vacation, but if something comes my way, then why not?
  • Drown or get killed: I'll be more careful near the water and will try not to venture into isolated places.
  • Get kidnapped: Highly unlikely, but I'll give my father-in-law's contact number to kidnappers, just in case they ask for ransom.
Secondary Risks These are new risks that emerge as a result of applying risk response strategies. For example, the swine flu vaccine shot leads to serious side-effects and jeopardizes my vacation.

Workaround Workarounds are "corrective actions" taken to deal with a risk event that has occurred. Unlike contingency plans, these are "unplanned responses" to a risk. For example, I had planned to spend a day at the beach, but it was raining heavily. So, I went and watched a movie. Movie was not on my plan.

Management Reserves These are time and cost reserves that account for "unknown-unknowns" or simply "unknowns". What if something unforeseen happens, that I cannot think of right now? Usually the management reserves a certain amount (say 5% of the project cost baseline) for such unforeseen events. The Project Manager is NOT authorized to approve the use of management reserves. "Management" approval is required to use such funds.

For example, I spent all the cash and also used up the limit on my credit cards. I called my credit card company for help. They extended another $500 of credit for me to pack my bags and return home.

Project Cost Baseline Project Cost Baseline = Project Estimate + (Cost) Contingency Reserves

For this project,

Project Cost Baseline = $5000 + $1000 = $6000

Note that Project Cost Baseline is usually not a single big lump-sum amount. It's a time-phased budget (or costs by calendar period) and usually represented in the form of an S-curve.

Cost Budget If we add the Management Reserves to the Project Cost Baseline, we get the Project Cost Budget.

Project Cost Budget = Project Cost Baseline + Management Reserves

For this project,

Project Cost Budget = $6000 + $500 = $6500

Refer to the diagram below to see graphical representation of the Contingency Reserves and Cost Budget.

PMP Risk Management Reserves and Cost Budget
Image credit: Flickr / bookis
Risk Averse If you have been following this blog, you might have noticed that this is the first ever post on Risk Management on this site. This shows how risk averse I am.

Summary Let's summarize the main points:
  • Risks are not always negative. Positive events or opportunities are considered risks too.
  • Residual Risks comprise of a) risks that remain after applying risk response strategies, and b) risks that we simply accept - if it happens, it happens, and we have a plan to deal with it.
  • Contingency Plans deal with the outcome of Residual Risks on the project.
  • Contingency Reserves cover the outcome of Residual Risks, and account for the "known unknowns".
  • Fallback plans are employed for Residual Risks when Contingency Plans fail.
  • Secondary Risks are new risks that emerge as a result of Risk Response planning.
  • All non-critical / non-top risks are put on the Watchlist and monitored ("watched") regularly.
  • Project Cost Baseline includes the Project Cost Estimates and Cost Contingency Reserves.
  • Management Reserves account for the "unknown unknowns".
  • Project Cost Budget is derived by adding Management Reserves to the Project Cost Baseline.
  • Project Manager can authorize the use of Contingency Reserves, but not Management Reserves. "Management" authorizes the use of Management Reserves.
I hope you enjoyed this exercise. Thanks for helping me out with the project. I'll post the snaps soon. Let me know if you have any questions, tips or suggestions for me.

PMP Certification FAQs

100+ FAQs about PMP Certification


Related articles:

37 comments:

  1. Really good article and above all very nice presentation in very simple language. The only thing which I found missing was about accepted risks. Like what takes care of it

    ReplyDelete
  2. When secondary risks are found whether iterative process of qualitative,quantitative and response planning is carried out??

    ReplyDelete
  3. 12 questions on Risk Management
    http://thepminstructors.com/pmirmp.html

    ReplyDelete
  4. In response to:

    "Really good article and above all very nice presentation in very simple language. The only thing which I found missing was about accepted risks. Like what takes care of it"

    I did mention that Residual Risks are the "accepted" risks and we put Contingency Plans in place to deal with them. Does that answer your question or am I off-target?

    Feel free to ask more questions.

    ReplyDelete
  5. In response to:

    "When secondary risks are found whether iterative process of qualitative,quantitative and response planning is carried out??"

    That's a very good question.

    The short answer is 'Yes'. A lot depends upon the nature of the risk too. If you find that the risk has a low probability / low impact, you might just skip Quantitative risk analysis and add it to the watch list. In some cases, you may simply "accept" it and plan a contingency for it.

    Thanks.

    ReplyDelete
  6. In response to:

    "12 questions on Risk Management
    http://thepminstructors.com/pmirmp.html"

    The questions are quite good. I'll share it as a Daily tip tomorrow.

    Thanks for sharing it !

    ReplyDelete
  7. Hi Harry.. Excellent presentation and content. Thanks for the detailed explanation. Btw, when are you planning for Bali?? did you inform GP? :)

    ReplyDelete
  8. Brilliant ||||, you should have your PMP training academy...

    ReplyDelete
  9. Hi Harwinder,

    As per your article: One of the risk is to Fall sick
    ------------------------
    * Fall sick
    Get health insurance to cover the medical costs (transfer cost risk to the insurance company)
    o Get vaccinated (avoid - prevention is better than cure)
    o Carry a first aid kit along (mitigate)
    o Keep telephone numbers of local hospitals and emergency services handy (mitigate)
    ----------------------
    Here - the risk is : to get sick while on vacation


    Now we may have the following strategies for the risk (per my understanding):

    - Accept , means do not do anything to avoid or minimize the probability of the risk and deal with it if it occurs
    - Mitigate, means to do something to minimize the probability of the risk or to do something to minimize the the impact of the risk if the risk actually occurs..
    - Avoid - do something so that the risk should not happen
    - Transfer - means transfer the risk to somebody else (usually by paying him)

    Contingency Plan:

    Usually Contingency Planning involves:
    Deciding how to combat the risk when/after it occurs.

    Fallback Plan:

    A Fallback plan is an additional contingency plan to use in the event that the first contingency plan fails.

    Now in your article, when one falls sick--

    1) Get health insurance to cover the medical costs (transfer cost risk to the insurance company)

    -- Is it really transferring the risk ? i mean transferring of the risk could be said that somebody else false sick in place of me !!! and ofcourse which can not happen even if i pay a large amount to someone.

    What i was thinking that here the risk can't be really transferred..

    by doing the insurance, ofcourse i would get the money what i spent on the medication/ treatment etc, but still i am not transferring the risk of getting sick...

    2) Get vaccinated (avoid - prevention is better than cure) --

    I think, getting vaccination is more of mitigation rather than avoid since by getting vaccinated, we are minimizing the probability of getting sick .., but still by vaccination, the risk of getting sick can't be avoided 100% . Only the way to completely avoid this risk is to cancel the trip !!

    3) Carry a first aid kit along (mitigate)

    I would agree that it can be said as mitigate i.e. to do something to minimize the impact of the risk if it occurs.

    4) Keep telephone numbers of local hospitals and emergency services handy..

    - basically i am a bit confuse if it could be said as mitigation or contingency planning.

    It looks to me that it is more of Plan-B or the plan when risk actually occurs..

    So, if we fall sick then we are getting admitted ourselves to the hospital by calling to the nearing hospital. So, it means that.., the risk has actually happened and now it is the time to do something to fight with it..

    So, it looks more of a contingency plan than mitigation..

    Please mention your comments.

    Thanks

    ReplyDelete
  10. Hello Vikas,

    Those are very thoughtful comments. I think you have a very sound understanding of the risk management terms.

    Rather than answering all your questions point by point, I'll just one point, which should answer most of your questions.

    There are vaccinations that can help "practically avoid" the disease. That's how I looked at it. There's no point going into too many technicalities of vaccination and divert from the topic.

    I realize that there could be multiple ways to look at the same thing. That's why I tried to give multiple examples wherever possible, but I may have left some room for misinterpretation. I do take your feedback positively and will try to be more explicit in my future posts.

    Thanks for your comments.

    ReplyDelete
  11. Do you have or can you recommend good information on decision tree formulas? I know on of them is (risk cost*percent chance of occurrence) + initial cost.

    Thanks,

    CC

    ReplyDelete
  12. i started reading you blogs 2 days back and not your blogs are part of my pmp preparation.Nice job buddy and keep it up.

    ReplyDelete
  13. Thank you, Anonymous. I tend to concentrate more on content and less on marketing. I'm not sure how you discovered my blog, but lot of people manage to pass (or even fail) the exam without ever knowing about this site.

    So if you like some articles on this site, do spread the word by sharing the links with your social and professional networks.

    All the best.

    ReplyDelete
  14. Mr. Harwinder,

    No word to express. Simply a great and detail presentation. I been going through lots of reference docs, but non given this clear explanation and easy understanding. You’re doing great for this community. Knowledge is power, just transferring this become super power. Keep up the great work.

    ReplyDelete
  15. Hi Harwinder,

    I love the way that you use an example to explain the idea. It makes things easier to understand. Some people do cover the explanation of "Contingency plans" and
    Contingency reserves". So far, I found your explanation most "creative" and solid. Well, thanks a lot!!!! Keep it up. :)

    ReplyDelete
  16. Great article! Honestly this is one of the best articles I came across on risk management. Great contribution to the PM body of knowledge.

    ReplyDelete
  17. Hi Harwinder,
    Wonderful Articles and BrainBOK! Its really helping me in my PMP preparation.
    I still have a question,as the contingency reserve is for the residual risks, where the cost of planned risk will go.In your example, the cost of travel insurance, will it be part of cost estimation of any particular activity or cost estimation of the project or the contingency reserve? Please explain.
    Thanks
    Amit

    ReplyDelete
  18. Hello Amit,

    If I'm buying travel insurance, then the cost of insurance would go into my project cost estimate, not the contingency reserve. By buying travel insurance, I'm transferring the risk to the insurance company and hence doing "something" about the risk, instead of simply "accepting" it.

    Therefore, if I actually decide to buy health insurance, travel insurance, first aid kit etc. to respond to negatives risks, the cost of those actions would go into the Project Cost Baseline (over and above the original $5000). Remember that the planning processes are iterative and I can go back and update the project cost and schedule estimates after planning risk responses.

    Since you brought up this point, I think it would be good to update the article to reflect this, and I'm going to do that soon.

    Hope it makes sense. BTW, it's an excellent question. Thanks for your feedback.

    BR.

    ReplyDelete
  19. Thanks Harwinder for details explanation. It absolved all my Risk really doubts.
    Again, it is an awesome article and I keep on referring it my fellow PMP aspirants.

    Thanks
    Amit Mittal

    ReplyDelete
  20. Harwinder,

    Good Job! This is the one of the best article covered high level of project risk management, Worth to bookmark.

    Ray

    ReplyDelete
  21. Thank you very much. You clarified Residual Risks for me

    ReplyDelete
  22. Sunny,

    I can't approve your comment with Rita Mulcahy's question. But I agree with you. Actually both A and C look correct to me. Do not worry about one or two such questions. If you have a good understanding of the concepts, you are likely to get it right on the exam.

    Good luck for your exam on Monday.

    ReplyDelete
  23. I was wondering if they didn't choose C because they indicated that they had finished the Plan Risk Responses process. And creating a contingency plan is part of this process so it should have already been created for the residual risks.

    But then as part of the Plan Risk Process process you should have already updated/documented the risk register with your residual risks.

    So now I am wondering if B should be the answer because when residual risks actually occur, you deal with them (via a contingency plan)

    ReplyDelete
  24. Harwinder, thanks a ton for the clear and concise coverage of this confusing topic. I have learnt a lot by looking at every corner of your web site. You have done a great job with the content - your web site layout, however, needs a little more work to become user-friendly though, just my thought......But for some awesome free content on the subject of PMP, I can live with that. Thanks again.

    ReplyDelete
  25. The Best Explanation of Risk, i have ever read is this. thanks Harvinder paaji.

    ReplyDelete
  26. Dear Harwinder,

    thanks for your article.

    Can we say that secondary risk is a special case of residual risk where the primary risk is addressed by tranfering it?

    ReplyDelete
    Replies
    1. Hello Syed,

      Secondary risks are "not" necessarily residual risks. A Secondary risk may be serious enough for it to warrant a risk response.

      Best regards.

      P.S.: Excuse me for the late response, as I'm currently on vacation.

      Delete
  27. Hi Harwinder,
    I know contingency reserves are created for active risk acceptance. For passive acceptance of Risks do we create contingency reserves? If we don't create contingency reserves for passive acceptance risks, do we need to use management reserves when these risks happen?

    Thanks,
    Sri

    ReplyDelete
  28. Unfavourable weather

    Dear Harwinder,
    On the negative risk you've mentioned this threat and mitigation is to plan it when whether is good. Does it not mean that you are avoiding the threat by planning it when the weather is good rather than mitigating ?

    Regards,
    Riyaz

    ReplyDelete
  29. Unfavourable weather

    Dear Harwinder,
    On the negative risk you've mentioned this threat and mitigation is to plan it when whether is good. Does it not mean that you are avoiding the threat by planning it when the weather is good rather than mitigating ?

    Regards,
    Riyaz

    ReplyDelete
  30. Hi,

    Why contingency reserve is 1000 ? As per contingency plan 1000(for 2 day stay) + 500(Return Flight Ticket) = 1500$.

    Please explain logic behind calculating contingency reserve.

    Regards,
    Ashpaq

    ReplyDelete
  31. Harwinder, I have a question on CR too. CR, as we all know, are the reserves used to cover the costs of known-unknowns. It is said that CR is calculated using EVM, which is a part of Perform Quantitative Analysis process of Risk Management. Now, we also know that this process is optional – if the cost of doing Perform Quantitative Analysis is high, it can be skipped altogether. Does it mean that calculating CR without doing a quantitative analysis a guesswork?

    ReplyDelete
  32. Hello Harwinder,
    Your blog adds a lot of value to my preparation and you make it so interesting with your wit and wisdom! Thanks a million!

    ReplyDelete

Please do not include URLs (links) in your comments as any comment with links would be deleted automatically.

Other interesting posts