Quantitative Risk Analysis


This process is the second step in risk assessment. The purpose of this process is to numerically evaluate risks that need additional analysis after qualitative analysis has been performed. This evaluation is objective and the result is numerical, but it depends on calculations and lacks human judgment. The results therefore tend to be most accurate when they are reviewed with human judgment after the calculations are run.

 

1 – Probability Distribution

Quantitative analysis utilizes computer software to model probability distributions. These can be depicted graphically as continuous distributions or discrete distributions.

Figure-1 shows some types of continuous distribution.

Figure-1 : Continuous distribution

 

In a discrete distribution, data can be represented as bars. Each bar represents a possible outcome and each outcome is assigned a probability. Figure-2 shows a model of a discrete distribution.

Figure-2 : Discrete Distribution

 

The difference between continuous and discrete distributions can be seen in the following comparison in Table-1.

Table-1 : Comparison between continuous and discrete distributions

 

2 – Quantitative and Modeling Techniques


Quantitative analysis utilizes simulation and modeling techniques such as sensitivity analysis, expected monetary value, and Monte Carlo.


2-1 Sensitivity Analysis


This technique shows the range of outcomes for a risk by changing only one element at a time (what-if analysis) and measuring its impact. This is done several times to evaluate the range of outcomes. It is possible to change multiple elements by using design of experiments (DOE). Table-2 shows an example of sensitivity analysis. A common way to display these results is a tornado diagram, as shown in Figure-3.

Table-2 : Sensitivity Analysis

Figure-3 : Tornado Diagram
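The what-if procedure described above, as an added example that is not part of the original page: each input is moved to its low and high estimate while the others stay at base, and the results are sorted by swing, which is the order of the bars in a tornado diagram. The cost model `project_cost` and all estimates are hypothetical, constructed values.

```python
# One-at-a-time (what-if) sensitivity analysis with tornado ordering.
# Every estimate and the cost model below are constructed for illustration.

# (low, base, high) estimate for each input -- constructed values
INPUTS = {
    "labor_rate": (40.0, 50.0, 70.0),            # cost per hour
    "labor_hours": (900.0, 1000.0, 1200.0),
    "material_cost": (18000.0, 20000.0, 21000.0),
    "permit_fees": (1500.0, 2000.0, 2200.0),
}


def project_cost(v):
    """Hypothetical project model: total cost as a function of the inputs."""
    return v["labor_rate"] * v["labor_hours"] + v["material_cost"] + v["permit_fees"]


def sensitivity(inputs, model):
    """Vary one input at a time, holding the others at base; sort by swing."""
    base = {name: est[1] for name, est in inputs.items()}
    base_out = model(base)
    rows = []
    for name, (low, _, high) in inputs.items():
        at_low = model({**base, name: low})
        at_high = model({**base, name: high})
        rows.append((name, at_low, at_high, abs(at_high - at_low)))
    rows.sort(key=lambda r: r[3], reverse=True)   # widest bar first
    return base_out, rows


def tornado(base_out, rows, width=40):
    """Render the sorted rows as a text tornado diagram (list of lines)."""
    widest = rows[0][3] or 1.0
    lines = [f"base outcome: {base_out:,.0f}"]
    for name, at_low, at_high, swing in rows:
        bar = "#" * max(1, round(width * swing / widest))
        lines.append(f"{name:<14} {at_low:>9,.0f} .. {at_high:>9,.0f}  {bar}")
    return lines


if __name__ == "__main__":
    print("\n".join(tornado(*sensitivity(INPUTS, project_cost))))
```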

 

2-2 Expected Monetary Value

 

This technique calculates outcomes by considering both probability and impact. It is used to make decisions after gathering data on two or more alternatives, and it depends on the impact of each decision and the probability that it will happen. Multiplying an impact by its probability gives the expected monetary value. Comparing these values makes the decision easier. This technique uses decision tree analysis as a graphical method to represent the alternatives and their impact and probability. Figure-4 shows an example of decision tree analysis.

Figure-4  Decision Tree Analysis
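The calculation described above, as an added example that is not part of the original page: a small decision tree is evaluated by taking the probability-weighted sum at each chance node and the best alternative at each decision node. The tree, the option names, the probabilities and the amounts (in thousands, positive meaning gain) are constructed values, and the node layout is an assumption of this example.

```python
# Expected monetary value (EMV) over a small decision tree.
# The tree, probabilities and amounts are constructed for illustration.
# Amounts are in thousands; positive = gain, "cost" is paid to take a branch.

TREE = {
    "type": "decision",
    "options": {
        "build new plant": {
            "type": "chance", "cost": 120,
            "branches": [(0.6, {"type": "outcome", "value": 200}),
                         (0.4, {"type": "outcome", "value": 90})],
        },
        "upgrade existing plant": {
            "type": "chance", "cost": 50,
            "branches": [(0.6, {"type": "outcome", "value": 120}),
                         (0.4, {"type": "outcome", "value": 60})],
        },
    },
}


def emv(node):
    """EMV of a node: probability-weighted at chance nodes, best at decisions."""
    cost = node.get("cost", 0)
    if node["type"] == "outcome":
        return node["value"] - cost
    if node["type"] == "chance":
        probs = [p for p, _ in node["branches"]]
        if any(p < 0 for p in probs) or abs(sum(probs) - 1.0) > 1e-9:
            raise ValueError("branch probabilities must be >= 0 and sum to 1")
        return sum(p * emv(child) for p, child in node["branches"]) - cost
    if node["type"] == "decision":
        return max(emv(opt) for opt in node["options"].values()) - cost
    raise ValueError(f"unknown node type: {node['type']}")


def best_option(decision):
    """Return (name, EMV) of the alternative with the highest EMV."""
    scored = {name: emv(opt) for name, opt in decision["options"].items()}
    name = max(scored, key=scored.get)
    return name, scored[name]


if __name__ == "__main__":
    for name, option in TREE["options"].items():
        print(f"{name:<24} EMV = {emv(option):.1f}")
    print("choose:", best_option(TREE))
```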

2-3 Simulation & Modeling

 

This technique uses the Monte Carlo technique as a simulation tool. The project model is computed several times, with cost estimates or activity durations chosen at random each time from the probability distributions of these variables. A chart of the total cost or total duration is then drawn. Figure-5 shows an example of this chart.

Figure-5 : Monte Carlo Simulation for Project Cost
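The simulation described above, as an added example that is not part of the original page: each cost item is sampled at random from a triangular distribution on every run, and the sorted totals give the mean, the percentiles and the probability of staying within a budget. The cost items and their three-point estimates are constructed values, and the choice of a triangular distribution is an assumption of this example.

```python
# Monte Carlo simulation of total project cost.
# The three-point estimates below are constructed for illustration.
import bisect
import random

# (optimistic, most likely, pessimistic) cost per item -- constructed values
ESTIMATES = {
    "design": (8_000, 10_000, 15_000),
    "construction": (40_000, 50_000, 75_000),
    "testing": (4_000, 5_000, 9_000),
}


def simulate(estimates, runs=20_000, seed=1):
    """Return sorted total costs, one per run, sampling each item at random."""
    rng = random.Random(seed)            # fixed seed: repeatable results
    totals = [
        sum(rng.triangular(low, high, mode) for low, mode, high in estimates.values())
        for _ in range(runs)
    ]
    totals.sort()
    return totals


def percentile(sorted_totals, p):
    """Cost that p percent of the simulated runs stay at or below."""
    index = min(len(sorted_totals) - 1, int(len(sorted_totals) * p / 100))
    return sorted_totals[index]


def prob_within(sorted_totals, budget):
    """Fraction of runs whose total cost is at or below the budget."""
    return bisect.bisect_right(sorted_totals, budget) / len(sorted_totals)


def summarize(sorted_totals, budget):
    return {
        "mean": sum(sorted_totals) / len(sorted_totals),
        "P50": percentile(sorted_totals, 50),
        "P80": percentile(sorted_totals, 80),
        "P(total <= budget)": prob_within(sorted_totals, budget),
    }


if __name__ == "__main__":
    most_likely_sum = sum(mode for _, mode, _ in ESTIMATES.values())   # 65,000
    for key, value in summarize(simulate(ESTIMATES), most_likely_sum).items():
        print(f"{key:<20} {value:,.2f}")
```

With these constructed estimates, a budget equal to the sum of the most-likely values is met in well under half of the runs, which is the kind of result a single-point estimate hides.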

 

3 – Risk Register Update


At this point, the risk register will be updated with the following:
1- Probabilistic analysis of the project
2- Quantified probability of meeting project objectives
3- Prioritized list of quantified risks
4- Overall project risk (Risk Exposure)

 

 

 

Qualitative Risk Analysis


This process is the first process in risk assessment. The purpose of this process is to evaluate each risk you have identified in the previous process. This evaluation is subjective and the result is not numerical. However, this evaluation is almost accurate because it depends on human judgment that is built up from experience. The output of this process is the probability and impact assessment of each identified risk.

While performing this analysis, you may use tools and techniques such as risk categorization and the probability and impact matrix. Risk categorization utilises the risk categories that were developed in the risk planning process. The probability and impact matrix defines the combinations of probability and impact that lead to rating risks as low, moderate, or high priority. Figure-1 shows an example of a probability and impact matrix.

 

Figure-1 Probability and impact matrix

The subsequent decision of analyzing a risk through this process could be one of the following:
1- This risk is a minor risk and it should be put in a watch list.
2- This risk needs more analysis and it should be analyzed quantitatively.
3- This risk is urgent and it should go quickly to response planning.
4- The qualitative analysis of this risk is enough and there is no need for further analysis. Hence this risk should go to response planning.

Figure-2 shows a diagram expressing the work flow of these steps.

Figure-2 Risk Assessment Mechanism

By the end of this process, the risk register is updated with the results of the qualitative analysis. This may include ranking, grouping by category, risks that require a quick response, risks that require additional analysis, and low-priority risks that will be placed on the watch list.

Table-1 shows an example of risk register up to this point.

Table-1 Risk Register (Updated after qualitative analysis)

Risk Identification


The next planning effort in risk management after risk planning is risk identification. The purpose of this process is to identify all potential risks in the project regardless of their probability or their impact. Assessment is done later, in a subsequent process.


Identification is done using various techniques such as information gathering techniques, document review, checklist analysis, assumption analysis, and SWOT analysis.


The output of this process is a table that contains all identified potential risks, with initial information about each of them. This table is known as the risk register. In the following sections, we discuss these techniques and the risk register.

 

1 – Information Gathering Analysis


Examples of data gathering techniques are brainstorming, the Delphi technique, interviewing, root cause analysis, and mind mapping. Figure-1 shows an example of mind mapping.

Figure-1 : Mind Mapping for Potential Project Risks

 

2 – Documentation Review


One of the most effective methods to identify a significant number of potential risks is to review project documents. This method allows you to explore most areas of project activity, starting from the very early milestones of project initiation and passing through all the phases, decisions, evaluations, and studies of the project. This documentation includes the project charter, the project management plan and its subsidiary plans, the WBS, the time schedule, activity duration estimates, activity cost estimates, the stakeholder register, contracts, and procurement documents. The following chart is a hierarchy of potential project documents.

 

3 – Checklist Analysis


The checklist is a list of predefined risks that you can check to see whether they are potential risks in your project. It can be developed based on historical information from past projects. The lowest level of the RBS can be used as a checklist, as in Figure-2. It is very quick to use and will identify a lot of risks. However, it should not be the only tool used for this purpose, because there are usually risks that are not listed in the checklist. If you depend only on the checklist, those other risks will be neglected.

 

Figure-2 : Risks Checklist

 

4 – SWOT Analysis


SWOT analysis is a well-known technique used to identify and evaluate the strengths and weaknesses of the project and the organization in order to find expected opportunities and threats. Table-1 shows an example of SWOT analysis.

Table-1: SWOT Analysis

5 – Risk Register

The risk register is an output of all the risk management processes that come after risk planning. It is a dynamic database that contains all the identified risks and is filled with information about these risks, such as description, category, probability, impact, planned response, person assigned for action, risk status, retained reserve for the risk, etc.

During the Identify Risks process, this table is filled with the risks along with their root cause and initial proposed response. Table-2 shows an example of the risk register up to this point.

 

Table-2 : Risk Register (Initial View)

 

 

Risk Planning


Usually, the risk plan is the first effort in project risk management. However, in some projects, the top management of the organization identifies high-level risks in the project charter, and these high-level risks are an input for the project manager that clarifies which risks are significant and important to top management.

The risk plan is a subsidiary plan of the project management plan that describes how risk management activities will be managed throughout the project phases. This plan serves as a guide to how you will accomplish all the activities of risk management. It defines the tools and approaches that will be used, roles and responsibilities, the estimated budget for these activities, risk categories, risk definitions, reporting formats, and auditing procedures.


In the next paragraphs, we show examples of some of these components of the risk management plan.


1 – Tools & Approaches


Risk management activities may be done manually or using computer software. These programs expedite, facilitate, and fully control the risk management activities. They can be integrated with other organization systems such as scheduling, costing, and ERP systems. Their capabilities are not limited to calculation and assessment; they can also track and communicate responsibilities to the team assigned to these tasks, and allow management to follow the status and take action.


2 – Roles and Responsibilities


Table-1 shows an example of the roles and responsibilities.

Team member name: Ahmed Arafa
Role: Risk Manager
Responsibilities:
1. Develop the risk management plan.
2. Manage the risk management team.
3. Follow up that risk management activities are being done in a valid manner and at the right time.
4. Monitor the contingency reserve and maintain the sufficiency of money in the reserve fund.
5. Report on risk management activities.

Team member name: Ayman Nagy
Role: Risk Software Admin
Responsibilities:
1. Administer the risk management program.
2. Maintain and monitor user privileges.

Team member name: Wael Samy
Role: Risk Engineer
Responsibilities:
1. Share in the identification of risks.
2. Develop the qualitative and quantitative analysis.

Table-1 : Roles and Responsibilities


3 – Timing and Frequency


Risk management activities are done according to a time schedule that is developed by the risk manager in conformity with the project management vision.


Figure-1 is an example of risk management activities time scheduling.

Figure-1 : Risk Activities Time Schedule


Risk management meetings can be held as separate meetings on a weekly, bi-weekly, or monthly basis. The common practice is to discuss risk management activities in the weekly progress status meeting.

 

4 – Risk Categories


Risk Categories can be illustrated in a list or a risk breakdown structure. Figure-2 is an example of risk breakdown structure.

 

Figure-2 : Risk Breakdown Structure

 

5 – Risk Definition


This is the classification criteria that will be used further in order to qualitatively assess risks. Table-2 shows an example of these limits.

Table-2 : Risk Classification Limits

 

6 – Risk Tracking and Report Formats


This defines how risks will be tracked during the project phases, and the formats of the risk reports that will be used to communicate risk information through vertical and horizontal communication channels.

Risk Processes


Association for the Advancement of Cost Engineering (AACE) structured the risk management steps as “(1) Planning, (2) Identification, (3) Assessment, (4) Analysis, (5) Mitigation, and (6) Follow-Up” (Skills & Knowledge of Cost engineering, Fifth Edition Revised, 2007, Page 31.2).


Project Management Institute (PMI) defines the risk management processes as “(1) Planning, (2) Identification, (3) Qualitative Analysis, (4) Quantitative Analysis, (5) Planning Response, (6) Monitor and Control.” (PMBOK Guide, 2013, Page 312)

 

What is Risk Management


The phrase “Risk Management” is used in several fields with different meanings. The most common use of the expression is in safety and health, where it refers to “Pure Risk”. The risk management covered in RMP-PMI is another type, which is referred to as “Business Risk”. The difference between these two types is as follows:


Pure Risk: The risk of loss (fire, theft, injury… etc.) that is insurable.
Business Risk: The risk of gain or loss that is related to business threats or opportunities.


Project Management Institute (PMI) defines risk as “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality” (PMBOK Guide, 2013, Page 310), where uncertainty is a lack of knowledge that reduces confidence in conclusions.


The common factors of risk management are:
– Probability: How likely, as a percentage, the risk is to occur.
– Impact: The range of possible outcomes, such as time, money, etc.
– Timing: When the risk is expected to take place.
– Frequency: How often the risk is expected to happen.


Through risk management you try to increase the probability and impact of opportunities while decreasing the probability and impact of threats. This action depends on the risk culture of the decision maker, which is referred to as risk tolerance. Risk tolerance defines the thresholds beyond which a risk becomes unacceptable. The best-known tolerances are:


Risk Averse: Someone who doesn’t want to take risks.
Risk Tolerant: Someone who doesn’t make a great effort to search for risk; however, when a risk comes to him, he exploits it.
Risk Seeker: Someone who spends a lot of time searching for risks.
