Disclaimer

This document is part of teaching materials for ICT PROJECT

MANAGEMENT under the Pokhara University syllabus for Bachelor in
Computer Engineering IV/I and Bachelor in Information Technology
Engineering IV/I. This document does not cover all aspect of learning
ICT PROJECT MANAGEMENT, nor are these be taken as primary
source of information. As the core textbooks and reference books for
learning the subject has already been specified and provided to the
students, students are encouraged to learn from the original sources
because this document cannot be used as a substitute for prescribed
textbooks..

Various text books as well as freely available material from internet

were consulted for preparing this document. Contents in This document
are copyrighted to the instructor and authors of original texts where
applicable

C@MUKUNDA PAUDEL 2022

ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

Unit 11: Project Risk Management

Project Risk Management includes the processes of conducting risk management planning,
identification, analysis, response planning, response implementation, and monitoring risk on a
project.
 The objectives of project risk management are to increase the probability and/or impact
of positive risks and to decrease the probability and/or impact of negative risks, in order
to optimize the chances of project success.
A risk is anything that could potentially impact your project’s timeline, performance or budget.
 Risks are potentialities, and in a project management context, if they become realities,
they then become classified as “issues” that must be addressed with a risk response plan.
 So Risk management, then, is the process of identifying, categorizing, prioritizing and
planning for risks before they become issues.
 Project Risk Management aims to identify and manage risks that are not addressed by the
other project management processes.
 All projects are risky since they are unique undertakings with varying degrees of
complexity that aim to deliver benefits. They do this in a context of constraints and
assumptions, while responding to stakeholder expectations that may be conflicting and
changing.
KEY CONCEPT
 Risk exists at two levels within every project.
 Project Risk Management processes address both levels of risk in projects, and these are
defined as follows:

1. Individual project risk

 An uncertain event or condition that that can affect the achievement of project
objectives, if it occurs, has a positive or negative effect on one or more project
objectives.
2. Overall project risk
 The effect of uncertainty on the project as a whole, arising from combination of
all sources of uncertainty including individual risks, representing the exposure of
stakeholders to the implications of variations in project outcome, both positive
and negative.
Individual project risks can have a positive or negative effect on project objectives if they occur.
Project Risk Management aims to exploit or enhance positive risks (opportunities) while
avoiding or mitigating negative risks (threats).
Unmanaged threats may result in issues or problems such as delay, cost overruns, performance
shortfall, or loss of reputation. Opportunities that are captured can lead to benefits such as
reduced time and cost, improved performance, or reputation.

1|Page
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

Negative Risk and Positive Risk

Negative Risk
 Implies something unwanted that has the potential to irreparably damage a
project, positive risks are opportunities that can affect the project in beneficial
ways.
 For Example:
 Project cost overrun
 Delay in completion (schedule risk)
Positive Risk
 May considered as opportunity if handled properly.
 There are many examples of positive risks in projects:
 You could complete the project early
 You could acquire more customers than you accounted for
 You could imagine how a delay in shipping might open up a potential
window for better marketing opportunities, etc.
 It’s important to note, though, that these definitions are not etched in stone. Positive risk
can quickly turn to negative risk and vice versa, so you must be sure to plan for all
eventualities with your team.

11.1 Reviewing Risk and Its Types

In project management, risk review is the process of identifying, analyzing, and evaluating
potential risks to a project. The goal of risk review is to understand the likelihood and impact of
each risk, so that the project team can develop strategies to mitigate or eliminate the risks, or at
least minimize their potential impact.
There are several types of risk that can be reviewed in a project, including:
Technical risks: These are risks related to the technical aspects of the project, such as the
reliability of technology, the complexity of the project, and the availability of necessary
resources.
Schedule risks: These are risks related to the timeline of the project, such as delays, missed
deadlines, and unexpected events that may disrupt the project schedule.
Cost risks: These are risks related to the budget of the project, such as cost overruns, unexpected
expenses, and changes in the economic environment that may affect project costs.
Quality risks: These are risks related to the quality of the project deliverables, such as defects,
errors, or omissions that may impact the project's quality standards.
Resource risks: These are risks related to the availability and allocation of resources, such as
personnel, equipment, and materials.

2|Page
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

External risks: These are risks that are outside the control of the project team, such as
regulatory changes, market conditions, or natural disasters.

11.2 Risk Management Processes

The Project Risk Management processes are (as per PMBOK)
1. Plan Risk Management:
 Process of defining how to conduct risk management activities for a project.
2. Identify Risk:
 Process of identifying individual project risks as well as sources of overall project
risk, and documenting their characteristics.
3. Perform Qualitative Risk Analysis:
 Process of prioritizing individual project risks for further analysis or action by
assessing their probability of occurrence and impact as well as other
characteristics.
4. Perform Quantitative Risk Analysis:
 Process of numerically analyzing the combined effect of identified individual
project risks and other sources of uncertainty on overall project objectives.
5. Plan Risk Responses:
 Process of developing options, selecting strategies, and agreeing on actions to
address overall project risk exposure, as well as to treat individual project risks.
6. Implement Risk Responses:
 Process of implementing agreed-upon risk response plans.
7. Monitor Risks:
 Process of monitoring the implementation of agreed-upon risk response plans,
tracking identified risks, identifying and analyzing new risks, and evaluating risk
process effectiveness throughout the project.

11.3. Planning Risk Management

 Plan Risk Management is the process of defining how to conduct risk management
activities for a project.
 This Process it ensures that the degree, type, and visibility of risk management are
proportionate to both risks and the importance of the project to the organization and other
stakeholders.
 This process is performed once or at predefined points in the project
 The Plan Risk Management process should begin when a project is conceived and should
be completed early in the project.
 It may be necessary to revisit this process later in the project life cycle, for example at a
major phase change, or if the project scope changes significantly, or if a subsequent
review of risk management effectiveness determines that the Project Risk Management
process requires modification.

3|Page
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

Inputs, Tools & Techniques and Outputs of the process: Plan Risk Management

Figure: Inputs, Tools & Techniques and Outputs of the process: Plan Risk Management

Risk Management Plan:

 The risk management plan is a component of the project management plan that describes
how risk management activities will be structured and performed.
 The risk management plan may include some or all of the following elements:
1. Risk strategy
2. Methodology
3. Roles and responsibilities
4. Funding
5. Timing
6. Risk categories
7. Stakeholder risk appetite
8. Definitions of risk probability and impacts
9. Probability and impact matrix
10. Reporting formats
11. tracking

Risk Categories:

 A common way to structure risk categories is with a risk breakdown structure (RBS),
which is a hierarchical representation of potential sources of risk.
 An RBS helps the project team consider the full range of sources from which individual
project risks may arise. This can be useful when identifying risks or when categorizing
identified risks.
 The organization may have a generic RBS to be used for all projects, or there may be
several RBS frameworks for different types of projects, or the project may develop a
tailored RBS. Where an RBS is not used, an organization may use a custom risk
categorization framework, which may take the form of a simple list of categories or a
structure based on project objective.

4|Page
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

Figure: Extraction of different risk by Sample Risk Breakdown Structure (RBS)

5|Page
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

Definitions for Probability and Impacts

The project may generate specific definitions of probability and impact levels or it may start with
general definitions provided by the organization. The number of levels reflects the degree of
detail required for the Project Risk Management process, with more levels used for a more
detailed risk approach (typically five levels), and fewer for a simple process (usually three)

Figure: Example of Definitions for Probability and Impacts

Probability and Impact Matrix

Figure: Example Probability and Impact Matrix with Scoring Scheme

6|Page
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

11.4. Reviewing Risk Identification

 You can’t resolve a risk if you don’t know what it is.

 There are many ways to identify risk. As you do go through this step, you’ll want to
collect the data in a risk register.
 One way is brainstorming with your team, colleagues or stakeholders.
 Next way is find the individuals with relevant experience and set up interviews so
you can gather the information you’ll need to both identify and resolve the risks.
 Think of the many things that can go wrong. Note them. Do the same with historical data
on past projects. Now your list of potential risk has grown.
 Make sure the risks are rooted in the cause of a problem. Basically, drill down to the root
cause to see if the risk is one that will have the kind of impact on your project that needs
identifying.
Identify Risks is the process of identifying individual project risks as well as sources of overall
project risk, and documenting their characteristics.
 This process is the documents existing individual project risks and the sources of overall
project risk.
 It also brings together information so the project team can respond appropriately to
identify risks.
Participants in risk identification activities may include,
 Project manager,
 Project team members,
 Project risk specialist (if assigned),
 Customers,
 Subject matter experts from outside the project team,
 End users,
 Other project managers,
 Operations managers,
 Stakeholders, and
 Risk management experts within the organization.

 Identify Risks is an iterative process, since new individual project risks may emerge as
the project progresses through its life cycle and the level of overall project risk will also
change.
 The frequency of iteration and participation in each risk identification cycle will vary by
situation, and this will be defined in the risk management plan.

Inputs, Tools & Techniques, and Outputs of the process: Identify Risks

7|Page
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

Figure: Inputs, Tools & Techniques, and Outputs of the process: Identify Risks

11.5. Reviewing Risk Analysis

 Analyzing the Risk.
Risk analysis provides guidance on where the greatest vulnerabilities lie. Because risk analysis is
fundamentally perception based, it is important for the project professional to engage
stakeholders early to identify risks.
To make sense of differing perceptions, it is important to describe risk events clearly, separating
causes (facts now), from risk events (situations that may occur), from effects (that have an
impact on one or more of the project measures). This enables subsequent analysis and
management of risks.
 Analyzing risk is hard.
 Company can have the best practices and framework for the risk analysis process by
gathering a lot of data.
Once you identify risks, you can begin to analyze them.

8|Page
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

 Many implications, such as avoiding future lawsuits, addressing regulatory difficulties,

complying with new legislation, lowering project risk, and minimizing its impact, can be
proactively addressed.
Risk analysis is a process that is used to identify and analyze potential problems that could
negatively impact the project.
 This step includes analyzing the likelihood / probability, severity, and response plan for
each risk you have found.
 While determining project risks' severity it is important to consider how the risk will
affect the project's goals, can it cause a delay in its completion, undermine the budget or
other resources, etc. For that reason, the best option is to include the opinions of a project
team or key stakeholders in this step.
 The response plan you come up with for each risk is what the project team will use when
the risk arises to quickly address it.
So, how do you analyze risk in your project?
 Through qualitative and quantitative risk analysis, you can determine how the risk is
going to impact your schedule and budget.

11.6. Qualitative and Quantitative Risk Assessment Processes

 An important aspect of managing risk is performing risk assessments at regular intervals.
 Risk assessments are essentially a single point in time in your larger risk management
process, and to ensure an accurate, responsive process, each assessment should be
undertaken with precision and thorough planning.
 Each assessment is an audit of company’s threat landscape. They should examine if any
new threats have developed since the previous assessment, if any old threats still linger,
and what methods can be taken to mitigate these threats.
Qualitative Risk Assessment Process
 Qualitative risk assessment focuses on the probability of a threat occurring and how it
will impact the project (such as financially, legally, in reputation, etc.)
 This is Subjective Process.
 i.e. Process of prioritizing individual project risks for further analysis or action by
assessing their probability of occurrence and impact as well as other characteristics.
 It focuses efforts on high-priority risks (i.e. the goal is to determine severity) and
Results are then recorded in a Risk Assessment Matrix (or any other form of an
intuitive graphical report) in order to communicate outstanding hazards to
stakeholders.
 Perform Qualitative Risk Analysis also lays the foundation for Perform Quantitative Risk
Analysis if this process is required (i.e. qualitative risk analysis process always preceded
the quantitative risk analysis process.)

9|Page
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

Many businesses prefer to use the qualitative risk analysis method solely for smaller projects
because the quantitative risk analysis approach is resource and time-intensive.
In qualitative risk analysis, risks are rated according to how serious and likely they are to have
an impact on various stakeholders. This process aims to generate a list of prioritized risks to
focus on.

Qualitative risk analysis examines the risks for severity and likelihood of occurrence during the
course of the project. After that, you will find the risk ratings using the risk assessment matrix.
The risk rating can be high, serious, medium and low.

You will order the risks on a risk assessment matrix as shown below.

Figure: Risk Assessment Matrix (RAM) for Qualitative Risk Assessment Process [IS: Internet]
How?
 Qualitative risk assessments work best when they are based on the personal experiences
of your subject matter experts. Because the accuracy of these kinds of assessments is
dependent upon a subjective rating system.

10 | P a g e
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

 It is important for assessors to have industry expertise, knowledge of your business

including strengths, weaknesses and potential threats, and risk management experience.
 The success of the process also depends on having a well-established and understood
system for recording assessments and interpreting their results.
Example-1:
Initially, the absence of a team member is considered a low-rank risk, but when her absence
starts causing trouble, the project managers increase the risk rating. This is an example of a
change in perception of risk.
Example-2:
The project was running in full swing, and suddenly, the rain started. This was an identified risk,
but due to rain, some areas became slippery and caused several near-misses. This risk was not
identified, so the project manager noted this as a new risk. This is an example of new risk
identification.
Inputs, Tools & Techniques, and Outputs for the process: Qualitative Risk Analysis /
Assessment:

Figure: Inputs, Tools & Techniques, and Outputs for the process: Qualitative Risk Analysis /
Assessment.
Quantitative Risk Analysis process
 The quantitative risk analysis process is objective because it uses mathematical
calculations and verifiable data to analyze the effects of risk in terms of cost overruns,
scope creep, resource consumption, and schedule delays

11 | P a g e
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

 Calculating risk using objective data is known as quantitative risk analysis.

 You will use verifiable data to examine the impact of risk on your project
objectives during this process such as schedule baseline, cost baseline, scope baseline,
etc.
After performing a qualitative risk analysis, the quantitative risk analysis process is carried
out. Organizations utilize this procedure for significant and complicated initiatives since it
demands resources and time.
Perform Quantitative Risk Analysis is the process of numerically analyzing the combined effect
of identified individual project risks and other sources of uncertainty on overall project
objectives.
 The key benefit of this process is that it quantifies overall project risk exposure, and it
can also provide additional quantitative risk information to support risk response
planning
 Quantitative assessments are particularly useful for a complex risk management process
that involves looking at a large project or company area.
 It leads to more objective results by attaching numerical values, such as money or time,
to the risk.
 By using historical data to determine the probability of a risk scenario occurring and
numerical values such as money, time or lost assets to determine risk impact, a
quantitative risk assessment provides an accurate reflection of your threat landscape.
 Quantitative risk analysis usually requires specialized risk software and expertise in the
development and interpretation of risk models.
 It also consumes additional time and cost. The use of quantitative risk analysis for a
project will be specified in the project’s risk management plan.
It is most likely appropriate for large or complex projects, strategically important projects,
projects for which it is a contractual requirement, or projects in which a key stakeholder
requires it. Therefore it is not done for every project.
 Quantitative risk analysis is the only reliable method to assess overall project risk through
evaluating the aggregated effect on project outcomes of all individual project risks and
other sources of uncertainty.
Example:
Your organization gets a project to build a Cricket Stadium. This is a large and multi-year project
and is estimated to be completed in five years. For risk analysis of this project, you have started
collecting data. It took two months for you to collect the data. Now you have started the
quantitative risk analysis process. This is an example of large data on the risk and its impact.
You have completed qualitative risk analysis and see that many risks have a high rating score
above seven (up to a rank scale of 10). Therefore, you want to perform a quantitative risk
analysis to calculate the risk impact and get resources from the management. This is an example
of qualitative risk analysis that needs to be validated.

12 | P a g e
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

Inputs, Tools & Techniques, and Outputs of the process: Quantitative Risk Analysis /
Assessment Process

Figure: Inputs, Tools & Techniques, and Outputs of the process: Quantitative Risk Analysis /
Assessment Process
Which Risk Assessment process is better for Risk Management?
 The quantitative approach to risk analysis is better for managing the risk of modern
projects. (especially in case of large and complex project )
 It provides a better means of understanding how risk and uncertainty affect project
outcomes.
But, that doesn't mean that qualitative risk analysis is totally useless. For smaller project
qualitative analysis is sufficient.
 By ranking severity in broader terms, qualitative risk analysis is useful for gauging
probability and prioritizing risk in a way that’s easy for non-project controls people to
understand. This can help with stakeholder buy-in by offering a small sample of the
wider risk landscape.
 Quantitative risk analysis relies on accurate statistical data to produce actionable insights
Difference between Qualitative and Quantitative Analysis
S.N Qualitative Risk Assessment Quantitative Risk Assessment
1. Qualitative risk assessment should help Qualitative risk assessments utilize
you prioritize and manage risk better as knowledge and experience to determine risk
well as utilize your time and resources probability.
more wisely.

13 | P a g e
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

2. It is more useful and sufficient for small It is more useful for a large and complex
projects. But used in all size projects. projects.
3. Qualitative assessments lack a level of A quantitative risk assessment will deliver
accuracy that must be understood going more accurate information but can be
into the process; these are not objective, impractical if you don’t have the
numerical data but opinions and infrastructure to obtain high quality data and
judgments of those with knowledge of perform analyses.
your company and the industry.
4. It relies on the expertise level of involved Quantitative risk assessment relies on
individual in risk analysis. objective, measurable data to provide
insights into your risk management process
5. Should done first Should done after performing qualitative
analysis
6. Risk scale and scores are qualitative Risk scale and scores are quantitative -often
specified in monetary and duration terms
7. Does not require a software tool Software tools facilitate the process
8. Provides quick information Provides detailed information

11.7. Risk Response Planning

 Risk response planning is the process of developing options and determining actions to
enhance opportunities and reduce threats to the project`s objectives.
 It includes the identification and assignment of individuals or parties to take
responsibility for each agreed risk response.
 This process ensures that identified risks are properly addressed.
 Before you respond to risk, you have to identify it. Identifying risks is only the beginning.
 It’s part of the larger risk management plan that is subsequently part of any project
management plan.
 The effectiveness of response planning will directly determine whether risk increases or
decreases for the project.
 Effective and appropriate risk responses can minimize individual threats, maximize
individual opportunities, and reduce overall project risk exposure.
 Unsuitable risk responses can have the converse effect.
 Once risks have been identifiedanalyzedand prioritizedresponse plans should be
developed by the nominated risk owner for addressing every individual project risk the
project team considers to be sufficiently important, either because of the threat it poses to
the project objectives or the opportunity it offers. T
 he project manager should also consider how to respond appropriately to the current level
of overall project risk
Risk response planning must be appropriate to the severity of the risk, cost effective in meeting
the challenge, timely to be successful, realistic within the project context, agreed upon by all
parties involved, and owned by a responsible person.
 You may need project management software to manage those risks.
14 | P a g e
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

Inputs, Tools & Techniques, and Outputs of process: Risk Response Planning

Figure: Inputs, Tools & Techniques, and Outputs of process: Risk Response Planning
Risk Response Strategies:
 Several risk response strategies are available. The strategy that is most likely to be
effective should be selected for each risk.
 For Negative risk and positive risk, there can be different strategies.
Response strategies for Negative Risk (THREATS) includes Following.
1. Avoid Risk:
 Risk avoidance is changing the project plan to eliminate the risk or condition or to
protect the project objectives from its impact.
 Although the project team can never eliminate all risk events, some specific risks
may be avoided.
 Some risk events that arise early in the project can be dealt with by clarifying
requirements, obtaining information, improving communication, or acquiring
expertise.
For Example: Reducing scope to avoid high-risk activities, adding resources or time,
adopting a familiar approach instead of an innovative one, or avoiding an unfamiliar
subcontractor etc.
Example: suppose your project is to design a Telecommunication Tower. Let's say
that during the design phase someone identified a risk of corrosion in the frame used

15 | P a g e
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

of the Tower. If this corrosion were severe enough, it could cause a failure in the
frame. This failure could cause serious loss at the time of failure.
The strategy exercised by the project team on this project is to redesign the
components that are corrosion problems and use a corrosion resistant material such as
stainless steel. This avoids the problem of corrosion in the tower frame identified as
risky.
The avoidance strategy cannot completely eliminate the risk. In this example, even
though the tower is redesigned in stainless steel, after twenty it might still corrode
enough to fail due to various environmental factors, but the probability becomes so
small that the risk is, for all practical purposes, eliminated.
2. Transfer Risk:
 Risk transfer is seeking to shift the consequence of a risk to a third party together
with ownership of the response.
 Transferring the risk simply gives another party responsibility for its
management, it does not eliminate it.
 Transferring liability for risk is most effective in dealing with financial risk
exposure.
 Risk transfer nearly always involves payment of a risk premium to the party
taking on the risk.
 It includes the use of insurance, performance bonds, warranties, and guarantees.
Contracts may be used to transfer liability for specified risks to another party.
3. Mitigate Risk:
 Mitigation seeks to reduce the probability and/or consequences of an adverse risk
event to an acceptable threshold.
 Taking early action to reduce the probability of a risk´s occurring or its impact on
the project is more effective than trying to repair the consequences after it has
occurred.
 Mitigation costs should be appropriate, given the likely probability of the risk and
its consequences.
 Risk mitigation may take the form of implementing a new course of action that
will reduce the problem. For Example: Adopting less complex processes,
conducting more seismic or engineering tests, or choosing a more stable seller.
 It may involve changing conditions so that the probability of the risk occurring is
reduced. For Example: Adding resources or time to the schedule. It may require
prototype development to reduce the risk of scaling up from a bench-scale model.
 Where it is not possible to reduce probability, a mitigation response might address
the risk impact by targeting linkages that determine the severity. For example:
designing redundancy into a subsystem may reduce the impact that results from a
failure of the original component.
4. Accept Risk:

16 | P a g e
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

 Risk acceptance acknowledges the existence of a threat, but no proactive action is

taken.
 This strategy may be appropriate for low-priority threats, and it may also be
adopted where it is not possible or cost-effective to address a threat in any other
way.
 Acceptance can be either active or passive.
 The most common active acceptance strategy is to establish a contingency
reserve, including amounts of time, money, or resources to handle the threat if it
occurs.
 Passive acceptance involves no proactive action apart from periodic review of the
threat to ensure that it does not change significantly.
Risk Response Strategy for Positive Risk (OPPORTUNITY) are following
1. Exploit Risk:
 Do some extra work or change the project plan to make an opportunity happen:
 Plan risky work packages for the most experienced team members.
 Suggest a better approach to reduce the required efforts.
 Suggest a solution to get a new contract from the client.
 Finish the current project earlier to get another project.
2. Enhance Risk:
 Do something to increase the chances or impact of an opportunity:
 Buy the equipment beforehand when the price is lower.
 Negotiate the transfer of exceptional expert to your team as early as possible.
 Promise incentives to the team to finish a project beforehand to start a new one.
 Examples of enhancing opportunities include adding more resources to an
activity to finish early.
3. Share Risk:
 Share benefits with another party for an opportunity to happen for both of you.
 Create a partnership with a third party to achieve your goals.
4. Accept Risk:
 Accepting an opportunity acknowledges its existence but no proactive action is
taken.
 This strategy may be appropriate for low-priority opportunities, and it may also be
adopted where it is not possible or cost-effective to address an opportunity in any
other way.
 You can actively and passively accept opportunities as well as threats.
5. Escalate Risk:
 This risk response strategy is appropriate when the project team or the project
sponsor agrees that an opportunity is outside the scope of the project or that the
proposed response would exceed the project manager’s authority.
 Escalated opportunities are managed at the program level, portfolio level, or other
relevant part of the organization, and not on the project level.

17 | P a g e
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

 The project manager determines who should be notified about the opportunity and
communicates the details to that person or part of the organization.
 It is important that ownership of escalated opportunities is accepted by the
relevant party in the organization.
 Opportunities are usually escalated to the level that matches the objectives that
would be affected if the opportunity occurred.
 Escalated opportunities are not monitored further by the project team after
escalation, although they may be recorded in the risk register for information
Note: Overall Risk Response Strategy includes, all the strategy of positive and negative risk.
Exam Capsule:
Strategy for Threats
 Avoid: Remove the threat completely
 Transfer: Find a third party who can manage the threat on our behalf
 Mitigate: Make the probability and/or impact smaller
 Accept: Take no proactive action, but prepare a contingency plan in case the
threat occurs
Strategy for Opportunity
 Exploit: Ensure the opportunity definitely occurs
 Share: Involve a third party in managing the opportunity
 Enhance: Increase the probability and/or impact
 Accept: Take no proactive action, but prepare a contingency plan in case the
opportunity occurs

Implement Risk Response:

Implement Risk Responses is the process of implementing agreed-upon risk response plans. The
key benefit of this process is that it ensures that agreed-upon risk responses are executed as
planned in order to address overall project risk exposure, minimize individual project threats, and
maximize individual project opportunities. This process is performed throughout the project.
Proper attention to the Implement Risk Responses process will ensure that agreed-upon risk
responses are actually executed. A common problem with Project Risk Management is that
project teams spend effort in identifying and analyzing risks and developing risk responses, then
risk responses are agreed upon and documented in the risk register and risk report, but no action
is taken to manage the risk.

Only if risk owners give the required level of effort to implementing the agreed-upon responses
will the overall risk exposure of the project and individual threats and opportunities be managed
proactively.

18 | P a g e
Pokhara University BE-Computer & BE-IT, IV/I
ICT Project Management Er. Mukunda Paudel
Paudelmuku@[Link]

11.8. Monitor / Controlling Risk

 Risk monitoring control is the process of keeping track of the identified risks, monitoring
residual risks and identifying new risks, ensuring the execution of risk plans, and
evaluating their effectiveness in reducing risk.
 The key benefit of this process is that it enables project decisions to be based on current
information about overall project risk exposure and individual project risks. This process
is performed throughout the project.
 In order to ensure that the project team and key stakeholders are aware of the current
level of risk exposure, project work should be continuously monitored for new, changing,
and outdated individual project risks and for changes in the level of overall project risk
by applying the Monitor Risks process.
The Monitor Risks process uses performance information generated during project execution to
determine if:
 Implemented risk responses are effective
 Level of overall project risk has changed
 Status of identified individual project risks has changed
 New individual project risks have arisen
 Risk management approach is still appropriate
 Project assumptions are still valid
 Risk management policies and procedures are being followed
 Contingency reserves for cost or schedule require modification
 Project strategy is still valid.

Inputs, tools and techniques, and outputs of the process: Monitor / Controlling Risk

Figure: Inputs, tools and techniques, and outputs of the process: Monitor / Controlling Risk

**End of Unit 11**

19 | P a g e
Pokhara University BE-Computer & BE-IT, IV/I