Advanced Risk Management

An in-depth look at risk management topics that extend well beyond the basic requirements for the PMP examination.

Topics included in Advanced Risk Management:

- Practical Risk Management Overview
- Risk Assessment & Management
- Probability, Standard Deviation & Statistics
- PERT and Monte Carlo
- Contingencies, Reserves & Averages
- Practical Risk Management Tools & Courses
- Industry Perspectives
- Complexity & People
- Useful External Web-links & Resources.

Other related sections of the PMKI:

- Risk Management (basic PMBOK)

Practical Risk Management Overview

Each risk is something in the future which may, or may not, occur. This concept is vital to a proper understanding of risk and planning its management. Risks do not yet exist; indeed they may never exist at all. This makes them quite different from things which have happened in the past or which currently exist in the present. They are different from issues, problems or constraints; past and present events can be analyzed and measured, but future events can only be imagined or estimated by people and these estimates will be influenced by the people's perceptions and past experiences. To manage risk effectively you need to deal with both the positive and negative uncertainties that matter by following a structured process that takes into account the affected people's risk tolerance. The PMBOK® Guide focuses on the probability of a risk occurring and the likely impact if it happens. Practical risk assessments expand on these basic elements to define a more complete range of criteria and the effect of cognitive bias on people's ability to make rational assessments of any potential gain or loss.

It is a simple fact of life that all project work operates in the presence of uncertainty and uncertainty comes in only two forms:

  • Epistemic uncertainty, which is reducible, meaning we can take specific actions to reduce the uncertainty that creates the risk. Those risk handling activities are placed in the project, budgeted, scheduled, and tracked for progress toward their planned reduction.
  • Aleatory uncertainty, which is irreducible, meaning we can only provide margin to protect the project from the risk created by this uncertainty. The amount of margin needed is modeled with Monte Carlo Simulation, assigned to appropriate points in the project and tracked through a margin burndown chart.

In addition to these known unknowns that can be assessed, there are also two types of unknown unknowns: knowable unknowns and unknowable unknowns.

  • Knowable unknowns can be identified and brought into an effective risk management process.
  • Unknowable unknowns are intrinsically unmanageable. There will always be some unforeseeable surprises ranging from minor annoyances through to Black Swans waiting to surprise you. Resilience is needed to deal with the consequences as the risk unfolds.

The ultimate aim of risk management is to manage the risks affecting your project, not to simply list and analyze them. The resources on this page focus on practical risk management. We define this as applying sufficient effort to achieve a realistic modification in the risk exposure of your project (or program) whilst recognizing it is impossible to remove all risk and any effort spent on risk minimization should be offset by an increase in the expected value of the project.


PP: The Meaning of Risk in an Uncertain World. Risk management is one of the least appreciated aspects of modern management. Most organizations are excessively risk averse, and in their attempts to avoid ‘all risk’ expose themselves to more adverse outcomes than if they actively embraced and managed risk. No client can avoid the ultimate risks associated with its project such as the liquidation of its prime contractor; these major events inevitably impact the client and by attempting to quarantine itself from ‘all risk’, the client simply passes the benefit of any favorable outcomes to its contractor. The example used in this paper of the impossibility of avoiding, or contracting out of, ‘all risk’ is the 'new' Wembley Stadium, delivered years late and $millions lost. Contrast Wembley with BAA’s Terminal 5 project at Heathrow and the need for an effective risk attitude by organizations becomes obvious.

British Airports Authority’s management set out to actively manage ‘all risks’ in the Terminal 5 project and delivered one of the most successful major construction projects in Europe. By effectively engaging in its project, BAA could help mitigate adverse risk events and collect benefits from favorable risk outcomes. In this context, ‘effective engagement’ included both having the right risk attitude, as well as being a knowledgeable client that could partner effectively with its contractors to proactively manage project risk. Unfortunately the proactive engagement with managing risk did not flow through to the opening of T5.....

This paper describes the key aspects of risk management needed from the client, the contracting organization and the project to optimize overall risk management and places risk management within a 'Complexity Theory' and stakeholder management framework. Particular focus is on reducing the variability in projected outcomes (closing in on the Mean) to minimize the contingencies needed to compensate for expected variability, and the competencies required at each level to manage risk events to optimize project outcomes in a complex environment.

Prs: Portfolio governance and risk – it’s all about the stakeholder. There is no such thing as a ‘risk free’ project and the art of portfolio management is to balance the risks and rewards of investing in projects, whilst keeping the overall risk exposure at a level that is acceptable to the organization, and still generate the expected rewards.

Blg: The language used to define risks can contribute to failure. A corporate culture that prevents the honest description of a risk or allows imprecise definitions is a significant threat to pragmatic risk management.



Risk Assessment & Management

To manage risk effectively you need to deal with the uncertainties that matter by following a structured process that takes into account the people aspects (e.g., risk tolerance).

WP: Risk Management. Managing risks is important because it focuses attention on the uncertainties that matter. This paper looks at the core elements of risk management.

WP: Types of Risk. Risks fall into four broad categories and are created by a variety of factors outlined in this paper.

WP: Risk Assessment. Risks always involve uncertainty, and matter because they have the potential to affect objectives. This means that each risk must be linked to at least one objective and its potential impact assessed objectively.

Art: Risk Reassessment - the role of ‘sentinels’. An element in most risk processes is identifying ‘risk triggers’ or early warning indicators that tell management a risk event is likely to occur before the main impact hits.

WP: Issues Management. An issue is a current problem that will negatively impact the successful delivery of the project if it is not managed effectively, but issues are not all equally important.

WP: Root cause analysis. Some valuable techniques for understanding the root cause of a problem or an issue in complex situations.

Blg: Black Swan Risks. The key definition of a ‘black swan’ proposed by N.N. Taleb is that the ‘black swan’ was unpredicted and unpredictable, but in hindsight it appears that it should have been foreseeable.

Blg: Resilience v Risks. Resilience is the ability of a system to return to its original state after being disturbed. Build resilience into your business unit or project team and you have the capacity to deal with the consequences of unforeseen risks.



Probability, Standard Deviation & Statistics

WP: Probability. Modern risk management practices have developed analytical methodologies to determine the probability of events occurring (or not occurring) that allow contingencies to be calculated based on mathematical certainties.

Art: Probability -v- luck - Should we give up our day-job?  Good processes help build success but you should not confuse luck with skill. Persistence will generate more opportunities for you to be lucky, and skill or capability will shift the odds in your favour but randomness rules!

Art: Standard Deviation for Project Managers. The concepts behind Standard Deviation and how it is used.

Blg: What’s the Probability?? A quick look at probability and its effect on schedule completion.



PERT and Monte Carlo

Art: Predicting Future Project Outcomes - The power of uncertainty. Understanding the way Monte Carlo, Latin hypercube and Sampling work to inform risk management decisions.

PP: Scheduling in the Age of Complexity. This paper suggests that a radically different approach is needed to make scheduling relevant and useful in the 21st Century.

WP: Understanding PERT. PERT is the oldest and arguably the least effective / least accurate way to model the uncertainty associated with every estimate used in a schedule. See why!

Art: Sensitivity Analysis. The application of sensitivity analysis to schedule activities.



Contingencies, Reserves & Averages

Art: Distributed -v- Consolidated Contingencies - The power of Portfolios. The effect of combining uncertainties into a ‘portfolio’ of risks is to reduce the overall level of uncertainty in the portfolio.

Art: Risks don't add up. Understanding the difference between individual project risks, the overall risk of a project and the risks associated with a portfolio of projects is complicated but essential for effective risk management.

Blg: The flaw of averages. The flaw of averages defined in a book of the same name states that any plan based on average assumptions is wrong on average!

Blg: Averaging the Power of Portfolios. The interaction between dependent risk and independent risk is interesting and will significantly change the overall probability of success or failure of an endeavour or organization.

Blg: A Long Tail. The difference between 'bounded' and 'unbounded' populations in determining the reliability of an 'average'.



Practical Risk Management Tools & Courses

Practical Risk Management Tools

Risk Register - Excel Template.

A practical template for identifying and prioritizing the risks associated with a project or program.

For each risk you can:
- Define the risk category and allocate a short name.
- Describe the risk using an effective 'risk meta language'. All you have to do is 'fill in the gaps'.
- Prioritise the risk using a powerful qualitative assessment process developed for a US1 billion oil
- Determine the optimum response.

The spreadsheet compiles the risk data for transfer into the risk management plan. The spreadsheet contains a comprehensive 'help' page focused on implementing effective risk management (included in the Sample). This is a very robust, easy to use tool that ensures that all of the identified risks are effectively managed (maximum number of risks per spreadsheet = 200).

Download a free sample: Download Sample Spreadsheet

Buy the full version. Spreadsheet price: Australian $20.00

Risk Management Plan - Excel Template.

A practical template for pro-actively managing the risk treatments outlined in the risk register.

For each risk you:
- Copy the information from the risk register focusing on the urgent and important risks.
- Define the actions needed to implement an effective risk treatment.
- Allocate a responsible manager for each action (as well as for the overall risk).
- Monitor the status of the action including the transfer of appropriate information into the project schedule and cost plan.
- Keep notes to track decisions and sequence actions.

This is a simple tool that provides the critical link between identifying risks in the Risk Register and implementing the actions needed to treat the risks.

Download a free sample: Download Sample Spreadsheet

Buy the full version. Spreadsheet price: Australian $10.00


The Standard for Risk Management in Portfolios, Programs, and Projects

The Standard for Risk Management in Portfolios, Programs, and Projects is an update and expansion upon PMI’s popular reference, The Practice Standard for Project Risk Management. The standard focuses on the “what” of risk management (i.e., the key considerations for effective risk management). It is primarily written for portfolio, program, and project managers, but is a useful tool for leaders in risk management, business consumers of risk management, and other stakeholders of the portfolio, program, and project management professions.

It helps:
- Identify the core principles for risk management,
- Describe the fundamentals of risk management and the environment within which it is carried out,
- Define the risk management life cycle, and
- Apply risk management principles to the portfolio, program, and project domains within the context of an enterprise risk management approach.

Buy the Standard - Australian sales only


Risk Management Software

Visit our project controls software page


Mosaic's Risk Training

Mosaic's 1 Day Risk Management Workshop will provide trainees with the framework needed to effectively manage risk in a project environment. This course includes calculations based on Decision Trees, EMV, PERT, etc. and an in-depth analysis of the case study using Mosaic's Excel templates for the Risk Register and Risk Management Plan.

View the Course Details.




Industry Perspectives

PP: Construction - A Risky Business. This paper identifies some of the factors creating risk in the Australian construction industry and suggests ways to better align risk and reward.

PP: Risk Attitudes in the Construction Industry - Avoidance Does Not Work. Most client organizations are excessively risk averse, and in their attempts to avoid ‘all risk’ expose themselves to more adverse outcomes than if they actively embraced and managed risk.

Blg: The Schedule Compliance Risk Assessment Methodology (SCRAM). SCRAM focuses on schedule feasibility and root causes for slippage. It makes no judgment about whether or not a project is technically feasible.



Complexity and People

Prs: Risk Management and Complexity Theory - The Human Dimension of Risk. The key aspects of risk management from the perspective of complexity theory and human interactions, with a view to optimizing the overall risk management for a project and its host organization.

PP: A Simple View of ‘Complexity’ in Project Management.  Complexity theory helps understand the social behaviours of teams and the networks of people involved in and around a project. This paper traces the development of ‘Complexity Theory’ from its origins in Chaos Theory and develops a range of practical suggestions for improving the effectiveness of both communication practice and risk management practice within project management practice based on insights derived from ‘complexity theory’.

Blg: Stakeholders and Risk. One of the interesting similarities between stakeholder management and risk management is the challenge of knowing what we know and more importantly understanding what we don’t or can’t know.

Blg: Stakeholder Risk Tolerance. The skill that a mature organization brings to the art of ‘risk management’ is to focus effort on managing risks that can be managed, providing adequate contingencies for those risks that cannot be controlled and deciding how much residual risk is sensible.

Blg: Stakeholders and Reputational Risk. Your reputation is created in the minds of other people - creating it, managing it, and protecting it is hard work.



Useful External Web-links & Resources

M_o_R - Management of Risk. A route map for risk management.

ATOM Risk Management - Active Threat & Opportunity Management, a practical method for managing risk on projects (book).

Risk Doctor - Papers, books and advice on project risks by Dr David Hillson.


