APPENDIX X6
TECHNIQUES FOR THE RISK MANAGEMENT FRAMEWORK

Many techniques are in widespread use to support risk management processes. This appendix provides examples and highlights some of the most common and effective techniques that support the risk management life cycle. This information is not intended to explain the techniques in detail but to list their most important characteristics. Those who are interested in learning more are encouraged to seek additional sources of information.

There are three major types of techniques: templates and lists, process techniques, and quantitative techniques. Templates and lists are designed to reflect industry and internal benchmarks and best practices as well as lessons learned. Process techniques make it easier to manage the risk management process and range from basic documents and spreadsheets to automated processes. Quantitative techniques support the analytical aspect of considering options and consequences in definitive terms.

The following sections describe some of the more popular techniques for each stage of the risk management framework. This list is not exhaustive, and several techniques are useful for more than one stage. Section X6.8 maps techniques to the risk management stages where they may be useful.

X6.1 RISK MANAGEMENT PLANNING

Plan Risk Management defines the approach to be followed for managing risks throughout the life cycle of the corresponding portfolio, program, or project. Planning sessions are recommended in order to build a common understanding of the risk approach between stakeholders and to gain agreement on the techniques to be used for managing risk. The risk management planning phase is usually supported by templates. The results of risk management planning are documented in the risk management plan. An overview of the key areas of focus is provided in Figure X6-1.

Depending upon the size and complexity of the work, some or all of the following elements are present in a risk management plan:

  • Introduction,
  • Portfolio, program, or project description,
  • Risk management methodology,
  • Risk management organization,
  • Roles, responsibilities, and authority,
  • Stakeholder risk appetite,
  • Criteria for success,
  • Risk management techniques and guidelines for use,
  • Thresholds and corresponding definitions,
  • Templates,
  • Communications management plan,
  • Strategy, and
  • Risk breakdown structure.

There are several software tools available to assist with risk management planning. While not discussed here, many of the techniques listed in the following sections are incorporated in risk management software.

X6.2 IDENTIFY RISKS

Risk identification is carried out in order to develop a comprehensive list of all known uncertainties that could have an effect on the portfolio, program, or project. All risk identification techniques have strengths and weaknesses. Best practices suggest using more than one technique to identify risks to compensate for any one technique's shortcomings and to increase risk identification rates. The main assumption in identifying risks is that biases and an array of human behavior patterns stand in the way of identifying unknown risks and lead to identifying, emphasizing, or prioritizing the wrong risks. Some risk identification techniques are more helpful in identifying threats than opportunities or vice versa. It is important to balance the techniques used to target both threats and opportunities.

Whichever risk identification techniques are used, it is important that identified risks are unambiguously described in order to ensure that the risk process is focused on the actual risks and not distracted or diluted by nonrisks. Use of structured risk descriptions can ensure clarity. Risk metalanguage offers a useful way of distinguishing a risk from its cause(s) and effect(s) by describing each risk using a three-part statement in the following form: “As a result of cause, risk may occur, which would lead to effect.” The relationship between cause, risk, and effect is shown in Figure X6-2.

Risks can be identified based on checklists and templates, individual assessments, group risk assessments, external risk identification, etc. Individual assessments are performed by a single individual, whether an expert, stakeholder, or other participant. Individual risk assessments can be combined to create the overall risk register. Outside risk assessments can be generated by the enterprise risk management (ERM) function within the organization or provided by an outside source, such as a customer or supplier.

Sections X6.2.1 through X6.2.14 describe some of the common techniques for risk identification. Refer to Section X6.8 for other risk management framework stages where the technique may prove useful as well.

X6.2.1 ASSUMPTIONS AND CONSTRAINTS ANALYSIS

Assumptions are used to determine risk impact. They are statements that are accepted as true but need to be validated and continually reviewed during the iteration process and throughout the risk management work related to portfolio, program, and project life cycles. This technique requires three steps: (1) list the assumptions; (2) test their validity; and (3) identify impacts on the project, program, or portfolio. An example is shown in Figure X6-3.

Another way of approaching assumption and constraint analysis is to use the following logic sequence:

  • List the assumption or constraint.
  • Test the assumption or constraint by asking two questions:
      ◦ Could the assumption/constraint be false?
      ◦ If it were false, would one or more objectives be affected (positively or negatively)?
  • Where both questions are answered “Yes,” generate a risk, for example, in the form: <Assumption/constraint> may prove false, leading to <effect on objective(s)>.

X6.2.2 BRAINSTORMING

Brainstorming is a technique for generating spontaneous ideas either individually or from a group of people. When brainstorming is used as a group risk identification method, the ideas and thoughts of one individual serve to stimulate ideas in the other participants.

X6.2.3 CAUSE AND EFFECT (ISHIKAWA) DIAGRAMS

The cause and effect diagram or fishbone diagram (see Figure X6-4) is used to display root causes of risk visually, allowing deeper understanding of the source and likelihood of potential problems. The content is organized into a branching diagram where the causes may themselves have multiple potential sources so that the overview on risk stimulates additional thinking. The cause and effect diagram is also used to identify quality-related problems.

X6.2.4 CHECKLISTS

Risk identification checklists can be developed based on historical information and knowledge that has been accumulated from previous, similar portfolios, programs, or projects and from other sources of information. The lowest level of a risk breakdown structure can also be used as a risk checklist. An example of a checklist is shown in Figure X6-5.

While a checklist can be quick and simple, it is impossible to build an exhaustive one. Care should be taken to explore items that do not appear on the checklist. The checklist should be reviewed during closure to improve it for use in the future.

X6.2.5 DELPHI TECHNIQUE

The Delphi technique uses a facilitated anonymous polling of subject matter experts to identify risks in their area of expertise. The facilitator gathers the experts’ initial responses and circulates them without attribution to the entire group. The group members may then revise their contributions based on those of others. The process often generates a consensus of the experts after a few iterations.

X6.2.6 DOCUMENT REVIEW

A structured review may be performed of documentation, including plans, assumptions, prior portfolio, program, or project files, and other information. The quality of the plans, as well as consistency between those plans and the assumptions, can be indicators of risk.

X6.2.7 EXPERT JUDGMENT

Expert judgment is the contribution provided to risk identification based on expertise in a subject area, industry segment, organizational processes, etc.

X6.2.8 FACILITATION

Facilitation is the ability to effectively guide a group event to a successful decision, solution, or conclusion. A facilitator ensures that there is effective participation and that all contributions are considered.

X6.2.9 HISTORICAL INFORMATION

Historical records and data from past projects, programs, and portfolios help to identify common risks and prevent repeating mistakes.

X6.2.10 INTERVIEWS

Interviewing experienced project, program, or portfolio participants, stakeholders, and subject matter experts can identify risks. Interviews are one of the main sources of risk identification data gathering.

X6.2.11 PROMPT LISTS

Prompt lists enumerate risk categories with the purpose of detecting the most relevant to the project, program, or portfolio. A prompt list can be useful as a framework for brainstorming and interviews. Categories of risks include:

  • Technical risks,
  • Organizational risks, and
  • External risks.

There are different types of prompt lists. Figure X6-6 provides examples of some of the better-known ones.

X6.2.12 QUESTIONNAIRE

Questionnaire techniques encourage broad thinking to identify risks; however, they require quality questions to be effective.

X6.2.13 ROOT-CAUSE ANALYSIS

Root-cause analysis helps to identify additional, dependent risks. The identified risks may be related because of their common root causes. Root-cause analysis can be the basis for development of preemptive and comprehensive responses and can serve to reduce apparent complexity. One way of diagramming root cause is shown in Figure X6-7.

X6.2.14 SWOT ANALYSIS

SWOT (strength, weakness, opportunity, and threat) is a technique that examines the initiative from each of the SWOT perspectives to increase the breadth of considered risks. It ensures equal focus on both threats and opportunities. This technique focuses on internal (organizational strengths and weaknesses) and external (opportunities and threats) factors. A method for structuring the results of a SWOT analysis is shown in Figure X6-8.

X6.3 QUALITATIVE RISK ANALYSIS

Qualitative risk analysis prioritizes the undifferentiated list of risks that have been identified in the Identify Risks process for further evaluation or for handling. Organizations tend to apply resources to those designated as high risk based on their priority, often indicated by the risks’ probability and impact characteristics. Qualitative risk analysis techniques are usually based on probability and impact but can also include additional prioritization variables. It is recommended to have a consistent, well-defined prioritization technique to maintain consistency among raters. An example of a rating definition schema is shown in Figure X6-9.

Sections X6.3.1 through X6.3.8 describe some common techniques for qualitative risk analysis.

X6.3.1 AFFINITY DIAGRAMS

An affinity diagram is used to organize specific ideas or factors that contribute to a risk. It helps to sort risks by similarities or generic risk categories.

X6.3.2 ANALYTIC HIERARCHY PROCESS

Analytic hierarchy process (AHP) is a matrix method-based technique used to support a multicriteria decision-making process. It can also be used to identify risks. Even though there is an objective ranking where the subjectivity is minimized, the grouping is arbitrary. An example is shown in Figure X6-10.

X6.3.3 INFLUENCE DIAGRAMS

An influence diagram is a diagrammatic representation of a situation showing the main entities, decision points, uncertainties, and outcomes, indicating the relationships (influences) between them. When combined with sensitivity analysis or Monte Carlo simulation, the influence diagram can identify risks to reveal their sources.

X6.3.4 NOMINAL GROUP TECHNIQUE

The nominal group technique is an adaptation of brainstorming where participants share and discuss all issues before evaluation, with each participant participating equally in evaluation.

X6.3.5 PROBABILITY AND IMPACT MATRIX

A probability and impact matrix allows the user to prioritize risks for further analysis or responses. It helps to distinguish between those risks that will have a minor impact on business activities and those that will have a major impact. It usually classifies risks according to their probability and impact, using levels such as very high, high, moderate, low, and very low. An example of a probability and impact matrix is shown in Figure X6-11.

X6.3.6 RISK DATA QUALITY ANALYSIS

Results of the risk analysis are only as good as the data collected. Review of the reliability and sufficiency of the data ensures that the analysis is based on high-quality information. Data that are deemed to be of lesser quality may be further researched or excluded from the risk analysis. Care should be taken when excluding poor quality data to avoid a less-than-robust qualitative analysis.

X6.3.7 ASSESSMENT OF OTHER RISK PARAMETERS

Other characteristics of risk (in addition to probability and impact) can be considered when prioritizing risks for further analysis and action. These characteristics may include but are not limited to:

  • Urgency. The period of time within which a response to a risk is to be implemented in order to be effective. A short period indicates high urgency.
  • Proximity. The period of time before a risk might have an impact on one or more objectives. A short period indicates high proximity.
  • Detectability. The ease with which the results of a risk occurring, or being about to occur, can be detected and recognized. When the risk occurrence can be detected easily, detectability is high.
  • Dormancy. The period of time that may elapse after a risk has occurred before its impact is discovered. A short period indicates low dormancy.
  • Manageability. The ease with which a risk owner (or owning organization) can manage the occurrence or impact of a risk. When management is easy, manageability is high.
  • Controllability. The degree to which a risk owner (or owning organization) is able to control the risk's outcome. When the outcome can be controlled easily, controllability is high.
  • Connectivity. The extent to which a risk is related to other individual risks. When a risk is connected to many other risks, connectivity is high.
  • Strategic impact. The potential for a risk to have a positive or negative effect on the organization's strategic goals. When a risk has a major effect on strategic goals, strategic impact is high.
  • Stakeholder impact. The degree to which a risk is perceived to matter by one or more stakeholders. When a risk is perceived as very significant, stakeholder impact is high.

X6.3.8 SYSTEM DYNAMICS

System dynamics (SD) is a particular application of influence diagrams and can be used to further identify risks within a given situation. The SD model represents entities and information flows, and analysis of the model can reveal feedback and feed-forward loops that lead to uncertainty or instability. In addition, the results of an SD analysis can show the impact of risk events on overall results. Analyses of changes in the model or assumptions can indicate the system's sensitivity to specific events, some of which may be risks.

System dynamics exposes unexpected interrelationships between elements (feedback and feed-forward loops). It can generate counterintuitive perspectives not available through other techniques. The result is a view of the overall impact of all included risks.

X6.4 QUANTITATIVE RISK ANALYSIS

Quantitative risk analysis is used to determine the overall risk to objectives when all risks potentially operate simultaneously. Techniques used appropriately for quantitative risk analysis have several characteristics: comprehensive risk representation, overall risk impact calculation, probability models, data-gathering capabilities, effective presentation of quantitative analysis results, and iteration capabilities. Quantitative risk analysis techniques enable representation of both opportunities and threats to the objectives.

Sections X6.4.1 through X6.4.7 describe some common techniques useful for quantitative risk analysis.

X6.4.1 CONTINGENCY RESERVE ESTIMATION

All of the conditional response plans, as well as any of the residual risks, will, if they occur, have an effect on objectives. An amount (time and cost) needs to be set aside to allow for these eventualities. This amount is made up of two components: (1) amounts to cover specific, approved conditional responses (e.g., contingency plans) and (2) amounts to address unspecified or passively accepted risks. Quantitative methods can be used to determine the amounts that should be set aside. These reserves are tracked and managed as part of the Monitor Risks process.

X6.4.2 DECISION TREE ANALYSIS

Decision tree analysis is used to determine partial and global probabilities of occurrence. It is a tree-like model that calculates the expected monetary value (see Section X6.4.4) of different possibilities by probability of occurrence. A simple example of a decision tree is shown in Figure X6-12.

X6.4.3 ESTIMATING TECHNIQUES APPLIED TO PROBABILITY AND IMPACT

The probability of a risk occurring can be specified in several different ways. One common way is to assign levels of risk probability by ranges of probability. One benefit of this approach is that the subject matter experts only need to assess a risk's probability within a range rather than as a specific value.

Examples of impact-level definitions are very work specific. The values used to specify the level of impact from very low to very high (if a 5×5 matrix is being used) should be:

  • Designated as higher impact for threats or opportunities as they move from very low to very high for a specific objective,
  • Defined by the organization as causing the same amount of pain or gain for each level across objectives, and
  • Tailored or scaled by stakeholders to the specific work. The definitions, appropriately tailored, can be used for opportunities and threats.

If a risk's impact is uncertain and could be assigned to more than one level of impact (e.g., from moderate to high), the analyst may choose to assign the risk to the impact level that represents the expected or average impact. Alternatively, the risk may be flagged for extra analysis in order to reduce the range of uncertainty to fit within a single range.

X6.4.4 EXPECTED MONETARY VALUE

Expected monetary value (EMV) is a statistical technique that is used to quantify risks, which in turn assists the manager in calculating the contingency reserve. EMV is a calculation of a value, such as weighted average or expected cost or benefit, when the outcomes are uncertain. All reasonable alternative outcomes are identified. Their probabilities of occurring (summing to 100%) and their values are estimated. The EMV calculation is made for the entire event by weighting the individual possible outcomes by their probabilities of occurring. The formula is:

Expected monetary value (EMV) = Probability × Impact

X6.4.5 FMEA/FAULT TREE ANALYSIS

Failure modes and effects analysis (FMEA) or fault tree analysis uses a model structured to identify the various elements that can cause system failure by themselves, or in combination with others, based on the logic of the system. Fault tree analysis is often used in engineering contexts. It can be adapted for use to identify risks by analyzing how risk impacts might arise, or the probability of failure (or of reliability, mean time between failure, etc.) of the overall system, indicating the level of quality of the system or product. If the level of reliability is not acceptable, the fault tree can indicate where the system can be made more reliable; therefore, it is useful in the design and engineering phase of a program or project.

Failure-mode effect analysis assesses and analyzes the potential reliability of a system and/or products. It is used together with failure-mode effect and criticality analysis as part of the general program to assess reliability of a system and potential failure modes.

Using historical data, the analysis of similar products/services, warranty data, customer data complaints, and any other information available may lead to the use of inferential statistics, mathematical modeling, simulations, concurrent engineering, and reliability engineering to identify and define possible failures.

Failure-mode effect and criticality analysis (FMECA) is the logical extension of FMEA. It evaluates the criticality and probability of occurrence of the failure modes.

X6.4.6 MONTE CARLO SIMULATION

Monte Carlo simulation is a technique to simulate probability distribution for a risk on an objective. The statistical method samples events to determine the average behavior of a system.

Monte Carlo simulation is a statistical analysis technique that can be applied in situations in which there are uncertain estimates, with the aim of reducing the level of uncertainty through a series of simulations. In this sense, it can be applied in the analysis of risks associated with a particular objective. For each of the variables, Monte Carlo simulations do not provide a single estimate but a range of possible estimates, each associated with the level of probability that the estimate is accurate (confidence level), as shown in Figure X6-13.
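
The EMV formula in Section X6.4.4 and the simulation described here can be combined to size a contingency reserve (Section X6.4.1). The following is an added example, not part of the standard: the register entries and figures are constructed, and it assumes independent risks, three-point (triangular) impact estimates, and opportunities entered as negative costs.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One register entry with a three-point cost estimate (constructed model)."""
    name: str
    probability: float  # chance the risk occurs, 0..1
    low: float          # optimistic cost impact if it occurs
    likely: float       # most likely cost impact
    high: float         # pessimistic cost impact

    @property
    def mean_impact(self) -> float:
        # Mean of a triangular distribution (assumed shape of the impact).
        return (self.low + self.likely + self.high) / 3.0

    @property
    def emv(self) -> float:
        # EMV = Probability x Impact, using the mean impact as "Impact".
        return self.probability * self.mean_impact


# Constructed sample register. The last entry is an opportunity (a saving),
# so its impacts are negative.
REGISTER = [
    Risk("Penetration test finds critical flaw late", 0.30, 20_000, 40_000, 90_000),
    Risk("Key supplier delivers late", 0.20, 10_000, 25_000, 55_000),
    Risk("Regulatory change forces rework", 0.10, 30_000, 60_000, 120_000),
    Risk("Reusable component cuts build cost", 0.40, -30_000, -20_000, -10_000),
]


def total_emv(register):
    """Sum of per-risk EMVs: the expected net cost of the whole register."""
    return sum(r.emv for r in register)


def simulate(register, trials=20_000, seed=1):
    """Monte Carlo: return the sorted total cost of each simulated run.

    In every trial each risk fires independently with its probability, and
    its impact is drawn from the triangular(low, high, mode=likely) estimate.
    """
    rng = random.Random(seed)  # local generator keeps runs reproducible
    totals = []
    for _ in range(trials):
        total = 0.0
        for r in register:
            if rng.random() < r.probability:
                total += rng.triangular(r.low, r.high, r.likely)
        totals.append(total)
    totals.sort()
    return totals


def reserve_at(sorted_totals, confidence):
    """Nearest-rank percentile: the cost not exceeded in `confidence` of runs."""
    if not 0.0 < confidence <= 1.0:
        raise ValueError("confidence must be in (0, 1]")
    rank = math.ceil(confidence * len(sorted_totals))
    return sorted_totals[rank - 1]


if __name__ == "__main__":
    outcomes = simulate(REGISTER)
    print(f"Total EMV:            {total_emv(REGISTER):>10,.0f}")
    print(f"Simulated mean:       {sum(outcomes) / len(outcomes):>10,.0f}")
    for level in (0.50, 0.80, 0.95):
        print(f"Reserve at P{int(level * 100)}:       "
              f"{reserve_at(outcomes, level):>10,.0f}")
```

The simulated mean converges on the total EMV, while the P80 and P95 figures show how much more than the EMV has to be set aside to reach a given confidence level.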

X6.4.7 PERT (PROGRAM OR PROJECT EVALUATION AND REVIEW TECHNIQUE)

PERT is a time-based technique that can be used to quantify risks at a given point in the development of a project or program.

X6.5 PLAN RISK RESPONSES

Plan Risk Responses develops the set of actions required to consider the risks and their characteristics and integrates them into corresponding plans and budgets. The resultant plan should satisfy the risk appetites and attitudes of the key stakeholders. There are three categories of techniques, as follows:

  • Creativity techniques to identify potential responses,
  • Decision-support techniques for determining the optimal potential response, and
  • Implementation techniques designed to turn a risk response into action.

Respectively, these categories of techniques can be used to identify potential responses, select the most appropriate response to translate strategy into planning, and assign corresponding actions.

The creativity techniques used to identify potential responses are quite similar to risk identification techniques (see Section X6.2). Decision-support techniques assist in examining the trade-off between risk response strategies. Such techniques also assist in choosing between preemptive prevention and contingency responses based on triggers.

Sections X6.5.1 through X6.5.5 describe a few decision-support techniques that may be used for the Plan Risk Response process.

X6.5.1 CONTINGENCY PLANNING

For specific (normally high-impact) risks, the risk owner may choose to assemble a team to develop a response as if the risk had genuinely happened. The corresponding plan, with the supporting information, is then documented and approved by management or the sponsor. This approval includes authorization to deploy the corresponding resources if the predefined trigger conditions arise.

X6.5.2 FORCE FIELD ANALYSIS

Force field analysis is typically used in the change management context. It can be adapted for risk response planning by identifying driving forces (forces for change) and restraining forces (forces against change) which currently affect achievement of an objective. Risk responses can then be modeled based on the net result of the forces as shown in Figure X6-14.

X6.5.3 MULTICRITERIA SELECTION TECHNIQUE

Criteria for deciding whether to choose a specific risk response from among several options include cost, schedule, technical requirements, etc., as well as the risk attributes, such as the type of risk, magnitude of probability, and impact. Multicriteria selection could be weighted to reflect the importance of various criteria as shown in Figure X6-15.

X6.5.4 SCENARIO ANALYSIS

Scenario analysis for risk response planning involves defining several plausible alternative scenarios. Each scenario may require different risk responses that can be described and evaluated for their cost and effectiveness. If the organization can choose between several scenarios, the alternatives, including responses, can be compared. If the scenarios are out of the control of the organization, the analysis can lead to effective and necessary contingency planning.

Scenarios usually include optimistic, most likely, and pessimistic assessments. The representation of optimistic and pessimistic scenarios can be useful in providing managers with a certain sensitivity to the upside and downside potential associated with a portfolio, program, or project.

X6.5.5 SIMULATION

Simulation is a technique to estimate the benefits and implications of different response plans versus the efforts and costs required to implement them. Simulations can also help analyze the possible implications to the critical chain in projects when implementing different risk response options.

X6.6 RESPONSE PLAN IMPLEMENTATION

The most common technique to turn preventative response plans into action is adding them to the portfolio, program, or project management plan. While some planning techniques can keep track of and differentiate between tasks and actions that originated from response plans, some planning techniques will not differentiate between risk response tasks and other tasks.

X6.7 MONITOR RISKS

Monitor Risks provides the assurance that risk responses are being applied, verifies whether they are effective, and, as necessary, initiates corrective actions. Sections X6.7.1 through X6.7.10 describe techniques for monitoring risks during the entire portfolio, program, or project life cycle.

X6.7.1 DATA ANALYTICS

Data analytics supports the exploration of known risk types by analyzing related documentation and related data for applicability to a specific portfolio, program, or project. In direct data analytics, the question and types of risks explored are predefined, as are the relationships between different types of risks and cause and effect. The use of big data, advanced analytics, or artificial intelligence capabilities to explore unknown types of risks is a form of advanced data analytics.

X6.7.2 RESERVE ANALYSIS

Reserve analysis is an analytical technique to determine the essential features and relationships of components in the work management plan to establish a reserve for the schedule duration, budget, estimated cost, or funds. Tracking the state of the reserve through execution provides summary information as to the evolution of the status of the corresponding risks. This information can be useful when reporting up the organization management structure. In addition, once a risk occurs or ceases to be current (i.e., when it can no longer impact), the corresponding reserve needs to be reviewed to assess whether it still provides the agreed-upon level of confidence.

X6.7.3 RESIDUAL IMPACT ANALYSIS

Response plan implementation could lead to residual risks or an emergent risk. Residual impact analysis is used to identify side effects of implementing a response plan.

X6.7.4 RISK AUDIT

Risk audits are carried out in order to evaluate the following:

  • Risk management rules are being carried out as specified, and
  • Risk management rules are adequate for controlling the work.

Appendixes X3, X4, and X5 discuss metrics useful for developing and defining management controls for portfolio, program, and project risk management governance. These management controls then become criteria against which an audit is conducted.

X6.7.5 RISK BREAKDOWN STRUCTURE

The risk breakdown structure (RBS) is a hierarchical framework of potential sources of risk. An organization may develop a generic or specific RBS. The RBS helps to identify specific risks in relation to their category and offers a framework for other risk identification techniques such as brainstorming. An RBS helps to ensure coverage of all types of risk and tests for blind spots or omissions. An example of a generic RBS for a project is shown in Figure X6-16.

X6.7.6 RISK REASSESSMENT

Risk reassessment requires the following activities to be estimated and validated again to assure effective control:

  • Identifying new risks,
  • Evaluating current risks,
  • Evaluating the risk management processes, and
  • Closing risks.

X6.7.7 SENSITIVITY ANALYSIS

Sensitivity analysis is the evaluation of the effect on a variable by one or more influencing variables. Often used as a technique in monitoring risks, it serves to identify the possible impact on a given objective should one or more risks materialize.

X6.7.8 STATUS MEETINGS

Status meetings include the review of all open risks and trigger conditions that have occurred, leading to risks becoming issues. Risks responded to in the past period, effectiveness of the actions taken, impacts on the portfolio, program, or project, and lessons learned are formally recorded in a knowledge management system.

X6.7.9 TREND ANALYSIS

Trend analysis evaluates how the risk profile changes over time, whether or not the previous actions resulted in the expected effect, and whether or not additional actions are required.

X6.7.10 VARIANCE ANALYSIS

The analysis of variances compares planned versus actual results. When the variances are increasing, there is increased uncertainty and risk. Outcomes from this analysis may forecast any potential for future deviation from the baseline plan prior to completion. Deviation from the baseline plan may indicate the potential impact of threats or opportunities.

X6.8 RISK MANAGEMENT TECHNIQUES RECAP

Table X6-1 lists techniques for carrying out risk management in portfolios, programs, and projects. The list is not exhaustive, and it is not necessary to use all of the techniques.

The column headings list the risk management processes discussed in Section 4 of the standard and indicate a few of the strengths and weaknesses of each technique. Within each cell, the letters indicate a subjective evaluation of the relevance of each technique for the risk management process. In Table X6-1, the “C” stands for core and means that the use of that technique is recognized as useful in the context of a given process; the “S” stands for supportive and means that the technique can provide some useful information for a given process.
