PMBOK® Guide and Risk Management


The PMI PMBOK® Guide is an important tool that helps individuals manage risk events and overall project risks in a proactive manner, thereby increasing the chances of project success by minimizing threats and maximizing opportunities. Risk is considered a crucial aspect of project management and is one of the nine Knowledge Areas in this methodology. The Guide emphasizes the significance of risk during the planning phase in the Process Planning Group, in sections 11.1 – 11.5, and in the Closure Phase in Monitoring and Control, section 11.6. These sections cover various aspects of risk management, such as risk management planning, risk identification, qualitative and quantitative risk analysis, risk response planning, and risk monitoring and control. All these processes interact with each other and with the processes of other Knowledge Areas. According to the Guide, project risk is a future event, and risk is defined as “an uncertain event or condition that, if it occurs, has an effect on at least one of the project objectives.”

The Project Risk Management Overview diagram in Figure 11-1 of the Guide provides an overview of all these aspects.

PMI Practice Standard for Project Risk Management

The PMI Practice Standard for Project Risk Management (2012) offers a comprehensive perspective on the risk management process, providing practical tools and techniques to manage risks in a project. It is recommended to refer to this standard in conjunction with the PMBOK Guide to gain a more detailed understanding of the risk management process. 

The aim of the PMI Practice Standard for Project Risk Management is to establish a benchmark for project management practitioners and other stakeholders by defining the aspects of Project Risk Management recognized as best practice across most projects, most of the time. The standard is globally applicable and consistently applied. 

It is important to note that this standard is applicable only to risk management in a single project and not to programs or portfolios of projects. The focus of this standard is on the principles of project risk management. 

The practice standard emphasizes critical success factors for Project Risk Management, providing guidance on how to manage risks effectively to achieve successful project outcomes.

Risk management has gone beyond being a local affair and has become an international practice, with increasingly common standards and methods being adopted by most countries around the world. This is due to the fact that most of the risk management methodologies have been developed by specific industries or countries over time, to meet their unique needs, resulting in the emergence of different terminologies and processes. The Finance Industry is a good example of this trend.

As a result, there are numerous standards, methods, guides, and frameworks that cover project risk management. Each of these has its strengths and weaknesses, depending on the industry, project, and purpose they are intended for. However, they all have one crucial objective in common, which is to identify and mitigate risks. In addition to the ISO 31000 Standard and the PMBOK, the other widely accepted standards, methods, and guides include RAMP, SHAMPU, M_o_R, and RFA.

Risk Analysis and Management of Projects (RAMP)

RAMP is a risk assessment method developed in the United Kingdom that provides structured analysis throughout the life cycle of a project. Unlike other frameworks, RAMP focuses on financial concerns influenced by project uncertainty. Ward and Chapman have pointed out that RAMP is unique because it associates financial issues with project risk. 

RAMP approaches risk on multiple levels and integrates elements from other frameworks to outline four actions: launching a project, systematically reviewing the uncertainties that affect the project, managing risk, and terminating the project.

The stages of RAMP include identifying risks to the project, analyzing the impact of those risks and their likelihood, and outlining options available for addressing those risks. RAMP emphasizes the mitigation of uncertainties that affect the project and the control of factors that cannot be adequately addressed. 

Since RAMP was designed with actuarial interests in mind, it is geared toward appraising projects in light of the uncertainties that they face. RAMP provides a comprehensive approach to risk assessment, which is critical for any successful project management.

Shape, Harness, And Manage Project Uncertainty (SHAMPU)

Risk assessment is a crucial process for any project, and one of the popular methods used for this purpose is the SHAMPU framework. SHAMPU stands for Shape, Harness, and Manage Project Uncertainty and is a nine-step process that helps in assessing risk by following the outline set forth in the acronym.

The framework provides a structured way of reviewing approaches to stakeholder analysis and related uncertainty management issues. The nine phases of the framework are project definition, focusing the uncertainty management process, identifying sources of uncertainty, structuring the issues, clarifying ownership, estimating variability, evaluating implications of uncertainty, harnessing plans, and managing implementation.

The SHAMPU framework offers a range of strategies for managing stakeholder expectations and fostering trust between stakeholders by characterizing projects on a 'hard-soft' spectrum. The framework emphasizes the importance of a systematic approach to stakeholder management by using project uncertainty management processes that distinguish different stages of the project life cycle.

The three phases of the SHAMPU framework are:

  1. Shape: This phase defines and focuses on the project by analyzing the quality of risks affecting the project, identifying uncertainties, categorizing them, and assigning them to specific owners. The phase also involves estimating the variability of risks and evaluating their implications. An effective strategic view of the project will shape the approach the project manager takes to uncertainty.
  2. Harness: This tactical phase leverages the strategic plan developed in the shape phase and identifies risks that complement the strategic plan.
  3. Manage: Once the tactical plan is in place, management is needed to address uncertainty relevant to the project throughout its life cycle.

The SHAMPU framework provides a comprehensive approach to risk assessment that helps project managers identify and manage uncertainty effectively.

Risk Factor Analysis (RFA)

Risk analysis is an essential part of any project management process, and one popular method of risk analysis is Risk Factor Analysis (RFA). RFA is a qualitative approach that is flexible and customizable to deal with a wide range of uncertainties that can impact project outcomes. The system helps managers identify factors that can affect the quality of the project, providing them with new perspectives to handle qualitative risks.

RFA is a versatile system that can adapt to various scenarios that have different qualitative risks. Some of the uncertainties that RFA can deal with include risks related to project cost, such as labor and materials, scheduling, such as the availability of facilities and personnel, and technical risks that involve the maturity level of technology applied to the project.

Another common example of uncertainty that RFA considers is financial resources. This might include the vulnerability of funding for various project tasks or the inability to gain sufficient funding to complete the project.

Once the uncertainties are ranked and totaled for each category of risk, potential strategies for reducing risk are developed. Using RFA, managers can develop a comprehensive plan to minimize risk and optimize project outcomes.

Management of Risk (M_o_R)

The Office of Government Commerce (OGC), a UK government agency, sponsored the development of a widely used risk management standard known as Management of Risk (M_o_R). It has become the go-to risk management strategy for public projects across the UK government and is affiliated with the PRINCE2 project management methodology.

The M_o_R approach is primarily focused on risk management processing as it relates to management structure, roles, and responsibilities. It also involves implementing several checklists to support the various phases of the risk management process. While it was created specifically for managing risks in government projects, the M_o_R method has also gained popularity in the non-government sectors.

For more information, you can refer to the summary provided by Williams Graham in the book "Everything You Wanted to Know About Management of Risk (M_o_R®) in Less Than 1000 Words" (The Stationery Office).

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a well-known US organization that aims to provide guidance and thought leadership in the areas of enterprise risk management, internal control, and fraud deterrence. Its mission is to improve organizational performance and governance, while also reducing the extent of fraud in organizations. 

COSO is particularly popular in the accounting and financial industry, and it was established in response to the high-profile corporate and accounting scandals of the early 2000s, such as Enron, Tyco International, Adelphia, Peregrine Systems, and WorldCom. 

In 2001, COSO initiated a project and engaged PricewaterhouseCoopers to develop a framework that management teams could readily use to evaluate and improve their organizations' enterprise risk management. Since then, COSO has continued to provide valuable resources and guidance to organizations worldwide in order to strengthen their risk management practices and improve their overall performance and governance.

Project Risk Analysis and Management (PRAM)

Project Risk Analysis and Management (PRAM) is a vital aspect of project management. It is closely associated with the Association of Project Management (APM) in the UK. The APM's PRAM Guide provides a project-based risk management framework that many construction and UK-based organizations prefer. Compared to PMI's Practice Standard, the PRAM guide is more philosophical and free-flowing in its approach, allowing for a more flexible and adaptable risk management strategy. The Practice Standard, on the other hand, is written in a more structured and practical style, providing a clear and concise framework for managing project risks.

Other Risk methodologies: RAMP, SHAMPU, M_o_R and RFA

Adaptive Project Management, also known as AgilePM or Scrum, is a relatively new approach to project management that emphasizes flexibility and adaptability. Rather than relying on a rigid, linear approach, AgilePM uses an iterative and incremental process that allows for rapid changes and adjustments. 

One of the key features of AgilePM is the use of short, fixed-length iterations that typically last between 2 and 4 weeks. These iterations are designed to deliver a working product or deliverable at the end of each cycle. This approach is particularly popular in software development, but it can be used in a wide range of projects across various industries. 

By embracing the AgilePM methodology, project managers can respond more quickly to changes in requirements, reduce risks, and improve overall project outcomes.