For your reference, the image is displayed again below:
You must actively monitor the identified risks and identify & respond to new risks as they appear. The risk monitoring and controlling process is used to monitor and control risks and includes the following goals:
• Tracking identified risks
• Monitoring residual risks (risks that remain after risk responses have been implemented)
• Identifying new risks and preparing responses for them
• Executing the risk plan and evaluating its effectiveness
However, the risk situation can change from time to time. Therefore, monitoring and controlling risks also includes monitoring risk dynamics, which involves:
• Ensuring that the project execution is conforming to the risk management policies and procedures.
• Determining whether the project assumptions are still valid. If an assumption becomes invalid, it may eliminate a risk or may give rise to a new risk.
• Determining whether the current analysis has changed the risk assessment. The change in the risk assessment may require changes in other aspects of the project, such as cost, schedule, and contingency reserves.
The Monitor & Control Risks Process can be illustrated using the picture below:
Inputs to Monitoring & Controlling Risks Process
The risk register and risk management plan contain the list of risks you identified during risk planning and the responses you will execute if the risks occur. Work performance information from project execution and performance reports is also useful in monitoring risks. These items can help you determine whether risk response plans are being implemented, if those implementations are producing the desired results, and if there are signs of new risks.
To monitor and control risks, you must have a list of identified risks, a plan to deal with the risks, and the signs of risk occurrence. Accordingly, the input items to risk monitoring and controlling are risk management plans, risk registers, approved change requests, and work performance information.
Tools and Techniques for Risk Monitoring and Controlling
There are some tools and techniques available to detect risk triggers, to respond effectively to the risks that have occurred, and to identify new risks. They are:
Risk reassessment - Risks should be continually reassessed as the project progresses. For example, a risk on the watch list might become important enough that you might need to prepare a response plan for it. On the other hand, a risk may disappear and should then be closed. For ex: A risk that the web server may not be delivered on-time by the vendor may be closed the moment the physical device is delivered to us. Under such a situation, this particular risk needs to be closed.
Risk audits - A risk audit is conducted to examine the following:
• Root causes of the identified risks
• Effectiveness of responses to the identified risks
• Effectiveness of risk management processes
The project manager is responsible for ensuring that risk assessments and risk audits are conducted with needed frequency.
Risk analyses - Risk analyses are necessary to effectively respond to risks that have occurred, to detect risk triggers, and to identify new risks. The following two kinds of analyses are appropriate for risk monitoring:
• Variance and trend analysis - Trends in project performance should be reviewed on a regular basis as the project execution progresses. These trends can be determined by analyzing the performance data based on various performance control techniques, such as variance and earned value analysis. This analysis can help in detecting new risks.
• Reserve analysis - Recall that the contingency reserve is the amount of funds or time (in the schedule) in addition to the planned budget reserved to keep the impact of risks to an acceptable level when the project is executing. The risks occurring during project execution can have positive or negative effects on contingency reserve. You perform reserve analysis at a given time to compare the remaining reserve amount to the remaining risk to determine whether the remaining reserve amount is adequate.
Technical performance measurement - Technical performance measurements compare actual versus planned parameters related to the overall technical progress of the project. The deviation determines the degree to which system requirements are met in terms of performance, cost, schedule, and progress in implementing risk handling. The parameters chosen to measure technical performance could be any parameters that represent something important related to the project objectives and requirements; software performance, human resource performance, and system test performance are some examples.
Status meetings - You should always put risk management as an agenda item at project status meetings. The time spent on this item will depend on the number of identified risks, their priorities, and the complexity of the responses planned for them. Nevertheless, keeping risk on your agenda and discussing risks with the team on a regular basis helps make risk management smoother and more effective.
Output from Risk Monitoring and Controlling
The output of monitoring risks includes recommendations for actions and requests for changes to control the risks. The detailed outputs include:
Change requests - You will need to make some change requests as a result of risk monitoring and controlling. The change requests may arise from recommended actions. For example, recommended actions, such as contingency plans and workarounds, might result in requirements to change some elements of the project management plan to respond to certain risks. Of course, the change requests will need to go through the integrated change control process for approval, and the approved change requests will become the input to the Direct and Manage Project Execution process for implementation.
There are two kinds of actions recommended as a result of risk monitoring: corrective actions and preventive actions. Corrective actions include contingency plans and workaround plans. A workaround is a response to a negative risk that has occurred. A workaround is based on a quick solution and is not planned in advance of the risk occurrence event. Preventive actions are recommended to bring the project into compliance with the project management plan. Recommended corrective and preventive actions are input to the integrated change control process.
Updates - The risk monitoring and controlling processes might require updates to the following items:
• Risk register - You might need to include the following updates to the risk register:
o Outcomes of risk reassessments, risk reviews, and risk audits• Project management plan - The project management plan might need to be updated as a result of risk monitoring and controlling. For example, change requests might change the risk management processes, which in turn will change the project management plan.
o Outcomes of risks and responses to risks
• Organizational process assets - As a result of the risk monitoring and controlling processes, some organizational process assets might need to be updated, such as templates for the project management plan, the historical information database for such information as actual costs and durations of project activities, the lessons-learned knowledge database, and checklists.
Prev: Controlling Quality
Next: Performance Reporting