You must remember that risks can have negative and positive impacts. Positive risk is a risk taken by the project because its potential benefits outweigh the traditional approach and a negative risk is one that could negatively influence the cost of the project or its schedule.

The purpose of project risk control is to

- Identify the events that can have a direct effect in the project deliverables
- Assign qualitative and quantitative weight—the probability and consequences of those events that might affect the project deliverables
- Produce alternate paths of execution for events that are out of your control or can not be mitigated
- Implement a continuous process for identifying, qualifying, quantifying, and responding to new risks

The main goals to risk monitoring and control:

- To confirm risk responses are implemented as planned
- To determine if risk responses are effective or if new responses are needed
- To determine the validity of the project assumptions
- To determine if risk exposure has changed, evolved, or declined due to trends in the project progression
- To confirm policies and procedures happen as planned
- To monitor the project for new risks
- To monitor risk triggers

Risk triggers are those events that will cause the threat of a risk to become a reality. For example, you have identified the fact that you only have one pump set available and the replacement takes six weeks to arrive. In the middle of your irrigation and recycling process tests, you discover that water pressure tends to fluctuate beyond pump tolerance levels. If you do not find a way to solve this problem, your risk will become a reality.

Make sure that for each identified risk, you must provide a response plan. It is not much help to you if the risk becomes a reality or issue and you do not have an alternate execution path or some other emergency procurement plan.

Main inputs to to effectively monitor and control risks:

- Risk management plan
- Risk Register / Risk Tracker
- Risk response plan
- Project communications
- New risk identification
- Scope changes

Outputs of Risk Monitoring and Risk Control:

- Workaround plans
- Corrective / Preventive actions
- Change requests
- Risk response plan updates
- Risk database
- Checklist updates

Qualitative Risk Analysis includes methods for prioritizing the identified risks for further action, such as Quantitative Risk Analysis or Risk Response Planning. Organizations can improve the project’s performance effectively by focusing on high-priority risks. Qualitative Risk Analysis assesses the priority of identified risks using their probability of occurring, the corresponding impact on project objectives if the risks do occur, as well as other factors such as the time frame and risk tolerance of the project constraints of cost, schedule, scope, and quality.

Qualitative Risk Analysis is usually a rapid and cost-effective means of establishing priorities for Risk Response Planning, and lays the foundation for Quantitative Risk Analysis, if this is required. Qualitative Risk Analysis should be revisited during the project’s life cycle to stay current with changes in the project risks. Qualitative Risk Analysis requires outputs of the Risk Management Planning and Risk Identification processes. This process can lead into Quantitative Risk Analysis or directly into Risk Response Planning.

Inputs of Qualitative Risk Analysis:

• Organizational Process Assets – Risk Database of past projects
• Project Scope Statement – Projects of a common or recurrent type tend to have more well-understood risks. This can be evaluated by examining the project scope statement
• Risk Management Plan
• Risk Register – list of identified risks

Tools and Techniques used in Qualitative Risk Analysis:

• Risk Probability and Impact Assessment – Risk probability assessment investigates the likelihood that each specific risk will occur. Risk impact assessment investigates the potential effect on a project objective such as time, cost, scope, or quality, including both negative effects for threats and positive effects for opportunities. Probability and impact are assessed for each identified risk.
• Probability and Impact Matrix
• Risk Data Quality Assessment
• Risk Categorization
• Risk Urgency Assessment

Output of Qualitative Risk Analysis: Updated Risk Register / Tracker with the following information

• Relative ranking or priority list of project risks
• Risks grouped by categories
• List of risks requiring response in the near-term
• List of risks for additional analysis and response
• Watchlists of low priority risks
• Trends in qualitative risk analysis results

Risk Identification is an iterative process because new risks may become known as the project progresses. The Risk Identification process usually leads to the Qualitative Risk Analysis process. Alternatively, it can lead directly to the Quantitative Risk Analysis process when conducted by an experienced risk manager. On some occasions, simply the identification of a risk may suggest its response, and these should be recorded for further analysis and implementation in the Risk Response Planning process.

Inputs of Risk Identification Process:

1. Enterprise Environmental Factors - Published information, including commercial databases, academic studies, benchmarking, or other industry studies, may also be useful in identifying risks.
2. Organizational Process Assets - Information on prior projects may be available from previous project files, including actual data and lessons learned.
3. Project Scope Statement - Uncertainty in project assumptions should be evaluated as potential causes of project risk.
4. Risk Management Plan
5. Project Management Plan

Tools and Techniques used in Risk Identification:

1. Documentation Reviews
2. Information Gathering Techniques like Brainstorming, Delphi technique, Interviewing, Root cause identification, Strengths, weaknesses, opportunities, and threats (SWOT) analysis
3. Checklist Analysis - Risk identification checklists can be developed based on historical information
4. Assumptions Analysis
5. Diagramming Techniques like Cause-and-effect diagrams, System or process flow charts, Influence diagrams

Output of Risk Identification Process: Risk Register (Risk Tracker) - it should contain the following information: List of identified risks, List of potential responses, Root causes of risk and Updated risk categories.

• Risk categories are important in classifying risk.
• Risk management planning and risk response planning are not the same activities.
• Risk can be either positive or negative. Positive risks are opportunities, negative risks are threats.
• A risk breakdown structure is used to organize risk in a hierarchical structure.
• Probability and impact are both needed to assess risks.
• Quantitative analysis is generally reserved for high-probability, highimpact risk.
• Risk identification is an iterative process that is performed throughout the project, not just during planning.
• Decision tree analysis is a technique using probabilities and costs for structured decision making.
• Monte Carlo analysis is a technique using simulations and probability in determining quantitative risk analysis.

1. Operational Risk: Risks of loss due to improper process implementation, failed system or some external events risks. Examples can be Failure to address priority conflicts, Insufficient resources or No proper subject training etc.

2. Schedule Risk: Project schedule get slip when project tasks and schedule release risks are not addressed properly. Schedule risks mainly affect on project and finally on company economy and may lead to project failure

3. Budget Risk: Wrong budget estimation or Project scope expansion leads to Budget / Cost Risk.  This risk may lead to either a delay in the delivery of the project or sometimes even an incomplete closure of the project.

4. Business Risk: Non-availability of contracts or purchase order at the start of the project or delay in receiving proper inputs from the customer or business analyst may lead to business risks.

5. Technical Environment Risk: These are the risks related to the environment under which both the client and the customer work. For example, constantly changing development or production  or testing environment can lead to this risk.

6. Information Security Risk: The risks related to the security of information like confidentiality or integrity of customer’s personal / business data. The Access rights / privileges failure will lead to leakage of confidential data.

7. Programmatic Risks: The external risks beyond the operational limits. These are outside the control of the program. These external events can be Running out of fund or Changing customer product strategy and priority or Government rule changes etc.

8. Infrastructure Risk: Improper planning of infrastructure / resources may lead to risks related to slow network connectivity or complete failure of connectivity at both the client and the customer sites. So, it is important to do proper planning of infrastructure for the efficient development of a project.

9. Quality and Process Risk: This risk occures due to

1. Incorrect application of process tailoring and deviation guidelines
2. New employees allocated to the project not trained in the quality processes and procedures adopted by the organization

10. Resource Risk: This risk depends on factors like Schedule, Staff, Budget and Facilities. Improper management of any of these factors leads to resource risk.

11. Supplier Risk: This type of risk may occurs when some third party supplier is involved in the development of the project. This risk occurs due to the uncertain or inadequate capability of supplier.

12. Technology Risk: It is related to the complete change in technology or introduction of a new technology.

13. Technical and Architectural Risk: These types of risks generally generally leads to failure of functionality and performance. It addresses the hardware and software tools & supporting equipments used in the project. The risk for this category may be due to — Capacity, Suitability, usability, Familiarity, Reliability, System Support and deliverability.

Apart from the above mentioned project risks, there is a common type of risk: Project Management Risk. This risk is related to following attributes:

1. Project Planning
2. Project Organization
3. Management Experience & Program Interfaces
4. Delay in getting approval for some of the work products from the customer or more requirement changes

1. Environmental factors
2. Organizational process assets
3. Project Scope Statement
4. Project management plan

Project Risk Management Planning Tools and Techniques: Meetings for planning and analysis are the primary tools for creating the Risk Management Plan, which is the output of this process. One of the ways that a project team can begin to define the types and sources of risk events is to create a Risk Breakdown Structure (RBS).

The Risk Breakdown Structure is one way to identify risks in a structured manner. It assists the team in conducting a systematic review of risks and development of responses to risks.

The Risk Management Plan can include a Probability and/or Impact Matrix for organizing the information that will be used during the Risk Identification process to prioritize and quantify risks, and it may in some cases show opportunities for the project as well. Common information in the matrix includes numerical and/or descriptive definitions of impact, negative and positive, and the probability of occurrence. The combination of probability and impact determines whether a risk is rated high, moderate, or low. These descriptors are rank ordered in a relative scale. Numerical scales can also be used.

Outputs of Risk Management Planning: The Risk Management Plan should describe the entire risk management process, including auditing of the process. It should also define the content and format of the Risk Register, reporting, and risk tracking.

1. Methodology Describes how risk management will be done on the project
2. Roles and responsibilities Defines the risk management team and their responsibilities for risk management activities
3. Budgeting Assigns budget for risk management activities to be included into the project cost baseline (project budget)
4. Timing Specifies when and how often the risk management activities appear in the project schedule
5. Risk categories Defines types and sources of risks to guide the Risk Identification process
6. Definitions Operational definitions for the project team to use to ensure consistency in the assessment of risks and opportunities
7. Probability and Impact Matrix Specific combinations of impact and probability, which lead to risk ratings such as high, medium, or low
8. Revised thresholds Revised or validated descriptions that trigger taking action; scope, quality, cost, and time thresholds may be different from each other
9. Reporting formats How to communicate risk activities and their results
10. Tracking How to document risk monitoring and management activities

The Risk Management Plan will be used throughout the life cycle of the project. As the team moves through the subsequent Risk Management Processes, the plan will be revised, updated, and improved.