Please Share Feedback

Questions, comments, suggestions? Let us know what you think on our Forum.

To contact us privately, please use our contact form.

Author: Elyse, PMP, CPHIMS
March 29, 2007

Risk monitoring and control is the process of identifying, analyzing, and planning for newly discovered risks and managing identified risks. Throughout the process, the risk owners track identified risks, reveal new risks, implement risk response plans, and gage the risk response plans effectiveness. The key point is throughout this phase constant monitoring and due diligence is key to the success.
The inputs to Risk Monitoring and Control are:

  • Risk Management Plan - The Risk Management Plan is details how to approach and manage project risk. The plan describes the how and when for monitoring risks. Additionally the Risk Management Plan provides guidance around budgeting and timing for risk-related activities, thresholds, reporting formats, and tracking.

  • Risk Register – The Risk Register contains the comprehensive risk listing for the project. Within this listing the key inputs into risk monitoring and control are the bought into, agreed to, realistic, and formal risk responses, the symptoms and warning signs of risk, residual and secondary risks, time and cost contingency reserves, and a watchlist of low-priority risks.

  • Approved Change Requests – Approved change requests are the necessary adjustments to work methods, contracts, project scope, and project schedule. Changes can impact existing risk and give rise to new risk. Approved change requests are need to be reviews from the perspective of whether they will affect risk ratings and responses of existing risks, and or if a new risks is a result.

  • Work Performance Information – Work performance information is the status of the scheduled activities being performed to accomplish the project work. When comparing the scheduled activities to the baseline, it is easy to determine whether contingency plans need to be put into place to bring the project back in line with the baseline budget and schedule. By reviewing work performance information, one can identify if trigger events have occurred, if new risk are appearing on the radar, or if identified risks are dropping from the radar.

  • Performance Reports - Performance reports paint a picture of the project's performance with respect to cost, scope, schedule, resources, quality, and risk. Comparing actual performance against baseline plans may unveil risks which may cause problems in the future. Performance reports use bar charts, S-curves, tables, and histograms, to organize and summarize information such as earned value analysis and project work progress.

All of these inputs help the project manager to monitoring risks and assure a successful project.
Once the risk owner has gathered together all of the inputs, it is time to engage in risk monitoring and controlling. The best practices provided by PMI are:

  • Risk Reassessment - Risk reassessment is normally addressed at the status meetings. Throughout the project, the risk picture fluctuates: New risks arise, identified risks change, and some risks may simply disappear. To assure team members remain aware of changes in the risk picture, risks are reassessed on a regularly scheduled basis. Reassessing risks enables risk owners and the project manager to evaluate whether risk probability, impact, or urgency ratings are changing; new risks are coming into play; old risks have disappeared; and if risk responses remain adequate. If a risk's probability, impact, or urgency ratings change, or if new risks are identified, the project manager may initiate iterations of risk identification or analysis to determine the risk's effects on the project plans.

  • Status Meetings –Status meetings provide a forum for team members to share their experiences and inform other team members of their progress and plans. A discussion of risk should be an agenda item at every status meeting. Open collaborative discussions allows risk owners to bring to light risks which are triggering events, whether and how well the planned responses are working, and where help might be needed. Most people find it difficult to talk about risk. However, communication will become easier with practice. To assure this is the case, the project manager must encourage open discussion with no room for negative repercussions for discussing negative events.

  • Risk Audits - Risk audits examine and document the effectiveness of planned risk responses and their impacts on the schedule and budget. Risk audits may be scheduled activities, documented in the Project Management Plan, or they can be triggered when thresholds are exceeded. Risk audits are often performed by risk auditors, who have specialized expertise in risk assessment and auditing techniques. To ensure objectivity, risk auditors are usually not members of the project team. Some companies even bring in outside firms to perform audits.

  • Variance and Trend Analysis - Variance analysis examines the difference between the planned and the actual budget or schedule in order to identify unacceptable risks to the schedule, budget, quality, or scope of the project. Earned value analysis is a type of variance analysis. Trend analysis involves observing project performance over time to determine if performance is getting better or worse using a mathematical model to forecast future performance based on past results.

  • Technical Performance Measurement - Technical performance measurement (TPM) identifies deficiencies in meeting system requirements, provide early warning of technical problems, and monitor technical risks. The success of TPM depends upon identifying the correct key performance parameters (KPPs) at the outset of the project. KPPs are factors that measure something of importance to the project and are time/cost critical. Each KPP is linked to the work breakdown structure (WBS), and a time/cost baseline may be established for it. The project manager monitors the performance of KPPs over time and identifies variances from the plan. Variances point to risks in the project's schedule, budget, or scope.

  • Reserve Analysis - Reserve analysis makes a comparison of the contingency reserves to the remaining amount of risk to ascertain if there is enough reserve in the pool. Contingency reserves are buffers of time, funds, or resources set aside to handle risks that arise as a project moves forward. These risks can be anticipated, such as the risks on the Risk Register. They can be unanticipated, such as events that "come out of left field." Contingency reserves are depleted over time, as risks trigger and reserves are spent to handle them. With constraints as above monitoring the level of reserves to assure the level remains adequate to cover remaining project risk, is a necessary task.

Outputs of the Risk Monitoring and Control process are produced continually, fed into a variety of other processes. In addition, outputs of the process are used to update project and organizational documents for the benefit of future project managers. The outputs of Risk Monitoring and Control are:

  • Updates to the Risk Register – An updated Risk Register has the outcomes from risk assessments, audits, and risk reviews. In addition it is updated with the resulting outcome of the project risk and risk response. Was it a good response, did the response have the desired affect? The updated Risk Register is a key part of the historical record of risk management for the project and will be added to the historical archives.

  • Updates to Organizational Process Assets - Organizational process assets should be documented in ligh of the risk management processes to be used in future projects. Documents as the probability and impact matrix, risk databases, and lessons-learned information, as well as all of the project files are archived for the benefit of future project managers.

  • Updates to the Project Management Plan - Updates to the Project Management Plan occur if any approved changes have an impact on the risk management process. In addition, these authorized changes incur risks which are documented in the Risk Register.

  • Recommend Corrective Actions - Recommended corrective actions consist of two types: contingency plans and workaround plans. A contingency plan is a provision in the Project Management Plan that specifies how a risk will be handled if that risk occurs. The plan may be linked with money or time reserves that can be used to implement the plan. A workaround plan is a response to a negative risk that was passively accepted or not previously identified.

  • Recommend Preventative Actions – Recommended preventative actions assure the project follows the guidelines of the project management plan.

  • Requested Changes – Requested Changes are any identified changes to the project management plan. Change requests are completed and submitted to the Integrated Change Control process. All requested changes must are documented, and that approvals at the right management levels are sought and obtained.

Subscribe and Share!

Did you enjoy this article? Your feedback is very important! I'd like to invite you to keep up to date with the latest posts from Anticlue. We offer several venues. If you have some questions, help can be found here.

2 Comments to “Risk Monitoring and Control”

This is a good article. We always ignore the importance of the risk monitoring and plan, and focus on the risk management plan. Actually it is a continuous process.

is this the overview of risk managment according to the PMI??

« Risk Response Planning Ask Dr. Wiki »

Please share your thoughts and suggestions