HKSM

A structured way to collect risk information and examine it to estimate likelihood, impact, and overall exposure. It helps rank risks, find main drivers, and support choices on responses and reserves.

Key Points

• Combines collecting relevant risk data with techniques to evaluate and synthesize that data.
• Uses both qualitative methods (e.g., scoring, categorization) and quantitative methods (e.g., decision trees, simulations) when warranted.
• Relies on calibrated scales, validated sources, and iterative review with stakeholders.
• Directly feeds updates to the risk register, risk report, and reserve recommendations.

Purpose of Analysis

• Prioritize risks so effort targets the most significant threats and opportunities.
• Expose root causes and systemic drivers to enable effective, preventive responses.
• Quantify uncertainty in cost and schedule to inform contingency and management reserves.
• Support transparent, data-informed decisions and risk-response selection.

Method Steps

• Define scope and objectives: which deliverables, timeframes, and decisions the analysis will support.
• Select techniques: interviews, workshops, document review for data; scoring, EMV, decision trees, or simulation for analysis.
• Prepare instruments: rating scales, risk matrix, data collection forms, model structure, and assumptions.
• Collect data: review logs and lessons learned, survey SMEs, analyze vendor and market data, and extract metrics from tools.
• Validate and clean: de-duplicate entries, check data quality, normalize scales, and estimate ranges with confidence levels.
• Run qualitative analysis: probability–impact ratings, categorization, urgency/trend checks, and data quality assessment.
• Run quantitative analysis when needed: decision trees with EMV, Monte Carlo on cost/schedule, and sensitivity/tornado charts.
• Synthesize results: prioritized list, key risk drivers, exposure metrics, and recommended next actions.
• Review with stakeholders and update the risk register, risk report, and assumptions log.

Inputs Needed

• Risk management approach, scales, and thresholds.
• Current risk register or risk log, including identified risks and categories.
• Scope, cost, and schedule baselines; estimates and ranges.
• Stakeholder information and availability of subject matter experts.
• Historical data, benchmarks, and lessons learned from similar work.
• External data such as vendor performance, market trends, and regulatory updates.
• Assumptions and constraints relevant to the analysis.

Outputs Produced

• Prioritized risk list with rationale and thresholds crossed.
• Exposure measures such as risk scores, EMV, and P50/P80 dates or costs.
• Risk categorization, themes, and root cause insights.
• Data quality assessment and confidence levels for key inputs.
• Updates to the risk register and risk report, including trends and triggers.
• Recommendations for responses and contingency or management reserve adjustments.

Interpretation Tips

• Use thresholds to decide which risks need immediate responses versus monitoring.
• Focus on drivers highlighted by sensitivity or tornado charts to maximize impact of responses.
• Differentiate event risks from variability; treat each with suitable techniques.
• Interpret percentiles correctly (e.g., P80 means 80% chance of finishing on or before that date/cost).
• Account for dependencies and correlations to avoid double-counting exposure.
• Pair quantitative results with qualitative context to avoid false precision.

Example

A cloud migration project gathers defect rates from prior sprints, vendor outage history, and SME estimates of data transfer speeds. The team scores identified risks for probability and impact, then builds a simple schedule model with ranges for network throughput and cutover duration. Monte Carlo results show a high chance of delay driven by data transfer variability; the team plans a phased migration, reserves additional buffer, and sets a trigger tied to pre-migration throughput tests.

Pitfalls

• Using inconsistent rating scales or uncalibrated SMEs, leading to unreliable scoring.
• Confusing issues with risks, inflating exposure with already-occurring problems.
• Overreliance on averages without considering ranges and tails.
• Ignoring correlations between risks or cost and schedule elements.
• Performing heavy analysis on poor-quality or outdated data.
• Analysis paralysis that delays needed responses and reserves decisions.

PMP Example Question

While planning risk analysis, a project manager wants to improve confidence in schedule contingency decisions. Which action best applies data gathering and analysis to achieve this?

1. Ask the sponsor to increase the contingency by 20% across all activities.
2. Hold a lessons learned meeting after go-live to refine contingency estimates.
3. Collect historical throughput data and SME ranges, then run a simulation to identify schedule drivers.
4. Add only high-impact risks to the register and defer all others to execution.

Correct Answer: C — Collect historical throughput data and SME ranges, then run a simulation to identify schedule drivers.

Explanation: Gathering relevant data and analyzing it with a simulation links uncertainty to schedule outcomes and supports contingency decisions. The other options are arbitrary, delayed, or incomplete.