Identify and Analyze Risks

The second stage of the risk management process includes both the identification of potential risks and the evaluation of the potential impact of the risk. As you identify risks, you add them to the risk register and document their characteristics. Risks specific to a particular project should be added as project risks. Risks that may directly impact a program or may impact multiple projects within a program should be added as program risks. For each risk that poses a threat or opportunity to your project or program, you must assign probability and impact values based on the risk assessment criteria defined for the project or program. Using the criteria, you can prioritize your risks. From this prioritization, you can develop a list of the most important risks that can be further analyzed to understand the severity of their potential impact to the project or program, and the time frame when the impact will occur.

Another type of risk, weather, can be added to the register to account for the different weather events your project or program might encounter. The impact of a weather risk is assessed by estimating the amount of non-working time the risk can add to your project or program's activities, thereby increasing the duration and cost of your project. Accurate weather estimates can be provided by referencing historical weather data for the type of event, the location of your project or program, and the time of year in which the work will be performed.

You can control the addition of risks to the risk register by establishing a risk proposal process. Build customized proposal forms for project and program risks and customized workflows for project risks to create, assess, and verify potential risks before they are added to the risk register.

Pre-Response and Post-Response Analysis

When you enter threat or opportunity risks in the risk register and specify probability and impact values for them, you establish a pre-response risk context for your project. This represents your project risk profile before any measures are implemented to mitigate the effect of the risks on the project objectives.

To control risks, you can add risk response actions and define post-response probability and impact values to characterize how response actions can mitigate the effect of risk. When you add risk response actions and enter post-response probability and impact values, you establish a post-response risk context. This represents your project risk profile after risk mitigation techniques have been implemented. You can run risk analyses against the alternate response contexts to determine the effectiveness of your risk response actions. You can view all of your risk response actions on the Response Actions page.

Weather risks do not support pre-response and post-response contexts. When running a pre-response or post-response analysis on your project, the same weather data is used in calculations for both contexts.

The application has the capability to perform both qualitative and quantitative risk analysis.

Qualitative Risk Analysis (Projects or Programs)

Qualitative risk analysis consists of using risk assessment tools to prioritize and rank the risks contained in the risk register on a pre-defined rating scale. Risks are scored based on their probability or likelihood of occurring and the impact on project or program objectives should they occur. Using qualitative analysis, you are able to focus on the most important risk areas. You can generate separate risk scores for pre-response risk values and post-response risk values.

At the project level, risk scoring is based on the assigned project matrix. At the program level, program risk scoring is based on the assigned program matrix. Project risk scores are visible for project risks at the program level, as well as an additional project risk score calculated using the program's matrix. By applying the program matrix to project risks, you can compare risks from different projects using a consistent scoring scheme. This enables you to accurately prioritize project risks across the program.

To perform qualitative risk analysis, you must have your risk assessment criteria set up for your project or program and the Risk Register page must be populated with risk data. Weather risks are not supported by the qualitative risk analysis.

Quantitative Risk Analysis (Projects Only)

Quantitative risk analysis is a way of numerically estimating the probability that a project will meet its cost and time objectives. Quantitative risk analysis can also help you pinpoint where your biggest risk exposure lies and when in the project schedule it is most likely to occur. Oracle Primavera Cloud gives you the ability to run a quantitative risk analysis on a project based on a simultaneous evaluation of the impact of all identified and quantified risks, as well as the impact of general activity uncertainty. You can run the analysis on pre-response and post-response threat and opportunity risk values. Weather risks are also supported by the quantitative risk analysis and are used to simulate non-working time for individual activities.

The application uses the Monte Carlo method to perform the quantitative risk analysis. Monte Carlo is a probabilistic simulation modeling technique to quickly generate multiple runs simulating real project progress. During the analysis, the system uses varied combinations of input variables to build its model, including project schedule, risk, and cost data within their statistical constraints. Each simulation iteration generates a duration for each project activity, taking into account its associated risks, weather-related non-working estimates, and general uncertainty. The system also records all project schedules and critical paths during progress to calculate the many possible project completion dates and project costs. You can adjust your settings to run a less detailed but quicker analysis or a more comprehensive analysis that will take longer to complete.

Schedule impact values are distributed to all activities assigned to a risk. If no activities are assigned to a threat or opportunity risk, the schedule impact values affect the project directly. This means that during the quantitative risk analysis, the duration of the schedule impact is added directly to the project finish using the project calendar. If multiple risks impact the project directly, the schedule impacts are added to the project cumulatively. For weather risks, non-working time estimates are combined with each associated activity's assigned calendar, representing exception time in which the activity is not worked. This simulates the impact a weather event can have on the duration and finish date of an activity, which also indirectly impacts the total cost of the activity. If no activities are assigned to a weather risk, it is not included in the quantitative risk analysis.

The results of the Monte Carlo analysis are statistical distributions of cost and schedule estimates for the entire project. The analysis also produces statistical distributions of schedule estimates for individual activities. Based on the calculated distributions, it is possible to determine the likelihood that the project or an activity will be completed on a certain date. You can also determine the likelihood that the project will be completed within a certain cost.

Optionally, the Monte Carlo analysis also produces a list of the risks that most critically affect (positively or negatively) the finish date and cost of the project in the form of tornado charts. Known as a risk removal impact or sensitivity analysis, results include the potential impacts of individual risks as well as the average estimated impacts that each activity or risk may have on the finish date and cost of the project.

To see the details of the iterations that comprise your risk analysis, you can perform an iteration analysis. Cycle through the first fifty iterations to visualize how the uncertainty and risks applied for an activity would directly impact project dates, the critical path, and critical activities. Risk iterations are random, but assigned a number so you can go back and view a particular iteration until risk analysis is run again.

Quantitative risk analyses are run from the Run Risk Analysis dialog box on the project Risk Register or Risk Analysis pages. Analysis results are displayed in the Distribution Results, Mean Impact, and Risk Removal Impact on the Risk Analysis page and on the Risk Iteration Analysis page.