There are other ways to examine the sources and categories of risk. In A Guide to the Project Management Body of Knowledge ( P M B O P 4 Guide-1987 Edition) (Project Management Institute Standards Committee 1987), risk categories included:

External unpredictable w External predictable w Internal (nontechnical) w Technical

Legal

Sample risks or risk sources from each category are shown in Table 2.

Risk Category Sample RiskslRisk Sources

External unpredictable Unplanned regulatory change Site zoning or access denied Flood

Sabotage Social upheaval Political unrest

Earthquake Vandalism

Environmental catastrophe Unpredictable financial collapse External predictable Financial market fluctuation Raw materials demand

Competitive shifts Productlsewlw value

Inflation Taxation

Safety Health regulation

Internal (nontechnical) Procurement process delays Team member inexperience Senior staff changes Integration mistakes Poor human resources coordination Access limitations Cash flow concerns Late deliveries

Technical Technology shifts Design imprecision

Quality demand changes Requirements changes Productivity limitations Improper implementation Operational demand changes Reliability challenges

Legal License challenges Contract failures

Patent litigation Staff lawsuits

Customer lawsuits Government action

Table 2. Risk Categories and Sources (per PMBOKaGuide-1 987 Edition)

PMBOKm is a trademark of the Project Management Institute, Inc., and is registered in the United States and other nations.

I 6 Chapter2

However, in the latest edition ( P M B O P Guide-2000 Edition) (Project Management Institute 2000), the risk categories shifted slightly,

becoming-

w Technical, quality, and performance w Project management

Organizational External

Sample risks and sources of risk are shown in Table 3.

Risk Category Sample RisksIRisk Sources

Technical, quality, and Higher performar~ce goals performance Technology shifts

Platform changes Project management Poor time allocation

Poor budget planning Organizational Weak infrastructure

Unclear organizational objectives

External Legal challenges

Shifting customer goals

New industry standards Complex technology Unproven technology Poor resource allocation Poor project planning

Intra-organizational resource conflict Shifting funding availability Natural disasters Regulatory shifts

Table 3. Risk Categories and Sources (per PMBOKmGuide-2000 Edition) Their differences notwithstanding, in both instances the emphasis is on the risk drivers rather than the risk indicators.

External Unpredictable

Issues that loom at the doorstep of any given project are the classic "act of God" risks. Natural disasters, capricious acts of government, sociological upheaval, or environmental change can happen without warning, thus changing the entire tenor of a project. Project rationale may be subverted, and approaches may be subsumed. Although there is generally little that can be done to preclude these events, awareness of their existence is crucial.

External Predictable

External predictable risks are those externally driven problems that can be foreseen. Although the total impact may be difficult or impossible to discern, it is possible to work through the issue in depth and examine potential outcomes and potential time frames. For example, changes in financial markets can be predicted, but the degrees of accuracy vary widely depending on who makes the predictions. External predictable risks are perceived as those environmental risks that project managers should be

Risk Concepts 1 7

attuned to and prepared for, as they can be more readily detected than their unpredictable peers.

Internal (Nontechnical)

By virtue of their existence, organizations generate risk. Levels of bureauc- racy, staffing policies, administrative procedures, and basic internal procedures drive certain risks. Although many of these risks are not under the project manager's direct purview, there is still an expectation that the project manager will take responsibility for ensuring project success in the context of this environment. These are not the risks associated with carrying out the actual tasks in a project but are rather the risks associated with the setting in which the project will take place.

Technical

As the name implies, technical performance drives technical risks. What does it take to get the job done? Whether the project objective is to deploy servers or to pave a road, there remains a certain level of technical risk.

Given the current marketplace of ideas and approaches, technical risks increase dramatically as new technologies are brought to bear. Moreover, attempting to balance capability with technology makes this all the more demanding.

As discussed earlier, the increasing complexity of the technical environment makes risk identification within this category an escalating challenge. As a result, project managers should expect, at a minimum, to have a clear understanding of the breadth of the risks associated with a particular technical level.

Legal

When the earlier version of the P M B O P Guide (1987) was published, legal risks were regarded as having sufficient weight to merit their own category-and with good reason. Within projects, legal risks are legion since many are contractually based, and all serve a body of widely varied stakeholders. With the societal propensity for lawsuits (particularly in the United States), the unique nature of projects makes them an open and ready target for the litigious.

Technical, Quality, and Performance

The new category of technical, quality, and performance mirrors the category designated "technical" in the earlier P M B O P Guide (1987) and the original DSMC text. However, with our increasing emphasis on quality and performance, there is recognition that the level of quality requested and the capabilities of the system can drive additional risks. Higher levels

of complexity drive higher levels of risk, as do higher demands for quality.

In both instances, there is a greater possibility that customer expectations may not be achieved.

Interestingly, high-quality projects are frequently those that are per- ceived as generating a lower level of risk for the buyer. Building in such risk protection, however, often bears its own set of risks for the seller. The seller must develop a product or service that has, to a degree, been risk-proofed.

During the development process, the seller becomes responsible for examining the breadth of possibilities for risk associated with the deliv- erable~ and for ensuring that those risks either do not materialize or are transparent to the buyer if they do occur.

Project Management

Project managers are not solely responsible for project management, but they must take responsibility for its outcomes. Project management is a team activity; as such, the variety of players who take the field in par- ticipating in the processes all have opportunities to either generate or reduce risks. Whereas project management is largely rooted in planning, most of the risks identified within this category are those associated with the efficacy of the plans created.

Project management risks include the risks of poor project plans, poor resource allocation, poor budget planning, poor schedules-all of which lead to varying levels of stakeholder dissatisfaction. The creation of this category places the onus on the project managers to bring together disparate stakeholders in the process and to unite them behind a single vision as to what the plan(s) should be.

Organizational

Project management's classic dilemma is that project managers are burdened with extensive responsibility but have no authority to cany it out. Organizational risks point directly to that issue because they are primarily bureaucratic in nature. They are borne both out of organizations' inability to support projects and their excessive zeal in dictating how projects should be carried out.

Classic battles between functional factions, resources, and competing budgets are typically waged with projects as the battleground. Because projects frequently stretch organizational capability, projects also test organizational objectives and missions, challenging management at senior levels to make what can be difficult decisions. Moreover, the cross- functional nature of projects also draws other combatants into the fray, including human resource staff, functional managers, and sometimes, the executive team.

Risk Concepts 19

External

External risks in the P M B O P Guide-2000 Edition mirror earlier definitions of both predictable and unpredictable external risks.

In later discussions, it will become more evident why the varied (and perhaps seemingly arbitrary) categories and facets of risk are critical to effective risk management organizations. For now, suffice it to say that these categories provide a sound context in which risk management can be framed. By applying these categories, managers can ensure a level of consistency in identifying and reviewing the breadth of risks their organizations face. Without them, it becomes increasingly likely for one particular risk category to be favored to the exclusion of the others.