Chapter 3 Introduction to Risk – Artificial Intelligence for Risk Management


Introduction to Risk

  • Definition of risk
  • Risk examples: risk business case
  • Different types of risks
  • Risk management process
  • Risk categories

Chapter Outline

  • Define risk and provide examples
  • Illustrate various risk areas
  • Illustrate risk process areas in detail
  • Determine risk mitigations
  • Illustrate risk standards

Key Learning Points

  • Learn and understand risk
  • Identify risk areas
  • Mitigate risk
  • Understand what uncertainties exist
  • Analyze and determine which events must have a planned response
  • Adopt an approach for each risk event, defining what triggers a response
  • Maintain risk plans
  • Monitor risk occurrences

Definition of Risk

Risk can be defined as the possibility of gaining (good) or losing (bad) something such as financial benefits, time benefits, brand value, customer value, and any measurable value. Thus, there are two types of risk: positive and negative. While investing money into a business, financial gain is positive and financial loss is negative. Risk can be an uncertain, unpredictable, and uncontrollable outcome. Risk perception is the judgment people make about severity and possibility. Any task or action comes with some sort of risk.

Risk is uncertainty. A typical risk is facing an unfortunate situation, such as losing an investment. Another example is that an organization may have a lower than planned and budgeted trend of doing well in the financial calendar year.

Technical projects tend to be lean. This means challenges occur due to work with inadequate funding, staff, and equipment. To make matters worse, managers have a persistent expectation to complete projects faster than projected.

Some concerns lead to risk and include issues that are not addressed and allowed to persist in the corporate workspace. Some concerns may include:

  • Issues that affect a project’s time, schedule, cost, or quality and scope.
  • Project or task areas that require assessment and executive review.
  • Subsequent areas that do not address cultural or organizational changes, technical changes to applications, legal or contract changes, and the business/project sponsor owner with new requirements.

Occasionally people working on projects for corporations contribute people risks that consist of the following:

  1. Late start of a project: At times, project personnel are unavailable at project start, perhaps due to finishing previous projects later than expected.
  2. Occasionally, project resources may be lost due to resource resignation, promotion, reassignment, health, or other reasons.
  3. Consultants and contract workers may be in short supply or unavailable. The firm may experience a temporary loss of staff due to illness, unusual busy work at the organization site, support priorities, or for other reasons.
  4. Queuing could be an issue on projects due to slippage related to experts’ commitment availability.
  5. Lack of motivation can lead to a lack of team interconnection and interest; this is more likely to happen on long projects.

Other types of risks will be described in the examples provided.

Another example of a risk is that an organization may have a lower than planned and budgeted trend of doing well in the financial calendar year. Other related topics of risk will be explained in this chapter.

Example of a Risk Business Case

Risks in an organization/business sector can be dangerous and unpredictable for organizations. The following case studies are typical examples.

Case Study 1: Blockbuster and Netflix


The Blockbuster and Netflix case illustrates how important due diligence is before committing to business dealings. Being too quick to get into an agreement can create problems for organizations. This means an investigation is required to look at positive and negative risks.

  • Accountability of new trends and impact to large corporations and the risks associated.
  • How do we avoid such new trend changes and impacts to other corporations?
  • How do we detect business model trends early enough to save large corporations?
  • Can we detect new trends to answer this problem?

Business Case Summary

This case study concerns Netflix (Reed Hastings, founder of Netflix) and Blockbuster (John Antioco, CEO of Blockbuster). In 2000, the founder of Netflix, based in Dallas, proposed a partnership to Blockbuster, which was atop the video rental industry. The proposal was that Netflix could run Blockbuster’s brand online and Blockbuster could promote Netflix in its stores. Eventually Blockbuster went bankrupt in 2010 and Netflix became a $28 billion company.

Hastings is widely hailed as a genius and Antioco is considered a fool. Scientists for the past 15 years studied the incident and now they know how the networks function and how this incident could have been avoided.

The lesson of risk stems from the notion that in 2000, Blockbuster had thousands of retail locations and millions of customers with enormous budgets and efficient operations that dominated the competition in this business sector. Unfortunately, Blockbuster had a weakness of charging its customers for late fees. This was an important model that earned them enormous revenue. Netflix did not have the same late fees and did not have locations. Customers could watch videos if they wanted or return them to get another one. However, customers needed to have a subscription to rent videos. This worked well for Netflix. The lesson here was that a risky business model led to the downfall of the Blockbuster corporation.

This is one example of business model risk: Blockbuster did not incorporate a new type of business model and new technological trends. Positive risk was the Netflix approach and negative risk was that Blockbuster had fallen into a trap. Similarly, AI is heading into new technological trends and industrial revolutionary business model transformations. Corporations should embrace this model trend sooner rather than later to avoid business model risk, making a positive risk by using the opportunity.

Case Study 2: Taxi Business and Uber


The Taxi and Uber case illustrates how important due diligence is when starting a business, and the danger of doing so without thorough research into what is to come. Being too eager to adopt a business model and commit fully can hurt the growth and prospects of the organization. This means an investigation is required to consider the positive and negative risks associated with such business models.

  • Consideration and due diligence of the corporation and the associated risks.
  • How do we incorporate research and expected changes to clients’ needs to reflect the business model?
  • How do we detect possible risks in the business model?

Business Case Summary

The regular taxi business has been straightforward, answering the need if a person needed a ride from Point A to Point B. They would just call the taxi office and specify the goal location. The taxi specifies the amount to pay or lets the meter in the vehicle tally the distance and amount. Some taxis can be stopped on the road and told the destination. The taxi driver specifies the amount to be paid, and once at the destination, the customer pays the driver the agreed amount. Here are additional advantages for Uber:

  1. A driver can drive their vehicles based on prior arrangement with Uber bookings.
  2. Log into your phone app and drop customers at specified locations.
  3. Uber driving is not a full-time business.
  4. A driver makes money and customer fees are lower.
  5. Customers can call from anywhere. This is convenient for the customer.
  6. Uber created a business model transformation.

The conventional taxi business model has been lucrative everywhere in the United States until recently. Uber Technologies Inc., doing business as Uber, introduced taxi service with a new business model. The Uber taxi business model operates differently. The customer can book Uber car service by using an application on the customer’s cell phone. The service is relatively safe because of controls built into the application and the services it offers. The driver of the Uber car is checked to make sure they have no security issues. The customer knowing that Uber drivers are relatively safe attracts more customers to use the service. Uber drivers use their vehicles to operate under the Uber business name. The service is attractive and has taken some business from the conventional taxi service.

Regular taxi drivers have felt the pinch of losing business to Uber. The effect is that taxi drivers have lost income (KATZ March 28, 2018) leading to suicide among some taxi drivers. On March 16, 2018, Nicanor Ochisor, a 65-year-old yellow cab driver, took his own life in his New York Queens home. His family reported he had been worrying about losing revenue. Nicanor paid a great deal of money to obtain his taxi medallion and was not making adequate money to enable him to retire. In February 2018, a similar case happened to taxi driver Douglas Schifter. Douglas shot himself outside City Hall after posting a long statement on Facebook blaming politicians for saturating the streets with taxi cabs that included Uber taxis. The New York Taxi Workers Alliance, a nonprofit group that advocates for drivers, reported that two other incidents of drivers killing themselves occurred due to financial pressures.

Case Study 3: Enron Case Study


The Enron case illustrates how important financial accountability is to the growth or collapse of an organization, and the danger of proceeding without thorough research into what is to come (Segal 2018). Not auditing and ensuring accountability may lead to risk problems. This means companies should adopt an appropriate risk standard.

  • Accountability of financial declarations of the corporation to stakeholders and the risks associated.
  • How do we avoid such incidents happening to other corporations?
  • How do we detect such incidents early?

Business Case Summary

In 2001, a U.S. corporation, Enron, based in Houston, Texas, ran into accountability problems with the law due to lies in the organization’s merger between Houston Natural Gas and InterNorth. Both organizations were small regional companies. Enron employed about 20,000 employees and was named one of the Fortune innovative companies for six consecutive years.

By 2001, it was found that Enron reported financial information that turned out to be institutional, systematic, and creatively planned fraud, later known as the Enron scandal. This led to corporation accounting practices and activities in the United States and subsequently led to the enactment of the Sarbanes–Oxley Act of 2002. This enactment affected the greater business world by causing a dissolution of Arthur Andersen, an accounting firm. Enron eventually filed for bankruptcy in the Southern District of New York in late 2001, using Weil, Gotshal & Manges as its bankruptcy counsel. Enron eventually sold its last remaining business, Prisma Energy International Incorporation on September 7, 2006, to Ashmore Energy International Ltd. (currently called AEI).

The idea is to investigate the truth about the claims that enabled them to be innovative six times. Was Enron truthful and ethical in their business dealings?

The intended audience of the corporation is project stakeholders such as the business owner and senior leadership.

Business Need

Were there risk violations that made Enron look good enough to be nominated six times? It is important that similar incidents be analyzed and have immediate resolutions.


A similar incident may likely happen in the short term or over time. It is important corporations and merger organizations identify such occurrences and quickly stop unethical occurrences.


Organizations need to check if there are risk areas that include schedule, initial costs, life-cycle costs, technical obsolescence, feasibility, reliability of systems, dependencies/interoperability, surety considerations, future procurements, project management, overall project failure, organizational/change management, business, data/information, technology, strategic, security, privacy, project resources, and project lies.

Everyone lies (Cothenet 2016). Lies may cause damage through investigation, and organizations should carry out investigation and ensure accountability.

High-Level Business Impact

Any damaging operations are likely to create false assumptions that can tarnish the reputation of a corporation. Here are some reputation issues that can damage an organization:

  1. Legal issues
  2. Loss of reputation
  3. Loss of finance/revenue
  4. Employees may lose their jobs
  5. Companies may go out of business
  6. Loss to investors

Alternatives and Analysis


How could this have been avoided?

How can we determine a reputable auditing firm for the corporation?

How can we confirm that the corporation is conforming to government regulations and policies?

Is this too good to be true?

Is it statistically verifiable?

Is the data collected projected or actual data?

Alternative A

Check this organization frequently for ethical accountability. The budget should be reviewed as a top priority. Who audited the account, and can this person be trusted to do a thorough job consistently? Check if the generation of the budget is too blurred or if the budget is insufficient. If it is insufficient, ask the stakeholders to explain the situation and ask them to revise the budget or change the scope of the project or entities used to conclude the budget.

Alternative B

If an unethical finding emerges, legal action will be used against the firm.

Preferred Solution

Financial Considerations:

  • Financial accountability should be well detailed. This will include assumptions and supporting documents.
  • What data need to be collected to justify appropriate accountability?
  • Which data points need to be collected and statistically verified?

Uncertainties in any of the task areas should focus on risk and risk management. This means care and attention should be taken to plan risk and risk management well. Let’s spend some time discussing how risk should be managed.

Different Types of Risks

Natural Risks

Natural risk can be categorized as earth processes. Typical examples of natural risks are flooding, hurricanes, tornadoes, earthquakes, volcanic eruptions, tsunamis, and other geologic occurrences. Natural disasters can cause death, can damage property, and typically leave some economic damage in their wake. Further causes of severe damage depend on the affected population settings. Infrastructure can be damaged severely.

Country-Specific Risks

Country risks relate to the borders of a country and focus on related financial commitments. Risk may extend to political and economic unrest of the country. Business in a country may experience risk that must be considered. A typical example of country risk is purchasing a bond in countries such as Canada and Mexico. One of those countries may end up defaulting. The assessment will depend on the stability of the countries. One can assume that the default is more likely to happen in Mexico, because of the tax systems in the countries. The analysis will depend on the evidence of corruption in the countries, inflation rates, demographics, and education. Other factors may also lead to the prediction of risk. Further analysis will show that Mexico’s initial purchase is less than that of Canada. However, purchasing the bond in Mexico will likely cost less.

To evaluate country risk, analysts must consider qualitative and quantitative analysis.

An effective way to diversify stock is through international investing, but countries in which to invest must be chosen carefully. Deciding to invest in Mexico and Italy is not the same as investing in the United States. The careful analyst will consider the country’s economic and political risks that affect its businesses and affect investment losses.

Industry-Specific Risks

Investors may face various risks in industrial silos. Examples are provided in the following.

Industry-specific risk can be categorized into different industries such as construction (i.e., construction falls, quality controls, and managing construction defects), retail (i.e., product recall, managing crowds, and parking lot safety), and restaurants (i.e., kitchen safety, foodborne illness, kitchen staff cuts, and burns). Various industries face specific risks that may occur in another industry or are unique to that industry. Risks may align with daily activities, the equipment being used, or simply the type of business. Retail businesses have different types of risk from restaurant businesses. Further, resources can be used to address and minimize risk, and to promote safety in industries. Analysts should make efforts to minimize workplace accidents or injuries. Also, costs should be controlled appropriately.

Some risks can be controlled, such as investing in stocks. Although risky, the risk can be controlled with appropriate care and discipline. Here, thoughtful selection of investment to answer individual goals will keep individual stock and bond risks at an acceptable threshold.

Functional Area Risks

Functional area risks are typically referenced in areas such as division management, facility management, and security. These risks include allocation of building perimeters, chemical storage, elevators, entrances and exits, information security, parking areas, roof openings, shipping and receiving, warehouses, windows, and additional areas.

Departmental Risks

Numerous risks can affect departments in completing project objectives. We list a few risks:

Accidental hazards, acts of nature, client-related risk, employee risk, environmental risk, financial risk, fraud/corruption, hostile actions from others, landlord-related risk, legal risk, partner or supplier/contractor risk, political risk, process risk, public-opinion risk, and technology risk.

Subject Matter Risks

Subject matter risk is relevant to the following risk areas:

  • Country risk (i.e., political, environment, security, etc.).
  • Business risk (i.e., customer capability to pay, creditworthiness, market factors, etc.).
  • Contract risk (i.e., liability, price, type, penalties, etc.).
  • Project risk (i.e., resources, skill set, methodology, product stability, etc.).
  • Technology risk (i.e., solution, architecture, hardware and software infrastructure network, delivery channels, etc.).

Corporate Risk

Corporate risk is common in corporations. This is a broad range of risk to clients ranging from small business sectors to multinational corporations. Corporate risk requires management that will minimize financial losses. Risk management relates to external threats to a corporation such as fluctuations in the financial market that affect the corporation’s financial assets.

Here are examples of typical corporate risks:

  • Information technology risk (i.e., issues include data integrity, data leakage, loss of intellectual property, or cybercrime).
  • Fraud (i.e., employee misconduct may arise in a difficult economic climate).
  • Cost reduction pressure (i.e., a significant portion of the increase in profits may have to be achieved through cost reductions).
  • Increased competitive pressure in the organization (i.e., consumer spending has dropped to new lows; executives need to innovate products, prioritize customer service, reduce expenses on current offerings, and expand their product portfolio).
  • Compliance (i.e., expect more intense scrutiny and regulation of business practices).
  • Liquidity risk (i.e., bank credit availability remains limited and companies may need to explore alternative funding sources).
  • Talent risk (i.e., the market for talented and skilled professionals is flourishing and may lead to retaining and engaging employees as a human resource issue).
  • Political trends (i.e., economic discontent or expanding universal geopolitical risk).
  • The high cost of capital (i.e., credit crises and a high cost of capital are likely to persist until global credit markets stabilize).
  • Strategic change management (i.e., business transformations such as mergers, divestitures, and internal organizations).

Start-Up Risks

Every start-up business encounters some sort of risk. Typical start-up risks range from ideation to ongoing development:

  • Trusting a key employee
  • Relying on cash flow
  • Abandoning the steady paycheck
  • Sacrificing personal capital
  • Estimating popular interest
  • Betting on a crucial deadline
  • Investing personal time, funds, and health

All seven listed items can create an enormous risk for the start-up organization.

Security Risks

Security issues are everywhere. Two forces can cause risk:

  • Enemies are getting better and faster at making their threats stick.
  • Companies still struggle with an overload of urgent security tasks.

Here is a collection of IT security risks that need to be noted for organizations to consider:

  • Failure to cover cybersecurity basics.
  • Not understanding what generates corporate cybersecurity risks.
  • Lack of a cybersecurity policy.
  • Confusing compliance with cybersecurity.
  • The human factor plays an important role in how strong (or weak) the organization’s information security defenses are. Lower level employees can weaken security considerations. Organizations must watch the security setup and monitor access levels.
  • Bring-your-own-device policy and the cloud. One in five organizations suffered a mobile security breach.
  • Funding, talent, and resource constraints can lead to enormous problems in an organization.
  • Little or no information security training for stakeholders.
  • Lack of a recovery plan.
  • Constantly evolving risks: polymorphic malware (a type of malware that constantly changes its identifiable features to evade detection) is harmful, destructive, or intrusive computer software such as a virus, worm, trojan, or spyware.

Risk Management Process

We describe the risk management overview in detail, including the following processes (Heldman, July 5, 1905). This approach follows the PMI PMBOK Standards. The standard processes are plan risk management, identify risks, perform qualitative risk analysis, perform quantitative risk analysis, plan risk responses, implement risk responses, and monitor risks.

The processes are manually based and AI solutions for risk are redefined using an approach applying AI in a generalized fashion.

See Figure 3.1 for the generalized risk approach. Also see the Risk Management Overview Table 3.1 PMBOK 6 (PMI 2017).

Figure 3.1 Risk management process

Table 3.1 Risk management process



Plan Risk Management

Overall planning of the risk that may occur. This process enables planning risk management activities aiming to increase positive risk and minimize negative risk.

Plan risk management defines how risks associated with the project will be identified, analyzed, and managed. In this section, we outline how risk management activities are performed, recorded, and monitored throughout the life cycle of the project and describe, at a high level, the process to be used to record and prioritize risks by the risk manager or risk management team.

Identify Risks

Determine ways to identify risks. The process documents individual risks and their sources, subsequently helping the project team respond to the identified risks appropriately.

Perform Qualitative Risk Analysis

The process of prioritizing individual risks for further analysis or action, using their probability of occurrence and impact and focusing on high-priority risks. This process is repeated over the life of the project.

Perform Quantitative Risk Analysis

Numerically analyzing individual risks with other sources of uncertainties combined with overall impact. Literally, it quantifies overall risk exposure on the project. Additionally, it provides quantitative risk information that helps with planning risk responses. It is important that the process is carried out after qualitative analysis is performed. The process is completed through the project life cycle, as needed.

Plan Risk Responses

This process enables developing options, selecting appropriate strategies and actions, and treating individual risks. Responses enable resources to be allocated and document risk details. This process is repeated throughout the project life cycle.

Implement Risk Responses

Developing options and strategies for the identified risk as agreed in the plan. Agreed responses are implemented as planned to address the identified risk. This process is repeated throughout the project life cycle.

Monitor Risks

Watching for possible signs of risk and taking appropriate action to mitigate or remove it. This process enables the decision to be based on currently identified risks.

The Project Risk Management Plan is a high-level plan that details other risk processes. The resources working on the project determine the effort that will be put into taking care of the likelihood of the risk that will occur. The following entities go into project risk management: scope, schedule, and budget are the primary areas of project risk that information going into project risk management must address clearly and well.

The collected risk data will be used to analyze the AI system. Tables will be created from the risk management processes that can be used in the AI system.

This plan becomes a component of the Project Management Plan, documenting how the remaining risk processes will be performed.

Plan risk management with data that can be analyzed using Table 3.1, indicating the structure of each risk process. The process for each risk will be defined in detail. First, let us define what process means here.

Developing a Process

Processes make up the Process Management Institute project management approach. A process consists of three parts: input, tools and techniques, and output. This approach is adopted in this book (see Table 3.2).

Table 3.2 Process Icons

Initial information required to create process output. This will be provided by other processes or documents created during the overall process.

Tools and Techniques

Tools and techniques are the actions taken to create output. Several tools, methods, or techniques can be used in different processes and provide specific information or operations to achieve the objectives of the process. In general, a tool or technique consists of the following examples. The acronym STAMPED is useful when preparing for certification.

S: Systems, Skills, Software

T: Templates

A: Analysis, Audits

M: Methods, Meetings (including reviews, training, team building, negotiations, bidder conference)

P: Performance Measurements

E: EVM (Earned Value Management), Expert Judgment

D: Decomposition, Diagramming

Input is the initial information required to start the process, such as the company’s background information, procedures, and requirements before the project starts. The tools and techniques are the experiences, other procedures, and tools required to use the inputs to generate the output. The output varies based on the input, tools and techniques, and requirements of the project. The following icons will be used to denote the requirement.

To create a process, appropriate internal documents are inputs from the organization or outside the organization. The inputs are used by the tools and techniques to get one or more output. A general scenario is putting an orange into a blender and getting orange juice at the end. The orange is the input to the blender. The blender is the tool, and the technique is the expertise of the person using the blender to produce the orange juice. The orange juice is the output. See Figure 3.2: Project Process Diagram.

Each process identified in the process table is described in terms of the aforementioned model or methodology. For each input, several sources are provided. They could be previous documents or information obtained in a previous process. For example, the Project Charter is one of the very first documents created when a project is to be initiated. This document and all its relevant information are used to guide other processes. Also, see Figure 3.2.

Figure 3.2 Project process diagram

Input and Output Process

For example, in the Tools and Techniques for Define Activities, as shown as follows, we described the concept of decomposition, templates, and expert judgment earlier in the chapter. Next, we describe the new item, Rolling Wave Planning.



Rolling Wave Planning


Expert Judgment

The output process has two possible effects. The first effect is that the process may create a new document, new information, or new processes. The second is that the output can affect existing processes or documents. We summarize the input and output processes for that area, providing a data-flow diagram to demonstrate how the information connects to the project. It is helpful to use the rolling wave planning approach to consider each piece of the project related to risk.

Risk management consists of planning, identification, analysis, response planning, response implementation, and monitoring risk on the project. The objectives of project management are to increase the possibilities of positive risk and to decrease the impact of negative risks.

Points: Case Story of Blockbuster and Netflix

Example of business model risk: Blockbuster did not adhere to the new technological trend (Newman September 23, 2010). AI could have been applied for a solution. The new technology trend builds on social media and one can watch this approach. Here is a typical trend that needs to be watched:

  • Taxi business and Uber: New technological trend, better pricing model, and ease of driver sign on.
  • Enron business burst, use Enron case study.
  • Use other three business cases as applicable as possible.

Risk can occur based on lies on the project, as in the case study of Enron.

Purpose of

  • Accountability of financial declaration of a corporation to stakeholders and the risks associated.
  • How do we avoid such incidents happening to other corporations?
  • How do we detect such incidents early?

Business Case Summary

The following business case issues need to be mitigated, and the approach is provided next.

Positive Risk (Opportunities) Response Strategies

One can engage strategic responses to positive and negative risks. Let us look at each of the strategies.

The list of identified risks is recorded in the Risk Register. A Risk Register is an artifact generally used in risk management and project management. The purpose is to help assure regulatory compliance and stay current with potential issues that can derail intended outcomes. Identified risks are categorized into positive and negative strategies that need to be used appropriately.

Strategies use specific information regarding category, priority, urgency, schedule, and budget impact values. The probability of each occurring is described as follows.


This response strategy is used to ensure that the risk happens to get the perceived benefit from the situation. Simple ways to do this could be to train the team to give them extra skills or to adjust the deliverables slightly so they respond better to the opportunity.


A good aspect of the share response is in bidding for work or procurement. It is successful if the project bid involves being partnered or sharing with another firm. The opportunity of winning the bid would be more likely to happen if working as a team.


Enhancing the opportunity can come about when focused on the causes of the opportunity. In this strategy, it will be appropriate to focus on factors that are going to make this positive risk/opportunity happen. An example is by introducing software features to make the new product more marketable or shareable.


The accept strategy is used simply to accept the risk of the opportunity coming to the corporation. If nothing is done to influence the opportunity, then it could have a negative effect instead.

Negative Risks (Threats) Response Strategies

Negative risk strategies are useful for identified risks that may hurt the project. Using these strategies will help mitigate identified risks.


A mitigation strategy lessens the impact of the risk by trying to decrease either the probability of the risk happening or the impact of the risk. This strategy tends to decrease the severity of the risk.


In the transfer risk response strategy, the idea is to transfer the risk to a third party to manage. Transferring does not eliminate the risk; rather, it only transfers the responsibility of managing the risk to the third party. Vehicle insurance is a typical example.


Avoidance is a desired risk response strategy mainly used for critical risks and is the best technique for almost all risks. However, it cannot be used most of the time. It is easy to use this strategy if the risk is identified at a very early stage; otherwise, it is difficult to adopt because changing scope or schedule at a later stage is costly.


The acceptance risk response strategy is used for positive and negative risks. No action is needed to manage the risk except acknowledging it. Project managers use this strategy when the risk is not critical or if a response is not reasonable, based on the importance of the risk.

General Risks

Brief Qualitative and Quantitative Risk Analysis Summary

The qualitative analysis starts by determining whether the risk event requires a response. Risks that are thought to be significant will be analyzed further using risk quantification. Risks that are considered limited in impact and probability may be documented and put in lower rankings as a result of qualitative analysis. In all cases, no risk is left alone without being documented in the Risk Register. It is important that each identified risk is fully understood. The risks that are not understood may require further analysis that may lead to quantitative analysis. Quantitative risk analysis can take time and be expensive, stretching the project budget. At times, risk can be overemphasized, which takes up time and resources that should have been allocated to more worthy events. Often overemphasis happens when incorporating project management. If the project team did not previously realize the risk, and directed all efforts to other prioritized tasks until the team ran into difficulties moving forward, project management is not paying attention to critical areas of the project. The team needs to mitigate the risk very quickly, before the project fails.

Probability and impact are essential for analyzing and prioritizing risks. Determining the probability of risk-taking carries consequences. A scale is used to quantify the risks. The risks are quantified using the same measure and are prioritized accordingly.

Risk ranking enables comparability among projects. This analysis helps the project team and management understand the project’s pending risks. Here, the team can decide whether they should continue or terminate the project if the risk is outside their risk tolerance level or threshold. Costs, schedules, and other planning become more realistic based on risk analysis. Going forward, investigation may be needed for the top-ranking risks to identify factors that may have been considered.
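The qualitative pass and ranking described above can be sketched as a small Risk Register routine. This is an added example, not code from the book; the 1-5 scale, the two thresholds, the "escalate" label, and the sample risks are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed scale and thresholds (assumptions, not values from the chapter).
SCALE = range(1, 6)   # 1 = very low ... 5 = very high, for probability and impact
QUANTIFY_AT = 12      # scores at or above this go on to quantitative analysis
TOLERANCE = 20        # a threat scoring above this is outside risk tolerance

@dataclass
class Risk:
    name: str
    kind: str         # "threat" (negative) or "opportunity" (positive)
    probability: int
    impact: int

    def __post_init__(self):
        if self.kind not in ("threat", "opportunity"):
            raise ValueError(f"unknown kind: {self.kind}")
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: rating outside the 1-5 scale")

    @property
    def score(self) -> int:
        # Same measure for every risk, so rankings are comparable.
        return self.probability * self.impact

def qualitative_pass(register):
    """Rank every risk; none is dropped, low scorers are only ranked lower."""
    ranked = sorted(register, key=lambda r: (-r.score, r.name))
    return [(r.name, r.score, "quantify" if r.score >= QUANTIFY_AT else "document")
            for r in ranked]

def project_decision(register, tolerance=TOLERANCE):
    """Flag threats above tolerance so the team can decide to continue or terminate."""
    over = [r.name for r in register if r.kind == "threat" and r.score > tolerance]
    return ("escalate" if over else "continue"), over

# Constructed sample register.
REGISTER = [
    Risk("Budget underestimated", "threat", 4, 5),
    Risk("Key stakeholder untrained", "threat", 3, 3),
    Risk("Joint bid with partner firm", "opportunity", 3, 4),
    Risk("Misstated financial declaration", "threat", 5, 5),
    Risk("Minor schedule slip", "threat", 2, 2),
]

if __name__ == "__main__":
    for row in qualitative_pass(REGISTER):
        print(row)
    print(project_decision(REGISTER))
```

Every entry stays in the register after the pass; only its rank and whether it is sent on to quantitative analysis change.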

What Is Risk Categorization?

Risk is an important component of tasks or projects undertaken daily. It is important to categorize risks because they are part of daily life. However, risks in corporate settings may come in many forms ranging from financial loss to losing important business transactions to a competitor or loss of reputation. Based on experience, some risks are accidental and unanticipated. Some risks can be anticipated and planned for using standards such as the Project Management Institute guidelines for managing risk. To help identify risk easily, it is necessary to group risks, which can be beneficial in several ways:

  • Making effort to avoid surprising situations.
  • Providing a structured, focused approach to identifying problems.
  • Developing more effective risk mitigation techniques.
  • Applying better strategies for responding to risks.
  • Enhancing organizational communication by including employees.
  • Making a conscious effort to monitor risk using various simplified risk approaches.

One approach is to use common risk frameworks and refine them to suit an organization’s unique environment. A typical example appears in the following.

Risk Response

Let us consider identified risks, put them into categories, and determine possible mitigations.

Common Root Causes of Project Risks

  1. Inappropriate or poor leadership at any level. The project manager, acting as a leader, needs management to help as well to ensure project success. The project manager and management need to collaborate.
  2. Ethical misalignment and incorrect culture. If ethical misalignment and inappropriate culture are entertained in the project environment, disorientation on the project may result and team members may not have the motivation to perform sufficiently well for the project to be successful.
  3. It is quite worthwhile to plan well and use appropriate planning processes. If a project is planned well, the project will have a great chance of being successful. Planning well incorporates functional and nonfunctional requirements including short-term tasks.
  4. It is practical and efficient to document progress on a project. This approach helps ensure that important points are not overlooked. Documenting the project progress will help determine which areas need resources to complete the project in a timely manner.
  5. Based on appropriate planning, the project team can set expectations and manage them progressively. The project team needs to be managed using hard and soft management techniques. If this approach and technique are not used properly, clearly defined consequences will ensue that are bad for the project. Planning leads to prioritized tasks that are appropriately assigned to competent stakeholders.
  6. Stakeholders must be well trained to carry out project work efficiently. The project manager needs to be well trained and capable of carrying out the project successfully. Management responsibilities must be assigned to individuals who have the capabilities to meet requirements. If the manager is poorly trained, the project may fail.
  7. The project budget must be calculated accurately. If the budget is not estimated well it can lead to problems. Improper calculation may cause the cost of an undertaking to be underestimated. Once the project runs out of resources, it is difficult to complete it successfully. This approach requires identifying a lack of resources early in the life of the project.
  8. Communication is one of the most important entities in project management. If communication is not carried out correctly, complications can result. Communications should be done appropriately among management executives, the project manager, and team members. It is important that stakeholders feel free to share their concerns or suggestions.
  9. It is important to ensure competing resources are not stretched in manpower and financing. Good cost estimates avoid problems.
  10. It is important to pay attention to risks that show up on the project. If the warning signs are ignored, project problems may result and add up quickly.

Risk Categories

We list the various risk categories to provide brief knowledge here. We discussed the risk categories in earlier parts of the book.

Identification of Similarities

The system is capable of identifying similar risk issues that can be used to provide solutions, perhaps requiring an artificial neural network to be used. The AI engine being used has neural networks built in. The system’s ability to learn from current data is based on the use of neural networks.

AI and the building blocks of the knowledge base connect.

Figure 3.3 Risk management ISO classification.

Risk Management Standard

The International Organization for Standardization (ISO) 31000:2018 risk management guidelines provide principles, a framework, and a process for managing risk. Any organization can use the risk management guidelines regardless of its size, activity, or sector (see Figure 3.3).

The ISO, based in Geneva, is represented by 163 member countries in the world. It has published over 19,000 international standards that can be viewed at Here are some of the standards:

  • ISO Guide 73:2009, focusing on risk management and vocabulary.
  • ISO 31000-2013 on risk management, which provides guidance for the implementation of ISO 31000.
  • ISO 31004, based on risk management, which provides guidance on the implementation of ISO 31000.
  • ISO 31010:2009 on risk management. Risk assessment techniques provide how to implement ISO 31000 in an organization.
  • ISO 31010:2009 on risk management and assessment techniques, which guides companies on how to select and apply systematic techniques for risk assessment.

ISO 31000 guides the selection and application of techniques to assess risk in a wide range of situations, assisting firms in making decisions where there is uncertainty. The goal is to provide information about risks as part of a process for managing risk. The standard provides summaries of a range of techniques, with references to other documents where the techniques are described in greater detail. The current version of the standard provides more details on the process of planning, implementing, verifying, and validating the use of the techniques.

Figure 3.4 ISO 31000 business value

See Figure 3.4 for risk standards. The figure illustrates strategic management, tactical management, and project management. These three encompass business value in terms of preserve and fail/gain.