A Deep Dive into Probability Distribution in Risk Management

Ever tossed a fair coin? I’d bet you have! At least in your childhood days while deciding which team would bat first in a baseball or a cricket match, or who would serve first in a badminton or tennis game. Every kid agrees to it because it’s unbiased. When you toss a fair coin, the chances of getting a head is 1/2 (0.5) or 50%. This is the division between the favorable outcome, which is a head and all possible outcomes (head and tail).

A coin toss is perhaps is the simplest introduction to probability, which informs chance or likelihood of occurrence of a random variable. The random variable here is getting a head. Let’s note the random variable as X and probability as P(X). Mathematically put:

Probability (Getting head) or P (X)

= Favorable number of outcomes of the event / Total number of possible outcomes

= 1 / 2 = 0.5 = 50%

Now, what’s the chance of getting a head when you toss a pair of coins together? In this case, the total number of possible outcomes is four: tail (first coin) and tail (second coin), tail and head, head and tail, and finally head and head. The values that the random variable can take are many, as shown in the below table:

As you can see, the possible values of X range from 0 to 2 (i.e., 0 head, 1 head, or 2 heads). This leads to the concept of distribution. Looking at the above table, we can see the frequencies of this random variable’s occurrences are 1, 2, and 1. This is distribution or frequency distribution. One could say: distribution is the possible values a random variable can take and how frequently these values occur.

Now, if I add probabilities to this random variable’s values, we get a probability distribution. This is depicted in below:

As shown in the above table:

• We have all favorable outcomes for 0, 1, or 2 heads. These are represented in the first and second columns.
• All possible outcomes are obviously four, and that’s shown in the third column.
• P(X) is shown in the final column, and the probabilities are 25%, 50%, and 25%, respectively for 0, 1, or 2 heads. This is probability distribution. Summed up, it equals one.

Hence, we can say that probability distribution for a random variable describes how probabilities are distributed over the values of the random variable.

Discrete and Continuous Distribution

Distribution can be discrete or continuous. Discrete means you are getting an integer number (1 head or 2 heads). You don’t say that you will get 0.33 head! Considering another example of counting the number of children in households of a locality, you will come-up with results such as 0 child, 1 child, 2 children, etc. You won’t get 0.57 child!

You may be laughing now – what’s 0.33 head or 0.57 child!? Good to see you smiling. Smiling lessens stress and helps in understanding.

All random variables; however, are not discrete. For example, let’s say you are determining the distribution of age, weight, or height of people in a locality. Considering height, it can be anything: 5 feet, 5.5 feet, 5.85 feet, 6.1 feet, and so on. In such a case, the distribution is continuous. So, this distinction is important: at a high-level, there are two types of random variables – discrete and continuous and respective probability distributions – discrete probability distribution and continuous probability distribution.

Now, combining all, i.e., probability, distribution and probability distribution, I've the following consolidated tip.

But, how does all of this fit into Risk Management? Risk Managers don’t toss coins or calculate heads/tails in an experiment. That’s kids’ games and not for grown-up men or women! Perhaps; although, child play teaches the basics neatly.

Probability Distribution and Risk Management

With the above basics, let’s consider another example to understand probability distribution from the perspective of risk management. You are going to a friend’s house. It may take you one hour to reach your destination if you encounter no obstacles. If there is heavy traffic, it’s possible that you may not get there for three hours. With less traffic, it’s more likely to take 2 hours. Hence, you can say there are three possibilities:

• Minimum (or Optimistic) travel duration = 1 hour
• Most likely travel duration = 2 hours
• Maximum (or Pessimistic) travel duration = 3 hours

In this case, the random variable (X) is the “travel duration.” Can you conclusively say which one of the estimates is correct? Unlikely, because other factors such as traffic conditions are involved. Now, if I add chances to these numbers, then we get probability distributions. I’ve prepared the below video to explain in more detail [Duration: 05m:33s]. For better audio-visual experience, you may want to go full HD and plug-in your earphones.

Importance of Probability Distribution *** UPDATED ***

In project risk management, the concept of probability distribution is applied to estimation. Continuing with our previous example, when we estimate, we take the most likely outcome of two hours, which is not correct because we’ve forgotten to consider other possibilities.

We can (and should!) consider possible scenarios, not just the most likely one. In other words, instead of saying an activity in a project is going to take “X” number of days, we also can consider other days using a distribution. For each duration in the distribution, there is a probability available.

This can be done for all the activities or tasks of the project, which in turn impacts the project schedule and cost. This enables us to build a more realistic plan.

Now that we have understood the basics of probability, distribution, and probability distribution, let’s look at the various types used in risk management.

Triangular Distribution *** UPDATED ***

Triangular distribution is the most common type of distribution used.  Named triangular because of the shape of the curve, this refers to there being no pre-existing data, but only expert opinions or judgment.

Symmetrical Triangular Distribution

The below distribution is triangular and symmetrical.

                                 

By looking at the graph above, we can say: There is approximately a 30% chance of the duration being 6 days, a full chance of the duration being 8 days’, and also a 30% chance of the duration being 10 days.”

Asymmetrical Triangular Distribution

Do note that the triangle shown need not be symmetric. Asymmetrical diagrams are shown below:

From here, you can calculate the durations with respective chances or probabilities.

Let’s take another example of a project, once with a task of Product Requirement Documentation (PRD) Preparation with an estimated 5 days duration. This is the most likely estimate, but we do not have the minimum and maximum value.

By using the Primavera Risk Analysis (PRA) software tool, the triangular distribution is depicted as below:

                                

The durations can be 4, 5, or 6 days (shown in the X-axis). The respective chance for minimum, likely, and maximum values are entered when you perform a duration risk analysis. This is demonstrated in a video in the later part of this article.

While building the schedule model, this triangular distribution can be noted as Triangle (4, 5, 6) or Triangle (4; 5; 6).

Uniform Distribution

In rectangular distribution, you can use a maximum value and a minimum value, but not any most likely value. In the below example, we have a uniform (or rectangular) distribution.

Looking at it, we might say: The task has a minimum duration of 4 days, but a maximum duration of 12 days

You can use Uniform Probability Distributions when you specify the extremes of uncertainty of the activity under consideration and when the intermediate values have equal chances of occurring. It is also possible when you cannot draw any inference on the possible distribution shape.

Taking our previous example of the PRD Preparation task, which is estimated to be 5 days, using PRA, we have the following values for Uniform distribution:

Like Triangular distribution, while building the schedule model, this distribution can be noted as Uniform (4, 6).

Beta Distribution *** UPDATED ***

Beta distribution, like triangular distribution has also three possible values – worst case, most likely, and best case. Like the triangular model, it also gives more weightage to the most likely case. We have seen one example of Beta distribution in the earlier video.

Unlike the triangular distribution, the shape for beta distribution is smoother and the tails in Beta distribution taper off less quickly. A sample beta distribution curve is shown below:

Beta distribution can also be symmetric or asymmetric in shape. The notations happen like Beta (6, 8, 10). As you can see above, there can be many values close to the most likely values, and it slowly tapers off towards the minimum or maximum ends.

Using the PRA software tool, for our task, PRD Preparation, a Beta (or BetaPert) distribution will come out as below:

Do note that along with the triangular distribution, beta distribution is another frequently used probability distribution.

Normal Distribution

Normal distribution is defined by the mean of a planned (or remaining duration) activity for an activity and standard deviation (SD) of the activity.

This distribution is used if there is historical information available. Normal distribution also has a bell-shaped curve like Beta, but considers SD to calculate the worst (and best) case scenarios. 

For our example (task of PRD Preparation with a duration estimate of 5 days), we note the normal distribution as Normal (5,1), where 5 is the mean and 1 is the SD.

Discrete Distribution

In a discrete distribution model, the duration of an activity under consideration can have a number of integer values, but without any intermediate values. In other words, the distribution is discrete, rather than continuous like in a triangle, beta, or uniform.

In the above sample, the activity has discrete distribution of values 6, 10, 18, and 20. 

Considering our task of PRD Preparation, the discrete distribution will be seen as below with the PRA tool. The distributions are 2, 3, 4, and, 5 with respective weighting factors of 10, 20, 30 and, 50, respectively. This can be noted as Discrete ({2, 3, 4, 5}, {10, 20, 30, 50}).

Practical Example and Demonstration

With this understanding, let’s take a practical look using MS Project and Primavera Risk Analysis. The video [Duration: 05m:42s] demonstrates a project plan with fixed activity estimates. It’s next imported to the PRA tool and analyzed with various probability distributions for the activities of the project.

Conclusion

Probability distribution is very important when you use quantitative risk analysis, which involves a number of mathematical modeling and sampling. Managers or planners can also deploy advanced probability distributions such as lognormal distributions, cumulative distributions, general distributions, among others. The above video explains a few of these.

We have come a long way and seen a number of examples. I propose just one more exercise. I promise it won’t be difficult, provided you have read the content sincerely. Going back to our first examples of coin tosses, can you answer these:

• What’s the probability distribution of getting a head when you toss three coins?
• What are the values that the random variable can take?

If you are getting four values for the random variable of getting a head and when all your probability distributions are summed-up to equal one, then you have well understood the concept. 

I welcome your thoughts, feedback, and suggestions in the comment section below.

* This article is dedicated to the memory of my father, the late Harendra Nath Dash, who passed away three years ago on June 11, 2019. He first introduced me to the concept of probability and statistics. It was mesmerizing then, and I still remember it. I wish this article to be a tribute to him and his teachings.

--

This article was first published by MPUG.com on 7th June, 2022. The current one is updated.

PMP Live Lessons and RMP Live Lessons:

• PMP Live Lessons - Guaranteed Pass or Your Money Back
• RMP Live Lessons – Guaranteed Pass or Your Money Back

PMP 35 Contact Hours and RMP 30 Contact Hours:

• PMP 35 Contact Hours Online Course - Full Money Back Guarantee
• RMP 30 Contact Hours Online Course - Full Money Back Guarantee

PMP Book and RMP Book:

• Book: I Want To Be A PMP, The Plain and Simple Way, Second Edition
• Book: I Want To Be A RMP, The Plain and Simple Way, Second Edition

Unknowable-unknowns Vs. Unknown-unknowns in Risk Management with Emergent Risks and Novel Risks

Want to master Risk Management? Become a RMP, a specialized PMI certification.

Course at a very low cost: RMP Live Lessons Course - Guaranteed Pass or Money Back  [samples]

The guarantee has no hidden T&Cs—just take the exam!

The free article follows. 

--

As I frequently interact with project and risk management practitioners, the below two questions on unknowable-unknowns and unknown-unknowns come up. They are quite confusing for many. The existing literature doesn’t help as they are written with complicated language and/or complex explanations. The questions are:

• What are the differences between Unknowable-unknowns and Unknown-unknowns? 
• Where does emergent risk actually fit in (in the above context)?

To understand, let’s simplify. 

The Fundamentals

First, let’s understand, what is the difference between unknowable and unknown?

• Unknown: You really don’t know. It’s definitive. 
• Unknowable: You are not likely (or unlikely) to know. It’s probabilistic. 

When we say definitive, it’s certain that you don’t know. For example, it’s possible you don’t know some new technologies, design or frameworks.

When we say probabilistic, a chance factor comes in. There is a chance (usually high) that you don’t know. For example, when disruptive technologies start to pervade, you are unlikely to know the impact. 

Simply put:

• When we say unknown, it means there is a lack of knowledge or untapped knowledge.
• When we say unknowable, it means there is not only lack of knowledge, but also exploration is not probable. In this case, it’s untappable knowledge. 

Now, let’s see what are emergent risks and novel risks? 

Emergent Risks

As per PMI’s Standard for Risks in Portfolios, Programs and Projects, this is the definition of emergent risks:

“A risk that arises which could not have been identified earlier on.”

I agree with this definition, but not the subsequent explanation of PMI on emergent risks in the context of the unknowable, though I’ve adopted them in my books and courses. In this case, one can say these risks could not be identified because they were unknown at that time, but later on, the risks emerged.

When one says “emerge”, a pattern is forming, but not clear. It’ll emerge. 

Novel Risks

I provide this definition for novel risks:

“A risk that arises which was not probable (improbable) to be identified earlier on.”

Here you can say, these risks were improbable to be determined and later it came-up unexpectedly, hence the term “novel” or completely new – not emerging! 

When one says “novel”, there is no pattern formation at all. It is completely new. 

Also, did you notice the distinction in the definitions?

For an emergent risk, we could not have identified earlier, which can be due to many factors such as lack of knowledge, understanding or considering various scenarios. 

For a novel risk, we have a probability factor coming into play. It was improbable to be identified earlier because exploration of such a risk was improbable. 

Unknown-unknowns Vs. Unknowable-unknowns

Now, let’s see the difference between these two:

• Unknown-unknowns: You don’t know that you don’t know. This is pure ignorance. Knowledge wise, it’s untapped knowledge. It’s part of the Complex domain.
• Unknowable-unknowns: You are unlikely to know that you don’t know. This is not pure ignorance. Knowledge wise, it’s untappable knowledge. It’s part of the Chaos domain.

The emergent risks are actually unknown-unknown risks or simply unknown risks, whereas novel risks are actually unknowable-unknown risks or simply unknowable risks. Again, do note that my explanation differs from many, including PMI. The figurative representation is shown below.

I’d also strongly recommend that, you read the followings articles:

Cynefin Framework, Risks and Agile: Known-unknowns, Unknown-unknowns, and Unknowable-unknowns

Risk Classification: Known-knowns, Known-unknowns, Unknown-unknowns, and Unknown-unknowns

Conclusion

Combining all that I've explained:

• Known-known is conscious knowledge or facts. You know that you know.
• Known-unknown is conscious ignorance. You know that you don't know.
• Unknown-unknown means unconscious ignorance. You don't know that you don't know.
• Unknowable-unknown means unexplorable and unconscious ignorance. You are unlikely know that you don't know.

Another question that comes-up is this: How about Black Swans? Is it related to unknowable-unknowns or unknown-unknowns? To a certain extent, black swans are unknowable-unknowns. Because these result in chaos. More specifically, black swans are distinguisged with their very low probabilities, but catastrphic impact. In other words, black-swans comes with a chance factor (very low), but with tremendous effect (very very high).

If you have understood so far in this article, then you have understood the difference between unknowable-unknowns, unknown-unknowns and the associated risks such as emergent risks and novel risks. 

References: 

[1] RMP Live Lessons - Guaranteed Pass or Your Money Back, by Satya Narayan Dash

[2] RMP 30 Contact Hours, with Full Money Back Guarantee, by Satya Narayan Dash

[3] Book - I Want To Be A RMP: The Plain and Simple Way To Be A RMP, Second Edition, by Satya Narayan Dash 

[4] The Standard for Risk Management in Portfolios, Programs and Projects, by Project Management Institute

Cynefin Framework, Risks and Agile: Known-Knowns, Known-Unknowns, Unknown-Unknowns and Unknowable-Unknowns

Want to master Risk Management? Become a RMP, a specialized PMI certification.

Course at a very low cost: RMP Live Lessons Course - Guaranteed Pass or Money Back  [samples]

The guarantee has no hidden T&Cs—just take the exam!

The free article follows. 

--

The Cynefin framework is important to know for both aspiring Risk Management Professionals (RMP) and aspiring Project Management Professionals (PMP).

First, it’s a complexity model and it helps making decisions in a complex environment. The Project Management Institute (PMI) defines complexity as noted below:

"Complexity is a characteristic of a program or project or its environment that is difficult to manage due to human behavior, system behavior, and ambiguity."

Simply put, a complex thing is difficult to manage. The sources of complexity can be human behavior, system behavior, ambiguity, uncertainty, among others. All of these sources and complexity itself can result in risks.

Before proceeding further, I’d suggest that you read the article related to risk classification to understand fundamentals of knowns and unknowns. 

Cynefin Framework and Five Contexts

The Cynefin Framework has five problem and decision-making contexts (or domains). This framework helps in detecting the cause and effect relationship, which in turn helps in decision-making. 

Now, let’s understand the five domains in this framework. The framework’s five contexts are shown in the below figure. Later, we will learn how to apply it in Risk Management.  

Obvious (Simple): 

• The cause and effect relationship is obvious. You know the questions and know the answers. Hence, little to no expertise is needed. 
• The approach used here is sense-categorize-respond. You sense the environment/context, categorize them and based on that you respond. 
• Best practices are applied to make decisions.

Complicated: 

• The cause and effect relationship is not obvious. You know the questions, but don’t know the answers and hence, seek expert knowledge to analyze and get a range of answers. 
• The approach used here is sense-analyze-respond. Unlike Obvious context, you use expert judgment to analyze after sensing. 
• Good practices are applied to make decisions.

Complex: 

• There is no apparent (visible/demonstrable) cause and effect relationship. You don’t know the questions and don’t know the answers! In such a case, no amount of analysis will help. You have to first probe or experiment.
• One uses repeated cycles of probe-sense-respond as complex systems or environments change due to external stimulus. 
• Emergent practices (practices which are not completely known, but emerging or taking shape) are applied to make decisions.

Chaotic: 

• The cause and effect relationship is unclear. There is too much confusion. There is no point in searching for questions and answers, because the cause and effect relationship is impossible to determine and constantly shifting. The situation is too drastic or chaotic. 
• Your immediate and first step is to act or contain and then stabilize the situation. Hence, the approach used here is act-sense-respond. As you can see, you are first acting here, not sensing or probing. You are acting to stabilize. 
• Novel practices (completely new practice, never known to exist before) can be applied to make decisions.

Disorder: 

• This is the space in the middle as shown in the figure. In this case, you don’t even know where you are, hence disorder (not unordered).
• To understand, you have to break the environment/system into smaller parts and move into one of the other four zones or have contextual links with one of the other four zones of Obvious, Complicated, Complex and Chaos.

Cynefin Framework and Risk Management

Now, let’s see how this framework can be used in the context of Risk Management. 

Obvious (Simple) [Known-Knowns]: 

• In risk management parlance, this is the realm of known-knowns. You know the risk (known), and also the know the amount of work (known) needed. 
• In other words, these are actually not “risks”, but documented requirements and addressed as part of the scope management. 
• As noted before, best practices are applied here. Best practices by its very nature come from past practices.

Complicated [Known-Unknowns]: 

• In risk management parlance, this is the realm of known-unknowns. You know the risk (known), but don’t know the rework (unknown).
• These are classic risks or the “known risks” - the known risks with unknown or unforeseen work.
• You predominantly apply good practices of risk management in this context. Usually good practices are either known to you or known to someone within the community. 
•  The practices can be iterative processes for risk management, having contingency reserve, having contingency plans etc.

Complex [Unknown-Unknowns]: 

• In risk management parlance, this is the realm of unknown-unknowns. You don’t know the risk (unknown), and don’t know the rework (unknown).
• In other words, these are “unknown risks” - the unknown risks with unknown or unforeseen work. 
• As noted earlier, you apply emergent practices. Emergent practices are neither known to you or others because it's emerging based on the context. 

Chaotic [Unknowable-Unknowns or Unknowables]: 

• In risk management parlance, this is the realm of unknowable-unknowns or simply the unknowables. You don’t know the risk and exploration is also not possible (unknowable). And of course, you don’t know the rework (unknown).
• As noted earlier, you apply novel practices here. Novel practices are completely unseen and no one actually knows till the situation occurs and actions are taken.

Slightly modifying our previous figure, one can have the below figure. 

Cynefin Framework and Agile

Agile concepts and approaches are now part of both RMP and PMP exams. The Cynefin framework can also be used in Adaptive (or Agile) environments. 

• Obvious (or Simple) context: Go for a predictive or waterfall development approach.
• Complicated context: One can go either for an iterative or incremental development approach.
• Complex context: Here, one can use both iterative and incremental development. Agile is both iterative and incremental.
• Chaos Context: Agile development approach can’t be used here. You have to first sense some stability and respond by taking steps to get into the Complex zone. 

References: 

[1] RMP Live Lessons - Guaranteed Pass or Your Money Back, by Satya Narayan Dash

[2] RMP 30 Contact Hours, with Full Money Back Guarantee, by Satya Narayan Dash

[3] Book - I Want To Be A RMP: The Plain and Simple Way To Be A RMP, by Satya Narayan Dash 

[4] A Leader’s Framework for Decision Making, by David J. Snowden and Mary E. Boone

[5] A Guide to Project Management Body of Knowledge, 7th edition, by Project Management Institute (PMI)

Using Probabilistic Linking in Risk Management

Probabilistic branching and probabilistic linking are two completely different concepts in risk management. Many risk management practitioners confuse these two and use them interchangeably. This is not correct. To understand probabilistic linking, first you need to understand probabilistic branching. You can refer to this detailed article to understand probabilistic branching.

I hope you have gone through the linked article. Probabilistic branching informs the probability of an activity existing or not. On the other hand, probabilistic linking allow you to model the probability of a link between two tasks existing or not existing. 

In this article, we will use a simple example and will follow some steps to understand how probabilistic linking can be there in a schedule. The content of this article is taken from my new course and book on Risk Management Professional (RMP) exam: 

RMP Live Lessons, Guaranteed Pass or Your Money Back

Now, let’s see the steps to perform a probabilistic linking and analysis.

Step – 1: Create the tasks and Link the tasks

Let’s create two tasks: 

• Task A. It’s of 3 days duration.
• Task B. It’s of 6 days duration.

I’m going to use the Primavera Risk Analysis (PRA) to build this simple plan. Next, we are going to select both these tasks and right click, which will give us the option to link. We are going to use the finish-to-start (FS) link. This is depicted below. 

The linked tasks will come as shown below. 

Step – 2: Add probability values to the links

Next, we are going to select Task B and go to the Risk and Uncertainty tab under the Task Details pane. Under this tab, we will select the “Probabilistic Links” sub-tab. As shown below, for Task B, the link is with respect to Task A. It’s mentioned as the preceding link. 

Here, we will add linking probability with Task A as 75%. In other words, the probability or chance of Task A being linked with Task B is 75%. Obviously, we will have 25% left to allocate. This is shown below.

Do note that there is another tab called Probabilistic Branch tab, just left of the Probabilistic Links tab. As noted in the beginning of the article, these two are completely different concepts.

Step – 3: Add another probabilistic link

Next, we are going to add another task of Task C. For Task C, we have the following operations:

• Task C is of 5 days duration. 
• Task C is linked to Task B and it’ll be the predecessor to Task B. The dependency will be again finish-to-start (FS). 
• In other words, Task B has two predecessors now: Task A and Task C.

This is represented in the below figure.

Next, select Task B (not Task C) and click on the Probabilistic Links tab. Here, give the probability or chance of link between Task B and Task C as 25%. The linked values given are shown below.

As shown above:

• Task B now has two preceding links: Task A and Task C.
• Task A’s linking chance is 75%, whereas Task B’s linking chance is 25%.
• Together it equals 100% or as noted in the above figure, total % left to allocate for probabilistic linking is now 0%.

Step – 4: Run a risk analysis

Next, we are going to run a risk analysis with the PRA tool. This can be done by simply using the command Run Risk Analysis from Risk menu list in the toolbar.

As you step through the analysis you will see the links disappearing and the effect on the plan. The below figure shows Iteration 1 out of 1000 and with it the link between Task B and Task C is not considered. 

As shown above, while Task B is actually connected to both Task A and Task C, in Iteration 1, only the link between Task A and Task B are considered! 

As you proceed with the Risk Analysis step after step, the links will keep on changing, i.e., one link will disappear and another one will appear. 

The above figure shows for Iteration 3, the link between Task B and Task C is considered, whereas the link between Task A and Task B has been removed. 

Step – 5: Complete the risk analysis

As your plan moves through multiple iterations, the probabilistic linking and its value will keep on changing for the tasks in the schedule. If you have applied probabilistic distribution for the activities or tasks in your project, then you run a complete Monte Carlo or Latin Hypercube simulation. You can learn a brief on probability distribution for tasks in this article. 

I’ve intended to keep the example very simple to make you understand the difference between Probabilistic Branching and Probabilistic Linking with a real-world software tool. 

Conclusion

In probabilistic linking, the preceding links for a concerned task can have a probability of 100%. When two or more preceding links are there for a task with less than 100% probability, then all of those probabilities must add up to 100%.

If you are preparing for your Risk Management Professional (RMP) exam, you need to understand all these:

• Probability Distribution
• Probabilistic Branching
• Probabilistic Linking

Predominantly, your questions will be on probability distributions. However, you can expect a few questions on probabilistic branching and linking as well.

References:

[1] New Course: RMP Live Lessons, Guaranteed Pass, by Satya Narayan Dash

[2] New Course: RMP 30 Contact Hours Online, by Satya Narayan Dash

[3] Book: I Want To Be A RMP, The Plain and Simple Way, Second Edition, by Satya Narayan Dash

Risk Management: Possible Types of Risks

I receive many questions on Risk Management - particularly from the customers of my new risk management courses and readers of risk management book. Many times, there is a lack of clarity on possible type of risks.

Hence, I decided to write the possible types of risks that came to my mind and referenced my new course: RMP Live Lessons, Guaranteed Pass.

Note: This was posted earlier with a few risks. A new set of risks have been added to the list recently with the availability of new Risk Management Professional (RMP) courses. 

This list, by no means is exhaustive. There can be other types. Do note that these are types of risks, not categories or classifications of risks.


1# Individual project risk: An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more objectives.

2 # Overall project risk: A risk that has an effect of uncertainty on the project as a whole.

3 # Positive risk (Opportunity): A risk that would have positive effect on one or more objectives.

4 # Negative risk (Threat): A risk that would have negative effect on one or more objectives.

5 # Known risk (Identified risk): A risk that is identified.

6 # Unknown risk (Unindentified risk): A risk that is not identified.

7 # Secondary risk: A risk that occurs because you took a risk response on a (primary) risk.

8 # Emergent risk: An arising risk that could not have been identified earlier.

9 # Residual risk: A risk that remains after you have taken a risk response.

10 # Outdated risk: A risk that didn't occur - either based on event or condition.

11 # Correlated risk: A risk that is correlated to one or more other risks.

12 # Connected risk: A risk that is connected to one or more other risks.

13 # Undifferentiated risk: A risk that has not been qualified.

14 # Differentiated risk (Qualified risk): A risk that has been qualified.

15 # Quantified risk: A risk that has been quantified, usually in terms of time and/or money.

16 # Aggregated risks: Risks that are aggregated with one or more other risks and pose a bigger threat or opportunity.

17 # Event based risk: A risk that occurs based on an event.

18 # Non-event risk: A risk that occurs, but not based on an event, e.g., variability risks, ambiguity risks. We have seen these in an earlier post:
Risk Classification: Known-Knowns, Known-Unknowns, Unknown-knowns and Unknown-unknowns

19 # Prioritized risk (High-priority risk): A risk that has been prioritized based on the risk score, which crosses the risk threshold. 

20 # Low-priority risk: A risk that has been prioritized based on the risk score, which is below the risk threshold. This risk will be on a watch-list.

21 # Enterprise risk: A risk of an entire enterprise or organization. It’s also known as Business risk..

If you know any other types, I welcome your comments. They will be added to this list.

References

[1] New Course - RMP Live Lessons, Guaranteed Pass, by Satya Narayan Dash

[2] New Course - RMP 30 Contact Hours Online, by Satya Narayan Dash

Probabilistic Branching and Analysis in Risk Management

Imagine this scenario. You are going to a friend’s house for an important event. It is scheduled with a hard start, meaning you can’t have delays, but as you start traveling, you notice that your vehicle is running low on gasoline. A few options come to mind:

• Continue driving because you think your available gasoline will suffice.
• Fill-up your gasoline tank at a nearby gas station and then continue to travel.
• Use a small gasoline container you have with you to fill-up your tank and then continue to travel.

Which option would you choose? What impact will your choice have for the duration of your trip? Can you reach your friend’s house on time?

These questions lead to a concept called probabilistic branching and analysis, which is used in quantitative risk analysis and management. Probabilistic branching is one of the ways to represent individual project risks. In every probabilistic branch, you model individual project risks and determine the overall project risk.

In this article, we’ll start with the fundamental concepts used in probabilistic branching. I’ll illustrate them with an example, show how to build a project plan with MS Project, help you create the needed probabilistic branching, and provide analysis and interpretations. In conclusion, we will see the significance of this concept.

Uncertainty in Schedule Network Diagram

If you consider the options you had running low on gasoline while driving to your friend’s house, a simple network diagram can be built:

• Start (milestone) – Starting from your home
• Activity 1 – Starting to travel in your vehicle
• Activity 2 (an option or branch) – Fill-up the tank at a nearby gas station
• Activity 3 (another option or branch) – Use the small gas container available
• Activity 4 – Continue travelling
• End (milestone) – Reach your friend’s house

This seems pretty straightforward, but can you be sure of which option or branch you should take considering your desire to arrive at your friend’s house on-time? It may not be as straightforward as you think due to these activities being uncertain (may or may not happen). Uncertainties mean risks, and these risks can ultimately impact your objective (reaching your friend’s home on-time for the event). Hence, you can give probability or chance of occurrence to these risks on each of the branches.

When you assign probability values to each branch, you get a risk-adjusted schedule network diagram. We can modify our previous network diagram and represent as shown:

For “Activity 2” and “Activity 3,” I’ve assigned 30% and 40% chances, respectively, as existence values.

As you assign probability values to individual branches in response to the risks, the branches in the network diagram are known as probabilistic branches. You can have single or multiple probabilistic branches, though the latter is more frequently used.

Statistically Independent

Consider closely our first example:

Can you take two options or go for two branches simultaneously? In other words, would you fill-up the tank at a nearby gas station and use the small gas container available?

Obviously, you would not, as it doesn’t add any value for you. In fact, these are two independent outcomes–more specifically these outcomes are statistically independent. When you build a schedule network diagram (as shown in previous figure) with probabilistic branches, you model the risk of different outcomes occurring in a project in each branch.

Therefore, you could say probabilistic branching is best used when the risks occurring are statistically independent, meaning that one risk occurring in one branch is statistically independent of another risk occurring in another branch. This is also applicable when the events are mutually exclusive.

With this background and fundamentals explained, let’s look now at a real-time, project management example and get a bit deeper into probabilistic branching and analysis.

An Example

Let’s say that you and your team are excavating in an area to have a new garden prepared for a town’s residents. Your team will remove the soil, dig normally, then fill the hole, and finally plant grass to complete the work.

The tasks in this project will occur as shown in the below table. I’ve added duration details for each task or activity. Note that this example is taken from Primavera tutorial and modified with respect to MS Project usage and respective representations in this article.

What good can a project plan be, if we don’t know the total duration and end date? In such a case, scheduling software comes to our aid. Using Microsoft Project software, the plan looks as shown below.

The project is starting on January 4, 2021 and finishing on April 23, 2021. The duration is calculated to be 80 days.

So far, so good. There is no difficulty at all in creating a plan for this simple project.

But, as with many projects we manage, we have a twist!

Decide on the Branches

Let’s say that you get in touch with local experts and are informed of a possibility of archaeological remains in the area. Obviously, you just can’t go on and just start digging in this scenario. You may think of three possible scenarios or outcomes.

1. Archaeological remains need expert removal.
2. Archaeological remains can be discarded.
3. No actual archaeological remains are found.

These scenarios can be modelled using probabilistic branching with three branches for three possible types of outcomes. All these outcomes, as you can see, are statistically independent.

Now, because these are probabilistic branches, there will be risks associated with each branch. At this point, we can confidently say the following:

• Risk 1 (on Branch 1):
• Archaeological remains are found that need expert removal.
• Chance of occurrence (probability value) = 5%
• Risk 2 (on Branch 2)
• Archaeological remains are found, but can be discarded.
• Chance of occurring = 25%
• Risk 3 (on branch 3)
• No archaeological remains are found.
• Chance of occurring = 70%

As you see above, a probability value is assigned to each outcome or branch. You can decide on the probability values to be assigned subjectively and/or with expert opinion.

Add New Tasks to the Plan

Before we perform a risk analysis, we need to include all three of the above branches into the existing plan. In our plan, we have three new tasks representing the three outcomes or branches. The new tasks, along with existing tasks in the plan are:

• Task – 1: Remove topsoil
• Task – new: Remains found that need expert removal
• Task – new: Expert removal
• Task – new: Remains found but can be discarded
• Task – 2: Dig normally
• Task – 3: Fill hole
• Task – 4: Plant grass

Did you notice the branching that occurred after the “Remove topsoil” task? After this task, we now have three possibilities or three branches: “Remains found that need expert removal,” “Expert removal,” and “Remains found but can be discarded.”

Next, let’s add these tasks to our MS Project plan with the following durations:

Remains found that need expert removal = 2 weeks

• Expert removal = 4 weeks
• Remains found that can be discarded = 2 weeks
• After this step, we see the following modified plan within MS Project.

As shown in the above figure, with the addition of the new tasks, there is no change in the project duration, the critical path, or the finish date. However, we are not done with our plan yet.

Link the Tasks to the Existing Tasks

We have to link the newly inserted tasks and include the probabilistic branching for each of these tasks. I’ll be linking the tasks as follows:

• Link the finish of “Remove topsoil” task to the start of “Remains found that need expert removal” task.
• Link the finish of “Remains found that need expert removal” task to the start of “Expert removal” task.
• Link the finish of “Expert removal” task to the start of “Fill hole” task.
• Link the finish of “Remove topsoil” task to the start of “Remains found but can be discarded” task.
• Link the finish of “Remains found that can be discarded” task to the start of ‘Fill Hole” task.

Logically, the above sequence makes sense. For example, if you remove the soil and require expert removal, then these tasks should be linked with FS dependency. Next, the task “Expert removal” will be linked to the task “Remains found that need expert removal” and so on.

After linking the tasks, the project plan as created with MS Project will result as shown below.

From the task “Remove topsoil,” we have three branches, [v.i.z]:

• “Remains found that need expert removal”
• “Remains found that can be discarded”
• “Dig normally”

The branching from the “Remove topsoil” task has been highlighted in green in the above figure.

In the above modified plan, the project continues to start on the same date of January 4, 2021, but finishes on May 7, 2021 (it was April 23, 2021). The duration of our project has been recalculated as 90 days (from 80 days) and the critical path for the project has also changed.

Assign Probability to the Branches

Next, we will import this Microsoft project plan (.mpp) file into Primavera Risk Analysis software and assign the probability for each of these branches. We will use the following probability values, which we had decided upon earlier.

• Remains are found that need expert removal – 5%
• Remains found but can be discarded – 25%
• Dig normally – 70%

The .mpp file will be seamlessly imported and will be depicted as follows:

This plan is an exact replica of the MS Project plan that we had created before with branching happening from the “Remove topsoil” task (highlighted in green). In each branch, probability values have been assigned, highlighted in the pink color in the graphical side of the Gantt chart and noted to the left of the bars.  The critical and non-critical tasks are also the same, highlighted in red and blue colors, respectively.

Run a Risk Analysis

Next, we have to simply run an analysis on the risk adjusted schedule model, and we will iterate the plan a number of times for simulation. The resultant histogram will show as below, post the simulation (known as the Monte Carlo simulation). I’ve formatted the histogram with color coding, highlighted arrow marks, and other data representation.

Let’s interpret the above graph as follows:

• In our initial plan, the project was supposed to be completed by April 23, 2021. In the new plan, after adding the probabilistic branches, the end date moved to May 07, 2021.
• The chance of completing the project by May 07, 2021 is 97%, which is mentioned in the “Highlighters” section in the table to the right. The corresponding line projections are highlighted in yellow arrow marks on the graph.
• The project has a 50% chance of completing by April 21, 2021, and an 80% chance by April 28, 2021. These are highlighted in black (or bold) arrow marks on the graph.
• A 100% chance of completion is possible by May 19, 2021, which is nearly two weeks beyond our planned finish date with probabilistic branches.

Conclusion

Let’s go back to our first example of travel to a friend’s house. It’s not a complex one, and it’s possible that you will be able to calculate the end result in your mind with probabilistic branches.

However, in the real-world, projects or programs are expected to be complex, and you will be needing management and simulation software tools to determine the impact of probabilistic branching to your finish time. To use these software tools, you need to have clarity on probability branching, understanding how to create branches and link with the existing tasks in the plan for analysis.

If you are aspiring to be a Risk Management Professional (RMP), you can expect questions pertaining to these concepts on the exam. On the other hand, if you are an aspiring Project Management Professional (PMP), you need to have a basic understanding on probabilistic branching and how it’s used as a tool, as well as the technique named “Representation of Uncertainty” in quantitative risk analysis.

It is my hope that, within this article, you received a sound understanding on when and why to use probabilistic branching, as well as how run an analysis with an example and hands-on software tools.

--

This article was first published by MPUG.com on 30th November, 2020. This is an updated version with the latest Primavera Risk Analysis software with latest Risk Management practices.

References

[1] Book: I Want To Be A RMP, The Plain and Simple Way, Second Edition, by Satya Narayan Dash

[2] Online Course: Practical RMP with Primavera Risk Analysis, Second Edition, by Satya Narayan Dash

[3] Online Course: RMP Live Lessons, Guaranteed Pass or Your Money Back, by Satya Narayan Dash

[4] Online Course: MS Project Live Lessons, by Satya Narayan Dash