The Technical Manager’s Survival Guides

Concepts and Practices
By
Marcus Goncalves and Raj Heda

Goncalves and Heda

Risk Management for Project Managers

Risk Management for
Project Managers
Concepts and Practices

“Good read. This book is a template for managing complex businesses and
contains information that every Asset Manager should know. Highly recommended.”
—James Willey, P.E., Vice President, Pearl Energy Philippines Operating, Inc.

“Marcus’s new guide to risk management provides pragmatic advice that
project managers can use to help them frame risks, use that knowledge to
retain control of their projects and get their project completed with a minimum
number of unpleasant surprises. An excellent book that all project managers
should keep on their book shelf.”
—Rick Welch, Senior Vice President of Services, Demandware Corporation,
Burlington, MA, USA

Two Park Avenue
New York, NY 10016, USA
www.asme.org

Job Name:280684

Color:
Black

Risk Management
         
for Project Managers

“Uncertainty, or risk, is an essential part of life so that thoughtful action can
influence the success or failure of endeavours. This is nowhere more apparent than in projects, where poor risk management often leads to failure.
Goncalves and Heda’s new book makes a valuable contribution to the project
risk management literature, highlighting the need to systematically and practically manage risks, and gives valuable best-practice advice on how this can
be done effectively and efficiently. It is a concise, easy read for non-technical
managers who will find it full of practical information.”
—Richard Whitfield PhD, President, East-West Institute for Advanced Studies, Macau, China

By

Marcus Goncalves
Raj Heda

The Technical Manager’s Survival Guides
Date:13-11-21
PANTONE 300 U

PDF Page:280684pbc.p1.pdf


Risk Management for Project
Managers
Concepts and Practices


By Marcus Goncalves and Raj Heda

The Technical Manager’s Survival Guides


© 2014, ASME, 2 Park Avenue, New York, NY 10016, USA (www.asme.org)
All rights reserved. Printed in the United States of America. Except as permitted under
the United States Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or
retrieval system, without the prior written permission of the publisher.
Information contained in this work has been obtained by the American
Society of Mechanical Engineers from sources believed to be reliable.
However, neither ASME nor its authors or editors guarantee the
accuracy or completeness of any information published in this work.
Neither ASME nor its authors and editors shall be responsible for any
errors, omissions, or damages arising out of the use of this information.
The work is published with the understanding that ASME and its authors
and editors are supplying information but are not attempting to render
engineering or other professional services. If such engineering or
professional services are required, the assistance of an appropriate
professional should be sought.
ASME shall not be responsible for statements or opinions advanced in papers or . . .
printed in its publications (B7.1.3). Statement from the Bylaws.
For authorization to photocopy material for internal or personal use under those
circumstances not falling within the fair use provisions of the Copyright Act, contact
the Copyright Clearance Center (CCC), 222 Rosewood Drive, Danvers, MA 01923,
tel: 978-750-8400, www.copyright.com.
Requests for special permission or bulk reproduction should be addressed to the ASME
­Publishing ­Department, or submitted online at: />ASME Press books are available at special quantity discounts to use as premiums or for use in

corporate training programs. For more information, contact Special Sales at

Library of Congress Cataloging-in-Publication Data
Goncalves, Marcus.
 Risk management for project managers : concepts and practices / by Marcus Goncalves and Raj Heda.
 pages cm -- (The technical manager's survival guides)
Includes bibliographical references.
ISBN 978-0-7918-6023-6
 1. Risk management. 2. Project management. I. Heda, Raj. II. Title.
HD61.G646 2013
658.15'5--dc23
2013041478


Acknowledgement
I would like to thank, yet again, Mary Grace Stefanchik, the editor at the American Society of Mechanical Engineers (ASME), not only for
publishing yet another one of my work for ASME’s collection, but especially for her continuous patience during the production phase of this book.
Many thanks, again, to my co-author and friend Raj Heda, for finding time
in his schedule to land his expertise on risk management, and write this
book with me.
Raj Heda: I wish to record my debt to some of the people who have
made an indelible mark in my life.
A special note of thanks to my dear professor and now friend and
colleague, Marcus Goncalves, for his generous helpfulness, trust, support
and above all, for offering me again the opportunity to co-author this book.
To my mother for being ever loving and encouraging. To my
brother Ravi for all the love and the fun days we spent. To my aunt, Meenu
for always lending me a patient ear and giving me genuine advice in all
my endeavors. To my friend and colleague in business, Dorothy, for her
sincere lookout for my well-being and for her beautiful heart. To my dear

friends Anand, Shrikant, Prajay, Prashant and Amit for always being there
for me in good times and bad. To my good friend, Matt, for help with
graphics in the book.
Many thanks to Marcus and the team at ASME for involving me in
this project. I am indebted to my beautiful daughters, Radhika and Vrinda,
for showering all their love on me and for always bringing a smile to my
face; they make everything worth the effort. I am grateful to my loving
wife for always having the confidence in me - even beyond what I have in
myself. Finally, I can never forget the contributions of my mother in getting
me to where I am in my life today. Love you Mom!



Dedication
To my wife Carla, sons Samir and Josh (in memory), and my princess Andrea (also in memory), the true joy of my life. To God be the glory!
Marcus Goncalves, Summer 2013

To my wife, Anu, for being such a caring and loving life partner,
for her synergistic help in all my activities and for her invaluable editing
of this book. To my beautiful princesses Radhika and Vrinda, who are my
true loves and who make it all worth the while!
In loving and thankful memory of my dearest father, Shiv Heda,
the angel always beside me.
Raj Heda, Summer 2013



Table of Contents
Acknowledgement..............................................................................................iii
Dedication.............................................................................................................v

Chapter 1............................................................................................................... 1
Understanding Risk: Opportunities or Threat?............................................ 1
Overview........................................................................................................... 1
What is Risk?.................................................................................................... 3
Chapter 2............................................................................................................... 7
Risk Management Theory and Practice.......................................................... 7
Overview........................................................................................................... 7
What is Risk Management?............................................................................ 8
Appetite for Risk.......................................................................................... 9
Categories of Risk...................................................................................... 11
Outcome of Risk Assessment............................................................... 11
Chapter 3............................................................................................................. 13
Developing a Risk Assessment and Mitigation Strategy......................... 13
Overview......................................................................................................... 13
Chapter 4............................................................................................................. 19
The Risk Management Process...................................................................... 19
Overview......................................................................................................... 19
Risk Identification.......................................................................................... 21
Qualitative and Quantitative Risk Analysis........................................... 22
Risk Response Planning............................................................................ 23
Risk Monitoring and Control................................................................... 23
Chapter 5............................................................................................................. 25
Risk Analysis Tools and Methodologies...................................................... 25
Overview......................................................................................................... 25
Qualitative Risk Analysis: Tools and Techniques...................................... 25
Risk Probability and Impact Assessment............................................... 26
Probability and Impact Matrix................................................................. 26
Risk Data Quality Assessment..................................................................... 27
Risk Categorization.................................................................................... 28
Risk Urgency Assessment......................................................................... 28

Quantitative Risk Analysis: Tools and Techniques................................... 28
Data Gathering and Representation Techniques................................... 29
Probability Distributions........................................................................... 30

vii


Monte Carlo Simulation............................................................................ 31
Sensitivity Analysis.................................................................................... 32
Decision Tree Analysis.............................................................................. 33
Chapter 6............................................................................................................. 35
Identifying Risk................................................................................................ 35
Overview......................................................................................................... 35
Identifying Risks............................................................................................ 38
Risk Identification Process............................................................................ 41
Best Practices for Risk Identification........................................................... 45
Chapter 7............................................................................................................. 49
Assessing and Mitigating Risk...................................................................... 49
Overview......................................................................................................... 49
Four Steps to Risk Assessment..................................................................... 51
Prioritizing Risk......................................................................................... 53
Measuring Risk Impact............................................................................. 54
Measuring Likelihood............................................................................... 58
Risk Mitigation Strategies............................................................................. 59
Risk Assessment Best Practices.................................................................... 60
Chapter 8............................................................................................................. 63
Developing Risk Response Strategies.......................................................... 63
Overview......................................................................................................... 63
Developing a Risk Response Strategy......................................................... 64
Responding to Risk Events....................................................................... 67

Identifying Risk Response Alternatives.............................................. 68
Selecting Response Alternatives.......................................................... 69
Assigning Risk Ownership................................................................... 70
Preparing Risk Response Plans............................................................ 70
Chapter 9............................................................................................................. 73
Implementing Risk Response Controls........................................................ 73
Overview......................................................................................................... 73
Response Controls and the Risk Registrar................................................. 74
Inputs to Risk Monitoring and Controls................................................ 76
Techniques to Risk Monitoring and Response Control.................... 76
Outputs to Risk Monitoring and Response Controls........................... 77
Handling Change Requests...................................................................... 78
Chapter 10........................................................................................................... 83
Incident Management and BC/DR Planning............................................... 83
Overview......................................................................................................... 83
viii


Distinguishing Business Continuity from Disaster Recovery
Planning........................................................................................................... 86
What is in the Plans................................................................................... 88
Developing a Business Impact Analysis..................................................... 91
Incident Management Process..................................................................... 92
Glossary of Terms............................................................................................. 95
About the Authors............................................................................................ 99

ix




Chapter 1
Understanding Risk:
Opportunities or
Threat?

Overview
The goal of risk assessment and mitigation management is to measure and assess risk events, with the ultimate goal of managing those risks.
In practical terms, risk management is the process of minimizing, or mitigating, risk events, starting with the identification and evaluation of such
events and extending on to the optimization of the resources used to monitor and minimize it.
It is important that project managers have a total understanding of
risk management, by familiarizing themselves with the principles of the risk
management process. Under the Project Management Institute’s (PMI) Project
Management Body of Knowledge (PMBOK), risk management falls into the
arena of Project Planning. But over time, specific standards and methods have
1


been developed with respect to risk management best practices. Such methods
of analysis have assisted those of us practicing risk management in establishing standard ways of identifying, assessing, and responding and managing
risk events. These methods have also helped us practitioners to manage risks
by avoiding, transferring, or reducing the impact of such risks, or by various
other alternative solutions that will be discussed throughout this book.
In 2002, the U.S. National Institute of Standards and Technology
(NIST) published a set of risk management best practices. According to the
guide, risk management consists of risk assessments, risk mitigation, and
ongoing risk evaluations and assessments. For instance, the risk assessment stage is where project managers identify and evaluate each risk, the
impact these risks have on the organization, and any risk-reducing recommendations. The risk mitigation stage involves prioritizing, implementing,
and maintaining appropriate risk-reduction measures that are recommended in the risk assessment process, while the ongoing risk evaluation
and assessment stage asks that the organization continuously evaluate
their risk management activities in reducing risks.

Generally speaking, any risk event is a result of uncertainty in a project, or process, including but not limited to uncertainties in the market place
such as variations on demand, supply and the stock market, project failures,
accidents, and natural disasters, to name a few. As we will discuss later in this

IMPACT

ACTIONS

SIGNIFICANT

Considerable Management
Required

Must Manage
and Monitor
Risks

Extensive Management essential

MODERATE

Risk are bearable to
certain extent

management
­effort worthwhile

Management effort
required


MINOR

Accept Risks

Accept but
monitor
Risks

Manage and
­Monitor
Risks

MEDIUM

HIGH

LOW

LIKELIHOOD
Table 1.1 - A sample template of a risk event analysis matrix

2


book, when dealing with risk analysis, a risk prioritization process should
be followed whereas risks that pose the threat of great loss and have great
­probability of occurrence are dealt with first. Table 1.1 provides an example
to this process, which can be useful in strategizing various risk scenarios.
As observed in Table 1.1, the two main variables to be analyzed in any
risk assessment and mitigation process, which should govern the ­response

actions required, are the probability of occurrence and the impact of the risk. For
instance, let’s assume a risk event condition where the impact on the project
is minor and the probability of it actually occurring is low. In such scenario the
best course of action, risk mitigation, may be to accept the risk without any
interventions. Conversely, however, a condition where the likelihood of a
risk event occurring is high and the impact is significantly high as well, there
might be a need for extensive risk management. The study of risk assessment and mitigation methods helps us understand how a certain priority
can be established in dealing with the risk. Therefore, it is key to this process
that we first understand what risks are, and what they are not.

What is Risk?
Risk, or better yet risk events, can be found in almost anything that
we set out to do or accomplish in life, be it in business or our own personal
lives. Think of a risk event as situation that can potentially have a negative
impact on something, or a process, that is important, or of value to you.
Risk events can be caused by an endless variety of factors. Since we cannot
anticipate all risk events and mitigate every single one of them, it is important for us to devise methods to understand and analyze the severity of a
risk, so we can decide how to effectively respond to it, from deciding to do
nothing about it, or something, to not taking the risk at all. Hence, a risk
event should always be analyzed for its probability of occurring, the higher
the chance that a risk event will happen the higher the risk. Probability is
then assessed in combination with loss.
As suggested earlier in this chapter, when it comes to project management, all types of risk can occur, such as knowledge risk, relationship risk or
process-engagement risk. Unfortunately, as we already know, each of these
risk events can have a huge impact on the productivity of your teams and
3


ultimately on the success of the project at hand. That said, it is also important to understand that not all risks can be avoided, nor should it, otherwise
nothing would ever be accomplished in your lives, or projects, as risk events

exists in every single task we are involved with, some higher, some lower,
but they are always there, waiting to comply with Murphy’s Law, where
anything that can go wrong, will! Our job is to identify and analyze these
risk events, their potential outcomes, and decide when to allow the risk.
Such analytical process of assessment, analysis, and mitigation causes us to
follow a risk management cycle, as depicted in Figure 1.1.
As illustrated in Figure 1.1, there are four steps in the process of
risk management, which will be discussed in details in later chapters of
this book. In general terms, the first step is the assessment of risk events,
followed by evaluation and management of the same. The last step is measuring the impact of such risk events.
Risk event identification, the first step, typically starts at the base
or the surface level of a project. The key questions here is, what can go
wrong? What can deviate from what has been planned? As we ask such
questions we are also trying to identify the source of such risk events. By
risk source we mean any cause, which could be either internal or external
to the project at hand. External sources are often beyond our control while
internal sources are potentially controllable, to a certain extent at least. For

Figure 1.1 - Risk Management Cycle

4


example, we cannot control an unexpected rain (external), but we can control how we deal with it by carrying an umbrella (internal), etc.
After major risk events have been identified then it is time to assess
the potential of criticality they present. Such analysis will require you to
prioritize your risk events. In general terms, likelihood of occurrence × impact
is equal to risk. After you have a good understanding of the risk events at
identified, you will be required to develop a risk management plan and
implementation of the same, which will comprise of the effective security

controls and control mechanisms for mitigation of risk. It gores without
saying that a challenging risk to any organizational effectiveness is a risk
event that is present but cannot be identified.
Risk management process can minimize the chances and effects
of bad outcomes in a project, and can accelerate an organization’s recovery from disasters. But this process does not suggest you need to avoid all
risks, as there are always opportunities in risks, and insurance companies
know this well and capitalize on it. It is, therefore, important that as part
of your risk assessment and mitigation process you also understand and
analyze the threat versus opportunity a risk event imposes on your project.
The question here as depicted in Figure 1.2 is: Is this risk event imposing a
threat to my project or an opportunity?
As illustrated in Figure 1.2, risk events have several dimensions.
A risk event in itself is neither good nor bad. A risk with low probability

Figure 1.2 - Understanding risk threats and opportunities

5


Figure 1.3 - Changing the risk assessment model from threat into opportunity

of occurring and very low impact on a project in the event of it occurring
may be insignificant enough to be ignored. Conversely, a risk with high
probability of occurring with a high impact to the project may be worth not
taken, or at least it may deserve to be hedged.
One of the main goals of risk assessment and mitigation process is,
therefore, devise strategies that enables us to change the model, to change
the threat versus opportunity correlation in a risk event, as depicted in
Figure 1.3.
The following chapter will help you understand the process in analyzing and mitigating this process in details.


6


Chapter 2
Risk Management
Theory and Practice

Overview
Risk is no longer a measure solely restricted to the financial world,
where analysts monitor the risk of a financial investment. As stated in the
previous chapter, anything that we endeavor in life has a risk factor associated with it. As technology has become an increasingly core aspect of
world economies, risk management has come to the fore in recent years.
Given the extreme importance of risk, it is inevitable that we must have a
formalized theory and approach to the risk management process.
An organization that weaves risk management into its project management process can be said to have a proactive approach to managing
risk. Undoubtedly, such an organization will be better prepared to manage
and mitigate risks in an increasingly volatile business environment and
will have a more favorable outcome than an organization that crosses the
bridge when the time comes. The irony here is that most executives these
days acknowledge that there are known and unknown risks impacting
7


their businesses and projects but very few have a risk plan that they rigorously follow and follow-up on.

What is Risk Management?
Now that we recognize the inevitability of risk, we need to do something to manage this uncertainty. The process of managing risk in a manner
to maximize the probability of highest positive outcome is called risk management. Risk management needs to be an integral part of project planning.
It is not an isolated event that occurs that the start of the project during the

initial planning phase. Business environments are always changing and technology is changing at a much faster pace than the overall business. Therefore, risk management needs to be an ongoing process. More likely than not,
risk management in another section of a business feeds into the project idea.
Active risk management continues throughout the project life cycle. And
risk management must continue even after the project has been successfully
implemented. Also, risk management is not a task relegated to an isolated
risk team. Risk management is just one aspect or one of the tasks under overall project management that provides inputs during all the project steps.
The core concept of risk is that it is the probability of occurrence of
an unfavorable outcome and the consequence of that outcome.
In other words, R = p x c
where,
R = Risk
p = probability of unfavorable outcome
c = consequence of unfavorable outcome
For instance, if a company expects that it could either has an outstanding year and achieves $100mn in revenue, or might not fare that well
and just be able to garner $50mn in revenue. Both outcomes have equal
probabilities of occurring. Here, there is a 50% probability of the firm losing $50mn in revenue. However, is that all that is at risk? Sadly, no. The
8


consequences of a negative outcome go far beyond the immediate monetary loss. The company might have had some projects in the pipeline that it
can no longer fund. Therefore, the company is risking losing new revenue
opportunities. The company might need to lay off employees to cut wages
and salaries. This will impact the firm in that the firm might lose critical
manpower and will have to make do with a smaller workforce. This will
also impact the morale of the employees laid off and also of those that
remain. The investors are not going to be happy about the much lower
revenue and this will restrict access to capital for future projects. Therefore, when managing risk, it is imperative that both the immediate and
future consequences of an unfavorable outcome are taken into consideration. Therefore, it can be said that the main purpose of risk management
is not just preventing losses but also protecting a company such that it can
go about its business as usual.

From the above equation, it can also be inferred that in general, if
either the probability of occurrence or the impact or consequence of the
occurrence increase, the risk increases. However, there is not a 1-to-1 relationship between the increase in probability and/or consequence and risk. In
other words, for every unit increase in probability and or/consequence, risk
does not increase by the same amount. The impact on risk depends on the
life cycle of the project. For instance, if a project fails very early on in its life,
the risk is lower since not much has been invested into the project. However,
as time passes and more resources are utilized the stakes increase.
A few important concepts to keep in mind when managing risk for
a project are:
• Appetite for risk
• Categories of risk
• Outcome of risk assessment

Appetite for Risk
Just like not one model investment portfolio is suitable for all financial investors, similarly, no one-risk management approach is suitable for
all kinds of projects. Every project is unique in itself and must be viewed as
such when devising risk management strategies for it. For instance, a proj9


ect that is not expected to result in a significant enhancement in revenues
or productivity for a company might not be high on the priority list of the
project management office. As such, the risk tolerance for such a project
would be low. Similarly, a project that is expected to take the company
to the next level would be a top-priority project for which the company
would be willing to take risks.
Another important aspect to consider is the appetite for risk of the
project manager. Some project managers are risk takers by nature and
derive satisfaction from taking on highly risky projects and turning them
around. Other project managers are risk averse and would not like to take

on more risks than necessary. Yet another set of project managers make a
more detached decision regarding projects. They have a more mathematical approach and go by just what the numbers say.
The risk appetite of the firm has a final bearing on the risk appetite
for the project. For instance, the firm might be in the process of issuing an
IPO and all seems to be going as planned. At this point, the firm might
not want to take on highly risky projects. This is because investors punish companies more severely for failures than reward them for successes.
Another example is that of a pharmaceutical company. Such companies
derive maximum revenues from licensed drugs. Therefore, they spend a
lot of money on drug research and are willing to embark on risky experiments to discover the break-through drug. On the other hands, firms that
are very stable and have profit margins in the low single digits do not have
much of an incentive to take on risky projects. The margin of error is low
for them and they are unwilling to rock the boat when not required.

Figure 2.1 - Risk Categories

10


Categories of Risk
Risk to a project can arise from one of the following four categories
listed in Figure 2.1.
Technical risks are the most obvious risks and exist for any technology project. This is because not all requirements can be penned to perfection. Similarly, technological and interface complexities are hard to predict.
Finally, quality is a subjective matter and there always exists the risk that
quality standards of all stakeholders are not met.
External risks are toughest to manage for a project manager since these
are factors that are not in the manager’s control. However, proactive planning
and hedging can help the manager reduce the impact of external risks.
No project can be successful without the buy-in of the senior management. A project is dependent on the organization for funding, resources and
prioritization. Finally, projects in general do not operate as silos. There could
be some pet projects that work as independent entities within organizations.

However, most of the projects are linked to other activities or projects within
the organization, and this contributes to the risk associated with the project.
Finally, there are risks associated with the project management
activities for the project. Gaps in planning, estimating, controlling and
communication among project stakeholders will impact the project outcome and hence act as risks to the project.

Outcome of Risk Assessment
Based on the risk appetite of the organization and the project manager, the project manager has identified risks in the various categories that
he needs to manage. Now what? The outcome of this risk assessment exercise is the risk management plan that the project manager owns. The risk
management plan is integrated into the project plan. It elaborates on the
two W’s and two H’s of risk management.
• What risk will be managed
• Who will manage the risk
11


• How will the risk be managed
• How much will be spent on managing the risk
There are several risks impacting every project. Not all of them
need to be managed. Some risks can be tolerated and some will need to be
mitigated. Therefore, one of the main outcomes of risk assessment is identifying which risks need to be mitigated or otherwise managed.
The risk management plan also identifies individuals or teams that
will be assigned the responsibility of managing the risks and identifies
tools that they will use to manage the risks. Finally, it will also outline the
budget outlay for the various risk activities. Some risks might not be worth
mitigating and the risk management plan will identify those risks.

12



Chapter 3
Developing a Risk
Assessment and
Mitigation Strategy

Overview
Risk is a part of life in everything we do. No activity is free of risk
but we do not give in to a life of inaction just because there is risk in everything we do. In a similar fashion, software projects are prone to risks at
every stage. There is a risk of market demand shrinking due to general
economic conditions, risk of losing key resources during the project, risk of
a natural calamity, etc.
When a project plan does not incorporate a risk plan, it is like shooting darts in air. There is a likelihood of hitting the eye but this likelihood is
very low. In other words, the project might succeed, but its success can be
attributed to sheer luck and not something that can be repeated. If you pick
up some older project management books, you might not find a discussion
13


of risk management or just a fleeting reference to it. Is it then surprising
why projects tend to have a track record not worth flaunting about?
The poor outcome of projects got seasoned practitioners thinking
what was the missing link. It turned out that projects were planned taking
into account the most likely events. However, life throws surprises at us when
we least expect them. As such, projects never turned out as planned and the
projects plans were not equipped to handle contingencies. As a result, projects
ended up with cost and schedule overruns or had to be scrapped altogether.
Therefore, risk management started getting more and more attention.
The first change that needed to be made was to change the attitude
towards risk. Risk is not something that is bad or needs to be frowned
upon. Risk, if planned for appropriately and managed expertly, can result

in competitive advantage. However, in order to capitalize on risk, it needs
to be anticipated proactively, prioritized intelligently, planned for appropriately and monitored continuously. When risk is managed in this fashion, it becomes an opportunity for higher project success.
The next question was whether an individual or a team should be
assigned the role of risk management and the rest of the team continues
to work as before. Unfortunately, such a setup is also very likely to fail.
The risk managers are sadly not the favorites in the project team. They are
the ones that are considered the harbingers of bad news or the ones that
are always pointing out what are the loose ends or what could go wrong.
When all is going well, no one wants to hear that there is a possibility of
failure and no one wants to expend resources to prepare for outcomes that
seem far from likely. As such, risk management plans would not be worth
the paper they are written on. Therefore, risk management needs to be an
integral part of project management. All the stakeholders that help with
the project plan also create the risk plan for the project. Outside experts
should also be leveraged since they might offer perspectives that might be
missed by the internal stakeholders.
Risks can be known and unknown. For instance, an existing competitor is a known risk. However, a new entrant is an unknown risk. Definitely, a known risk would require leashing immediately. Also, it gets
highest visibility. However, unknown risks can cause much more severe
damage and disrupt project success. Therefore, when planning for risks,
both known and unknown risks must be addressed.
14