claude-skills-reference/project-management/senior-pm/references/risk-management-framework.md
Leo 882ce5abd1 feat(pm): elevate scrum-master and senior-pm to POWERFUL tier
- scrum-master: add velocity_analyzer, sprint_health_scorer, retrospective_analyzer
- scrum-master: add references, assets, templates, rewrite SKILL.md
- senior-pm: add risk_matrix_analyzer, resource_capacity_planner, project_health_dashboard
- senior-pm: add references, assets, templates, rewrite SKILL.md
- All scripts: zero deps, dual output, type hints, tested against sample data
2026-02-15 20:36:56 +00:00

# Risk Management Framework for Senior Project Managers
## Executive Summary
This framework provides senior project managers with quantitative risk analysis methodologies, decision frameworks, and portfolio-level risk management strategies. It goes beyond basic risk identification to provide sophisticated tools for risk quantification, Monte Carlo simulation, expected monetary value (EMV) analysis, and enterprise risk appetite frameworks.
---
## Risk Classification & Quantification
### Risk Categories with Quantitative Weightings
#### 1. Technical Risk (Weight: 1.2x)
**Definition:** Technology implementation, integration, and performance risks
**Quantification Approach:**
- **Technology Maturity Score (TMS):** 1-5 scale based on technology adoption curve
- **Integration Complexity Index (ICI):** Number of integration points × complexity factor
- **Performance Risk Factor (PRF):** Historical performance variance in similar projects
**Formula:** `Technical Risk Score = (TMS × 0.3 + ICI × 0.4 + PRF × 0.3) × 1.2`
**Typical Sub-Risks:**
- Architecture scalability limitations (Impact: Schedule +15-30%, Cost +10-25%)
- Third-party integration failures (Impact: Schedule +20-40%, Cost +15-30%)
- Performance bottlenecks (Impact: Quality -20-40%, Cost +5-15%)
- Technology obsolescence (Impact: Long-term maintenance +50-100%)
#### 2. Resource Risk (Weight: 1.1x)
**Definition:** Human capital availability, skills, and retention risks
**Quantification Approach:**
- **Skill Availability Index (SAI):** Market availability of required skills (1-5)
- **Team Stability Factor (TSF):** Historical turnover rate in similar roles
- **Capacity Utilization Ratio (CUR):** Team utilization vs. sustainable capacity
**Formula:** `Resource Risk Score = (SAI × 0.4 + TSF × 0.3 + CUR × 0.3) × 1.1`
**Financial Impact Models:**
- Key person departure: 3-6 months replacement + 2-4 weeks knowledge transfer
- Skill gap: 15-30% productivity reduction + training/hiring costs
- Over-utilization: 20-40% quality degradation + burnout-related delays
#### 3. Schedule Risk (Weight: 1.0x)
**Definition:** Timeline compression, dependencies, and critical path risks
**Quantification Method: Monte Carlo Simulation**
```
Three-Point Estimation:
- Optimistic (O): Best case scenario (10% probability)
- Most Likely (M): Realistic estimate (50% probability)
- Pessimistic (P): Worst case scenario (90% probability)
Expected Duration = (O + 4M + P) / 6
Standard Deviation = (P - O) / 6
Monte Carlo Variables:
- Task duration uncertainty
- Resource availability variations
- Dependency delay impacts
- External factor disruptions
```
#### 4. Financial Risk (Weight: 1.4x)
**Definition:** Budget overruns, funding availability, and cost variability risks
**Expected Monetary Value (EMV) Analysis:**
```
EMV = Σ(Probability × Impact) for all financial risk scenarios
Cost Escalation Model:
- Labor cost inflation: Historical rate ± standard deviation
- Technology cost changes: Market volatility analysis
- Scope creep financial impact: Historical data from similar projects
- Currency/economic factors: Economic indicators correlation
Risk-Adjusted Budget = Base Budget × (1 + Risk Premium)
Risk Premium = Portfolio Risk Score × Risk Tolerance Factor
```
---
## Quantitative Risk Analysis Methodologies
### 1. Expected Monetary Value (EMV) Analysis
**Purpose:** Quantify financial impact of risks to inform investment decisions
**Process:**
1. **Risk Event Identification:** Catalog all potential financial impact events
2. **Probability Assessment:** Use historical data, expert judgment, and statistical models
3. **Impact Quantification:** Model financial consequences across multiple scenarios
4. **EMV Calculation:** Probability × Financial Impact for each risk
5. **Portfolio EMV:** Sum of all individual risk EMVs
**Example EMV Calculation:**
```
Risk: Third-party API failure requiring alternative implementation
Probability Scenarios:
- Minor disruption (60% chance): $50K additional cost
- Major redesign (30% chance): $200K additional cost
- Complete platform change (10% chance): $500K additional cost
EMV = (0.6 × $50K) + (0.3 × $200K) + (0.1 × $500K)
EMV = $30K + $60K + $50K = $140K
Risk-adjusted budget should include $140K contingency for this risk.
```
### 2. Monte Carlo Simulation for Schedule Risk
**Purpose:** Model schedule uncertainty using probabilistic analysis
**Implementation Process:**
1. **Task Duration Modeling:** Define probability distributions for each task
2. **Dependency Mapping:** Model task dependencies and their uncertainty
3. **Resource Constraint Integration:** Include resource availability variations
4. **External Factor Variables:** Weather, regulatory approvals, vendor delays
5. **Simulation Execution:** Run 10,000+ iterations to generate probability curves
**Key Outputs:**
- **P50 Schedule:** 50% confidence completion date
- **P80 Schedule:** 80% confidence completion date (recommended for commitments)
- **P95 Schedule:** 95% confidence completion date (worst-case planning)
- **Critical Path Sensitivity:** Which tasks most impact overall schedule
**Schedule Risk Interpretation:**
```
If P50 = 6 months, P80 = 7.5 months:
- Schedule Buffer Required: 1.5 months (25% buffer)
- Risk Level: Medium (broad distribution indicates uncertainty)
- Mitigation Priority: Focus on tasks with highest variance contribution
```
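The simulation process above, as an added example that is not part of the original framework or the repository's scripts. The four-task plan, its week estimates, the triangular distribution, and the use of Pearson correlation as the sensitivity measure are assumptions chosen for illustration.

```python
import random

# Constructed plan (weeks): task -> (optimistic, most_likely, pessimistic, predecessors).
# Tasks are listed in dependency order, so predecessors are always simulated first.
PLAN = {
    "design": (2, 3, 6, []),
    "api": (4, 6, 12, ["design"]),
    "ui": (3, 5, 8, ["design"]),
    "test": (2, 3, 7, ["api", "ui"]),
}

def simulate(plan, iterations=10_000, seed=7):
    """Return (project durations, per-task sampled durations) for each iteration."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    totals, draws = [], {task: [] for task in plan}
    for _ in range(iterations):
        finish = {}
        for task, (o, m, p, preds) in plan.items():
            duration = rng.triangular(o, p, m)  # assumed triangular distribution
            start = max((finish[x] for x in preds), default=0.0)
            finish[task] = start + duration
            draws[task].append(duration)
        totals.append(max(finish.values()))
    return totals, draws

def pearson(xs, ys):
    """Pearson correlation, used as a simple critical-path sensitivity measure."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sum((x - mx) ** 2 for x in xs) ** 0.5
    sy = sum((y - my) ** 2 for y in ys) ** 0.5
    return cov / (sx * sy)

def percentile(sorted_vals, q):
    return sorted_vals[min(len(sorted_vals) - 1, int(q * len(sorted_vals)))]

def schedule_report(plan, iterations=10_000, seed=7):
    totals, draws = simulate(plan, iterations, seed)
    ordered = sorted(totals)
    p50, p80, p95 = (percentile(ordered, q) for q in (0.50, 0.80, 0.95))
    return {
        "P50": p50, "P80": p80, "P95": p95,
        "buffer": p80 - p50,  # weeks to add to a P50 plan to reach P80
        "buffer_pct": 100 * (p80 - p50) / p50,
        "sensitivity": {t: pearson(draws[t], totals) for t in plan},
    }

if __name__ == "__main__":
    report = schedule_report(PLAN)
    for key in ("P50", "P80", "P95", "buffer", "buffer_pct"):
        print(f"{key}: {report[key]:.2f}")
    for task, r in sorted(report["sensitivity"].items(), key=lambda kv: -kv[1]):
        print(f"sensitivity {task}: {r:.2f}")
```

Because `api` and `ui` merge into `test`, the project total follows the slower of the two in each iteration, which is why the wider `api` estimate dominates the sensitivity ranking.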
### 3. Risk Appetite & Tolerance Frameworks
#### Enterprise Risk Appetite Levels
**Conservative (Risk Score Target: 0-8)**
- **Philosophy:** Minimize risk exposure, accept lower returns for certainty
- **Suitable Projects:** Core business operations, regulatory compliance, customer-facing systems
- **Contingency Reserves:** 20-30% of project budget
- **Decision Criteria:** Require 90%+ confidence levels for major decisions
**Moderate (Risk Score Target: 8-15)**
- **Philosophy:** Balanced risk-return approach, selective risk taking
- **Suitable Projects:** Process improvements, technology upgrades, market expansion
- **Contingency Reserves:** 15-20% of project budget
- **Decision Criteria:** 70-80% confidence levels acceptable
**Aggressive (Risk Score Target: 15+)**
- **Philosophy:** High risk tolerance for high strategic returns
- **Suitable Projects:** Innovation initiatives, emerging technology adoption, new market entry
- **Contingency Reserves:** 10-15% of project budget (accept higher failure rates)
- **Decision Criteria:** 60-70% confidence levels acceptable
#### Risk Tolerance Thresholds
**Financial Tolerance Levels:**
- **Level 1:** <$100K potential loss - Team/PM authority
- **Level 2:** $100K-$500K potential loss - Business unit approval required
- **Level 3:** $500K-$2M potential loss - Executive committee approval
- **Level 4:** >$2M potential loss - Board approval required
**Schedule Tolerance Levels:**
- **Green:** <5% schedule impact - Monitor and mitigate
- **Amber:** 5-15% schedule impact - Active mitigation required
- **Red:** >15% schedule impact - Escalation and replanning required
---
## Advanced Risk Modeling Techniques
### 1. Correlation Analysis for Portfolio Risk
**Purpose:** Understand how risks interact across projects and compound at portfolio level
**Correlation Types:**
- **Positive Correlation:** Risks that tend to occur together (e.g., economic downturn affecting multiple projects)
- **Negative Correlation:** Risks that are mutually exclusive (e.g., resource conflicts between projects)
- **No Correlation:** Independent risks
**Portfolio Risk Calculation:**
```
Portfolio Variance = Σ(Individual Project Variance) + 2Σ(Correlation × StdDev1 × StdDev2)
Where correlation coefficients range from -1.0 to +1.0:
- +1.0: Perfect positive correlation (risks always occur together)
- 0.0: No correlation (risks are independent)
- -1.0: Perfect negative correlation (risks never occur together)
```
### 2. Value at Risk (VaR) for Project Portfolios
**Definition:** Maximum expected loss over a specific time period at a given confidence level
**Calculation Example:**
```
For a portfolio with expected value of $10M and monthly VaR of $500K at 95% confidence:
"There is a 95% chance that portfolio losses will not exceed $500K in any given month"
VaR Calculation Methods:
1. Historical Simulation: Use past project performance data
2. Parametric Method: Assume normal distribution of returns
3. Monte Carlo Simulation: Model complex risk interactions
```
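The portfolio variance formula from the correlation section and the parametric VaR method listed above, combined in one added example that is not part of the original framework. The three-project portfolio, its standard deviations in $K, and the 0.7 correlation are constructed values; VaR is measured here as loss beyond the expected outcome under the normal-distribution assumption.

```python
from statistics import NormalDist

def portfolio_std(stds, corr):
    """Std dev of the summed outcome: sqrt(sum var_i + 2 * sum rho_ij * sd_i * sd_j)."""
    n = len(stds)
    variance = sum(s * s for s in stds)
    for i in range(n):
        for j in range(i + 1, n):
            rho = corr[i][j]
            if not -1.0 <= rho <= 1.0 or rho != corr[j][i]:
                raise ValueError(f"bad correlation for projects {i},{j}: {rho}")
            variance += 2 * rho * stds[i] * stds[j]
    if variance < 0:
        # Each pair can look valid while the matrix as a whole is impossible.
        raise ValueError("correlation matrix is not internally consistent")
    return variance ** 0.5

def parametric_var(stds, corr, confidence=0.95):
    """Loss beyond the expected outcome not exceeded with the given confidence."""
    z = NormalDist().inv_cdf(confidence)  # about 1.645 at 95%
    return z * portfolio_std(stds, corr)

# Constructed portfolio: monthly cost-deviation std dev per project, in $K.
STDS = [300.0, 400.0, 250.0]
INDEPENDENT = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
SHARED_DRIVER = [[1.0, 0.7, 0.7], [0.7, 1.0, 0.7], [0.7, 0.7, 1.0]]

def compare(stds=STDS):
    """VaR at 95% under independence vs. a shared risk driver (rho = 0.7)."""
    return {
        "independent": parametric_var(stds, INDEPENDENT),
        "shared_driver": parametric_var(stds, SHARED_DRIVER),
        "sum_of_standalone_vars": sum(parametric_var([s], [[1.0]]) for s in stds),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: ${value:,.0f}K")
```

Summing standalone VaR figures is only correct when every pair is perfectly correlated; any lower correlation gives a smaller portfolio figure, and a positive shared driver pushes it back toward that upper bound.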
### 3. Real Options Analysis for Project Flexibility
**Purpose:** Value the flexibility to modify project approach based on new information
**Common Real Options in Projects:**
- **Expansion Option:** Scale up successful projects
- **Abandonment Option:** Exit failing projects early
- **Timing Option:** Delay project start for better conditions
- **Switching Option:** Change technology/approach mid-project
**Black-Scholes Adaptation for Projects:**
```
Project Option Value = S₀ × N(d₁) - K × e^(-r×T) × N(d₂)
Where:
S₀ = Current project value estimate
K = Required investment (strike price)
r = Risk-free rate
T = Time to decision point
N(d) = Cumulative standard normal distribution
```
---
## Risk Response Strategies with Decision Trees
### Strategy Selection Framework
#### 1. Avoid (Eliminate Risk)
**Decision Criteria:**
- High impact + High probability risks
- Cost of avoidance < Expected risk cost
- Alternative approaches available
**Examples:**
- Choose proven technology over cutting-edge solutions
- Eliminate high-risk features from scope
- Change project approach entirely
#### 2. Mitigate (Reduce Probability or Impact)
**Decision Tree for Mitigation Investment:**
```
If (Risk EMV > Mitigation Cost × 1.5):
    Implement mitigation
Else if (Risk Impact > Risk Tolerance Threshold):
    Consider partial mitigation
Else:
    Accept risk
```
**Mitigation Effectiveness Factors:**
- Cost efficiency: Mitigation cost ÷ Risk EMV reduction
- Implementation feasibility: Resource availability and timeline
- Residual risk: Remaining risk after mitigation
#### 3. Transfer (Share Risk with Others)
**Transfer Mechanisms:**
- Insurance: For predictable, quantifiable risks
- Contracts: Fixed-price contracts transfer cost risk to vendors
- Partnerships: Share both risks and rewards
- Outsourcing: Transfer operational risks to specialists
**Transfer Decision Matrix:**
| Risk Type | Transfer Mechanism | Cost Efficiency | Risk Retention |
|-----------|-------------------|-----------------|----------------|
| Technical | Fixed-price contract | High | Low |
| Schedule | Penalty clauses | Medium | Medium |
| Market | Revenue sharing | Low | High |
| Operational | Insurance/SLA | High | Low |
#### 4. Accept (Acknowledge and Monitor)
**Acceptance Criteria:**
- Low impact × Low probability risks
- Mitigation cost > Risk EMV
- Risk within established tolerance thresholds
**Active Acceptance:** Establish contingency reserves and response plans
**Passive Acceptance:** Monitor but take no proactive action
---
## Risk Monitoring & Key Performance Indicators
### Risk Health Metrics
#### 1. Portfolio Risk Exposure Trends
```
Risk Velocity = (New Risks Added - Risks Resolved) / Time Period
Risk Burn Rate = Total Risk EMV Reduction / Time Period
Risk Coverage Ratio = Mitigation Budget / Total Risk EMV
```
#### 2. Risk Response Effectiveness
```
Mitigation Success Rate = Risks Successfully Mitigated / Total Mitigation Attempts
Average Resolution Time = Σ(Risk Resolution Days) / Number of Resolved Risks
Cost of Risk Management = Total Risk Management Spend / Project Budget
```
#### 3. Leading vs. Lagging Indicators
**Leading Indicators (Predictive):**
- Resource utilization trends
- Stakeholder satisfaction scores
- Technical debt accumulation
- Team velocity variance
- Budget burn rate vs. planned
**Lagging Indicators (Confirmatory):**
- Actual schedule delays
- Budget overruns
- Quality defect rates
- Stakeholder complaints
- Team turnover events
### Risk Dashboard Design
**Executive Level (Strategic View):**
- Portfolio risk heat map
- Top 10 risks by EMV
- Risk appetite vs. actual exposure
- Risk-adjusted project ROI
**Program Level (Tactical View):**
- Risk trend analysis
- Mitigation plan status
- Resource allocation for risk management
- Cross-project risk correlations
**Project Level (Operational View):**
- Individual risk register
- Risk response action items
- Risk probability/impact changes
- Mitigation cost tracking
---
## Integration with Portfolio Management
### Strategic Risk Alignment
**Risk-Adjusted Portfolio Optimization:**
1. **Risk-Return Analysis:** Plot projects on risk vs. return matrix
2. **Portfolio Diversification:** Balance high-risk/high-reward with stable projects
3. **Resource Allocation:** Allocate risk management resources based on EMV
4. **Strategic Fit:** Ensure risk appetite aligns with strategic objectives
**Capital Allocation Models:**
```
Risk-Adjusted NPV = Standard NPV × Risk Adjustment Factor
Risk Adjustment Factor = 1 - (Project Risk Score × Risk Penalty Rate)
Where Risk Penalty Rate reflects organization's risk aversion:
- Conservative: 0.8% per risk score point
- Moderate: 0.5% per risk score point
- Aggressive: 0.2% per risk score point
```
### Governance Integration
**Risk Committee Structure:**
- **Executive Risk Committee:** Monthly, strategic risks >$1M impact
- **Portfolio Risk Board:** Bi-weekly, cross-project risks
- **Project Risk Teams:** Weekly, operational risk management
**Escalation Triggers:**
- Risk EMV exceeds defined thresholds
- Risk probability or impact significantly changes
- Mitigation plans fail or become ineffective
- New risk categories emerge
**Decision Authority Matrix:**
| Risk EMV Level | Authority Level | Response Time | Required Documentation |
|----------------|-----------------|---------------|------------------------|
| <$50K | Project Manager | 24 hours | Risk register update |
| $50K-$250K | Program Manager | 48 hours | Risk assessment report |
| $250K-$1M | Business Owner | 72 hours | Executive summary + options |
| >$1M | Executive Committee | 1 week | Full risk analysis + recommendation |
---
## Advanced Topics
### Behavioral Risk Factors
**Cognitive Biases in Risk Assessment:**
- **Optimism Bias:** Tendency to underestimate risk probability
- **Anchoring Bias:** Over-reliance on first information received
- **Availability Heuristic:** Overweighting easily recalled risks
- **Confirmation Bias:** Seeking information that confirms existing beliefs
**Bias Mitigation Techniques:**
- Independent risk assessments from multiple sources
- Devil's advocate roles in risk sessions
- Historical data analysis vs. expert judgment
- Pre-mortem analysis: "How could this project fail?"
### Emerging Risk Categories
**Digital Transformation Risks:**
- Data privacy and cybersecurity (GDPR, CCPA compliance)
- Legacy system integration complexity
- Change management and user adoption
- Cloud migration and vendor lock-in
**Regulatory and Compliance Risks:**
- Changing regulatory landscape
- Cross-border data transfer restrictions
- Industry-specific compliance requirements
- Audit and documentation requirements
**Sustainability and ESG Risks:**
- Environmental impact assessments
- Social responsibility requirements
- Governance and ethical considerations
- Long-term sustainability of solutions
---
## Implementation Guidelines
### Risk Framework Maturity Model
**Level 1 - Basic (Ad Hoc):**
- Qualitative risk identification
- Simple probability/impact matrices
- Reactive risk response
- Project-level focus only
**Level 2 - Managed (Repeatable):**
- Standardized risk processes
- Quantitative risk analysis
- Proactive mitigation planning
- Portfolio-level risk aggregation
**Level 3 - Defined (Systematic):**
- Enterprise risk integration
- Monte Carlo simulation
- Risk-adjusted decision making
- Cross-functional risk management
**Level 4 - Advanced (Quantitative):**
- Real-time risk monitoring
- Predictive risk analytics
- Automated risk reporting
- Strategic risk optimization
**Level 5 - Optimizing (Continuous Improvement):**
- AI-enhanced risk prediction
- Dynamic risk response
- Industry benchmark integration
- Continuous framework evolution
### Getting Started: 90-Day Implementation Plan
**Days 1-30: Foundation**
- Assess current risk management maturity
- Define risk appetite and tolerance levels
- Establish risk governance structure
- Train core team on quantitative methods
**Days 31-60: Tools & Processes**
- Implement EMV and Monte Carlo tools
- Create risk dashboard templates
- Establish risk register standards
- Begin historical data collection
**Days 61-90: Integration & Optimization**
- Integrate with portfolio management
- Establish reporting rhythms
- Conduct first portfolio risk review
- Plan continuous improvement initiatives
---
*This framework should be adapted to organizational context, industry requirements, and project complexity. Regular updates should incorporate lessons learned and emerging best practices.*