FIT5057 · Project Management
Risk and Governance
This chapter governs the project under uncertainty. It walks the risk management process and the risk register, then the two ways to analyse a risk: qualitatively with the probability×impact (P×I) matrix, and quantitatively with expected monetary value (EMV = probability × impact in $). It covers the response strategies — for threats: avoid, transfer, mitigate, accept; for opportunities: exploit, share, enhance, accept — which the quiz loves to mix up. The governance half centres on Earned Value Management (EVM): planned value (PV), earned value (EV) and actual cost (AC) give the variances and indices (SV, CV, SPI, CPI) that say whether a project is ahead or behind, over or under budget. It closes on KPIs / RAG status and integrated change control. EVM interpretation (a negative CV means over budget) is prime quiz material; the full calculation is project-assignment work.
What this chapter covers
- 016.1 The risk management process & the risk register
- 026.2 Qualitative analysis — the P×I matrix
- 03Quantitative analysis — EMV (probability × impact)
- 046.3–6.4 Response strategies (threats vs opportunities)
- 05Earned Value Management — PV, EV, AC and the indices
- 06Worked EVM — a project at its data date
- 076.5–6.6 KPIs / RAG status & integrated change control
Worked example: reading an Earned Value snapshot
- +1Schedule variance: SV = EV − PV = 40,000 − 50,000 = −$10,000 — negative, so the project is behind schedule.
- +1Cost variance: CV = EV − AC = 40,000 − 45,000 = −$5,000 — negative, so the project is over budget.
- +1Schedule performance index: SPI = EV / PV = 40,000 / 50,000 = 0.80 — below 1, confirming behind schedule (doing 80% of planned work).
- +1Cost performance index: CPI = EV / AC = 40,000 / 45,000 ≈ 0.89 — below 1, confirming over budget (getting $0.89 of value per $1 spent).
- +1One-line read: negative variances and both indices below 1 → the project is behind schedule and over budget.
Key terms
- Risk register
- The living document that records each identified risk with its description, probability, impact, score, owner and planned response. A "good" risk is written as a cause-event-effect statement, not a vague worry — it must be specific enough to assess and assign.
- Expected monetary value (EMV)
- The quantitative value of a risk: EMV = probability × impact (in $). It converts a risk into a single dollar figure so risks can be compared and reserves sized. Used in decision-tree analysis to weigh options under uncertainty.
- Risk response strategies
- For threats: avoid, transfer, mitigate, accept. For opportunities: exploit, share, enhance, accept. The pairs mirror each other (transfer/share, mitigate/enhance), and the quiz tests whether you apply a threat strategy to a threat and an opportunity strategy to an opportunity.
- Earned value (EV) and the variances
- EV is the budgeted cost of work actually completed at the data date. With planned value (PV) and actual cost (AC): schedule variance SV = EV − PV, cost variance CV = EV − AC. Negative means behind / over; positive means ahead / under.
- CPI and SPI
- The performance indices. Cost performance index CPI = EV / AC; schedule performance index SPI = EV / PV. Above 1 is good (under budget / ahead of schedule); below 1 is bad. They normalise the variances into a ratio you can compare across projects.
Risk and Governance FAQ
What does a negative cost variance mean?
Over budget. CV = EV − AC, so a negative CV means actual cost exceeds the value earned — you have spent more than the work completed is worth. Likewise a negative SV (EV − PV) means behind schedule. The sign rule is the one thing the quiz reliably tests: negative variance = bad, and the corresponding index (CPI or SPI) is below 1.
What's the difference between a risk and an issue?
A risk is a potential future event that may or may not happen (uncertain, managed proactively with a response plan). An issue is a risk that has already occurred — it is now a current problem to be resolved. You analyse and plan for risks; you manage and resolve issues. The quiz tests this distinction directly.
How do I match a response strategy to a risk?
First decide if it is a threat (negative) or an opportunity (positive). Threats: avoid (remove it), transfer (shift it, e.g. insurance), mitigate (reduce probability or impact), accept. Opportunities: exploit (make sure it happens), share (partner to capture it), enhance (increase its probability or impact), accept. Applying "mitigate" to an opportunity, or "enhance" to a threat, is the classic mix-up.
Do I have to compute full EVM in the quiz?
Rarely the full set under time pressure — the quiz tests the interpretation (what does CPI < 1 mean, is a negative SV good or bad). The full EVM calculation at a data date is most relevant to the project assignment's governance section. Learn the four formulas (SV, CV, SPI, CPI) and the sign/threshold rules cold.
Exam move
Master the EVM sign rules above everything else here, because they are the most testable: SV and CV negative = behind / over; SPI and CPI below 1 = behind / over; positive / above 1 = ahead / under. Be able to write the four formulas and read a snapshot in one line. For risk, keep the threat and opportunity strategy lists paired and remember EMV = probability × impact. Distinguish risk from issue, contingency from management reserve, and qualitative (P×I) from quantitative (EMV) analysis. For the assignment's governance section, you will produce a real risk register and an EVM read, so practise both end to end.