Sunday, 27 October 2019

How many iterations are required


Some people believe that if they increase number of iterations in Monte Carlo simulation, they will have much more accurate results. But remember that the  accuracy of results depends on the accuracy of input data or in our case, how we define statistical distributions for task cost, duration and other parameters. Let’s assume that your estimate low and high durations of task in software development project. Even you if you perform this task few times, you cannot tell if duration is between 4 and 6 days, or between 3.5 and 6.5 days. In this case, the accuracy of estimation is greater than 10%. Such accuracy is different for different projects and different tasks. Sometimes it may be 1-5% of you maintain records and do repeatable project. However sometimes it is very significant number. If everybody would estimate project duration very accurately we would not need any analysis and you would not need to read this book. 


Standard deviation of project duration vs. number of iteration.



Mean of project duration vs. number of iteration.

Now let’s take a look how much accuracy additional Monte Carlo simulations would add. When we calculate perform Monte Carlo simulation we calculate mean and standard deviation of project duration. There are the results for standard deviation and mean of project duration of very small real software development project (Figure 5.13 and 5.14).
As you can see here if number of iterations is small, there is a significant difference between results on current and previous iteration. However, after few hundred iterations, the difference would be reduced significantly. If fact the difference between standard deviation for 500 iterations calculation and 550 iterations calculation is only 0.4%. The difference between mean for 500 iteration case and 550 iteration case is even less 0.04%. Remember the accuracy of our input uncertainties around 10%? We found that it real world it does not make sense to do many iterations. In most schedules 300-500 iterations will be correct optimal number of iterations. There are two cases where you would need to do more iterations:
1.      You have very rare events, which you would like to capture in your schedule risk analysis. For example, earthquake with probability 0.01% per duration of the project. So your number iterations should be at least 10,000 iterations in this case.
2.      It is important for you to monitor results of “extreme percentiles”, for example for P1 or P99. If you input distributions with low probability on the tails, such as triangular, you may need to increase number of iterations to get more accurate results of simulation.
Modern schedule risk analysis software can perform Monte Carlo simulations quite fast. Results could be quite different for different schedules, hardware, and software packages, but we can give you some idea. It may take 30 seconds – 1 minute to run 2000 iterations for 5000 task schedule on average computer. Any problems with performance may occur with large integrated schedules with tenth of thousands of tasks if you attempt to do very many iterations.


Wednesday, 4 September 2019

Role of the PMO in Project Risk Management


In a perfect world, projects would be like an isolated island untouched by outside forces and constraints, but unfortunately this isn’t the case. Projects inhabit an environment that is characterized by many constraints and risks. In larger organizations, a specific project is just one of many that are being planned or executed at any one time, the project portfolio. These  projects share common risks and uncertainties due to constraints and objectives of the larger organization in which they exist. Within this environment, the Project Management Office (PMO) provides risk management governance over the project portfolio to ensure that risks are managed consistently and aligns with the organizations objectives.

Consistency is important to ensure that same processes and criteria are used when generating  information used in the decision making process. If there is no consistency, it is difficult to compare project performance in the portfolio and allows personal biases to affect the analysis.  PMO’s ensure consistent risk management practices first by developing and distributing guidelines and specifications, templates, and training as necessary. These guidelines outline the standard organization risk management processes for identification, assessment, planning, monitoring, and controlling risks.  The guidelines will often come accompanied by templates or sample workbooks that provide standardized documentation to support the risk management process, including planning documents, assessment matrixes, and sample reports.
Along the same lines, the PMO can support the processes by providing training and mentoring to project team members. In fact, training and mentoring is just as important as providing the risk management framework (processes etc.) as this will ensure team members understand their roles in the process and how to perform them successfully. Without the training and mentoring, guidelines and specifications will suffer the same fate as  most copies of Tolstoy’s War and Peace. It is often featured prominently on bookshelves, but on closer inspection it becomes clear that book has rarely if ever been opened. Training bridges the gap between theory and practice and ensures that all projects know how to perform the required steps in the risk management process.
Finally, PMOs provide a portfolio risk management capability where the assessments of the project risks are rolled up at the portfolio level. This rolling up allows companies to identify common risks across their projects that can be managed most effectively at the organization level. This centralization of the risk management the PMO is able to provide a portfolio risk reporting capability for various organization stakeholders.
To conclude in organizations with a portfolio of projects, PMOs can provide an important role in overseeing the implementation of standardized project portfolio risk management process that includes providing a process framework, mentoring and training, a portfolio reporting capability.

Wednesday, 7 August 2019

Qualitative Risk Analysis for IT and Software Development Projects


If you have been following the unravelling of Phoenix, the Canadian governments new payroll system, you are aware of at least one major IT or software development project that has suffered catastrophic failures.  It is not alone, if you have them time, Google “software project failures” and it will return, the IEEE’s Software Hall of Shame is perhaps my favorite. At this point, you will probably come to the same conclusion shared by many in industry that IT projects can be extremely risky and prone to uncontrollable overruns and failure to deliver planned capabilities. IT Projects experience more risk than most other types of projects, a phenomenon that suggests that IT project managers would be wise to manage and hopefully minimize project risks. Now that we have made the case that if you are the PM of a IT project you need to manage risk, here is a brief overview of how you can quickly put one in place.             
First, you will need a risk management plan. Risk management plans outline who, what, when, and how (why was covered earlier). The plan can be a simple document that outlines how risks will be managed through the course of the project. It includes:
-          how you will identify, assess, and control risks
-          when activities will take place,
-          how you will communicate your plans to stakeholders.
Second, from the risk plan, you can develop a risk register. A project risk register is central to capturing and maintaining the information required to identify, assess, respond, and control your risks. Risk registers are commonly spreadsheets set up to track and assess risks. Common information that is tracked in a risk register:
Name
Descriptive name of risk
Description
If … then statement
Risk ID
Unique ID
Date Identified
When the risk was first identified
Likelihood
Probability or chance that a risk will occur
Impacts
Impact to project schedule, cost, quality, etc.
Severity or Score
Calculate level of risk severity
Owner
Person responsible for risk
Mitigation or Response Plan
Description of how and when the risk will be managed

The next step is the Risk Assessment, in which potential risks are identified and then assessed for their potential impact on the project. To identify risks, you can use several processes, including expert opinion, historical data, risk workshops etc. Once risks are identified, your team can then assess them based on criteria outlined in the risk management plan. For qualitative risk assessment, you can set up a simple probability and impact matrix that outlines how your project will assess probability and impacts. Here is an example that could be used on a small project:
Assessing the risk requires a simple multiplication of the risk probability by the highest impact rating using the numeric values . So for example, if a risk had the following assessment of:
Probability
Cost Impact
Schedule Impact
Quality Impact
4
3
4
4

The risk score =  Probability x Highest Impacts Score = 16
Risk scores can be converted to a rating. Using color help highlight the risk severity rating.
Rating
Score
Insignificant
1-5
Minor
6- 10
Medium
11- 15
Serious -
15-19
Critical
20 - 25

With the assessment completed, the next step to develop your strategies to manage individual  risks based on the assessment. Commonly, these strategies are: Avoid, Transfer, Mitigate, or Accept. Regardless of the selected strategy, any actions associated with plans  must be documented and include the person responsible, when it will occur and any costs associated with the plans.
Finally, during project execution, you monitor and control risks. This includes regular status updates (reviews) of existing risks monitor any changes and ensure controls are working. During project execution, schedule periodic risk sessions to include any new risks. The results of the risk reviews should be included in the Risk Register.
Final thought, keep it simple. Like many things in life, the best results come not from perfection, but from consistency. Keeping your risk management simple and paralleling your development process, will help to ensure consistency and ultimately better results.

Friday, 12 July 2019

Visualizing Risk Adjusted Linear Schedules


For visualizing location based projects, a popular alternative to Gantt charts are time location charts. Location based projects are usually construction projects, such as pipelines, buildings, and roads. In addition to standard scheduling data (start/finish times, duration, resources, and costs) each activity has location data.

Time location or linear charts are a way of visualizing project schedules with linear locations on the horizontal axis, and dates on the vertical axis. Schedule activities are then plotted onto the chart according to the locations over which they occur and the start and finish data that the project schedule determines.  This method is extremely effective in visualizing spatially how actual work will be performed and maximizes resource efficiency.

While, the appearance of time location charts is much different than the more common Gantt charts, they still include the requisite data (start time, finish time, duration, and task relationships) to allow for schedule risk analysis. When a schedule risk analysis has been performed, it is possible to generate a location based chart that compares the original vs a risk adjusted schedule. If you are familiar with RiskyProject, this type of view would be the equivalent of the Results Gantt, which shows the results of the simulation compared to the original schedule.

Creating a risk adjusted location based schedule is quite simple. First, depending upon the software you are using to generate the location based chart, set up the Simulation Results view which the specified columns and order of columns. Second, run a simulation. Third, export the results to Excel. At this point you may have to add the location based data for each activity. Finally, import the Excel data into the software that you are using to visualize the location based schedule.

Monday, 17 June 2019

Risk Scores and Risk Prioritization

A very common topic of discussion with RiskyProject users is how risks are scored.  In most cases,  users are familiar with traditional qualitative risk scoring that is a simple probability multiplied by impact. The advantage of this type of scoring is that it is both easy to understand and communicate severity to stakeholders.  If you are used to see this type of scoring, RiskyProject ‘s quantitative scoring can appear difficult to comprehend and communicate and you might ask why we don’t use the standard scoring method.  To understand why, I’ll first discuss the shortcomings of the standard risk scoring method.

Risk scores are of second order importance when assessing project risks. Primarily, risk assessment is about prioritization and the score should be considered as a value that is used to prioritize how risks will be managed and traditional risk matrix type scoring is notoriously unreliable and can often lead to poor or “worse than random decisions”.  This is analogous to how high  total cholesterol has been used as a marker for heart disease.  Using this as a marker, health authorities developed nutritional guidelines designed to lower cholesterol in the general population that focused on a low fat diet that has resulted in a massive increase in diabetes and obesity. If this was a project, it would viewed in the same light as Napoleon’s invasion of Russia. With this in mind, we can see how important it is ensure what you are measuring is an accurate reflection of the state of your project.

To increase the accuracy and validity of the risk scores and ranking, RiskyProject calculates risk scores based on their measured impact on defined project parameters such as duration or costs.  Risk probability and impacts to cost and schedule assigned to project activities and resources. So, in addition to the estimates for probability and impacts, the calculation also takes into account estimates for task durations, costs, and resource allocation. In each iteration, when you run a simulation RiskyProject does two things to calculate risk scores. First, it measures the impact of each risk on each parameter is measured in absolute units (days, dollars, etc).  As each risk occurs probabilistically and can have a range of impacts, these impacts can range from 0 – x depending on the parameter measured. Second,  the total project cost, duration, finish time, work and success rates are calculated. From these two measurements, the correlation between each and parameter is calculated. This correlation accurately reflects the expected or probabilistic impact of each risk on each parameter. Using risk weighting, this ranking can be extended to rank risks based on their overall impact on a project.  Risk weighting assigns a relative importance of one project outcome over another. For example, if a project a delay in a project will incur substantial penalties or other losses, schedule impacts can be assigned a higher importance for scoring purposes and is included in the risk score when looking at rankings for all parameters.

Communicating the results of this type of analysis can be challenging if your team is expecting to see risks scored as “High” or “20”. A risk score of  32.5% doesn’t elicit the reaction of a risk ranking of severe, highlighted in red. Make your stakeholders aware that the focus of the assessment is not to generate scores, but to prioritize risk planning by accurately ranking of risks based on calculated impacts on project objectives. If that is not enough, it is possible to calculate the expected values of risks in dollars and days,  but that is a subject for another post.

The focus of risk assessments needs to be shifted from labels or scores to ranking and prioritization. This requires abandoning or minimizing the use of unreliable qualitative methods and the use of quantitative methods that incorporate risks, cost, and schedule data that provide a more valid basis for decision making.

Tuesday, 7 May 2019

Project Risk Identification

What could possibly happen to my project? If you are a project manager or member of a project team, this question has probably crossed you mind on many occasions and it is a key to project success. When you ask this question, you are identifying risks that could happen during your project, which is the first step in managing your project risks. This step is called “Risk Identification” just asking what could happen is a good way to start, there are several methodologies you can use to improve your ability to identify project risks.
Brainstorming is perhaps the most popular method for identifying risks. While imagination and “thinking outside the box” are encouraged, it should be guided so that it focuses on risks that could impact key project objectives or critical activities. The goal is to cast a wide a net as possible, nothing out of bounds at this stage.
Alternatively, you can use input from experts or SME (Subject Matter Experts). One such method is Delphi. Delphi is a much more regimented process in which a facilitator sends out questionnaires to participant who remains anonymous throughout the process. They are asked to return their answers to the questionnaire to the facilitator. The facilitator then captures the ideas and sends out new questionnaires to refine the items identified in the first round. This process is iterative and continues until a consensus is reached.
Interviewing techniques can also be used to identify risks. In this process, confidentiality is used to elicit risks from project team members that ordinarily might not be identified in group settings due to group think and psychological effects. The confidentiality provides anonymity that otherwise would constrain individuals from providing complete disclosure. These three techniques are perhaps the most popular and can be used in any scale of project, but there are additional methods that can be used to augment the risk identification process.
SWOT analysis (Strengths, Weaknesses, Threats, Opportunity) is a process in these elements are represented a diagram and the project team identify internal and external factors for each element. It is very useful not only for identifying risks, but also to support decision making in the presence of risk and uncertainty.
Cause and Effect analysis are extremely useful in identifying underlying situation that can cause a risk to occur. Often cause and effect diagrams will generate causal chains of events where conditions and actions can trigger or make more probable a series of related risks to occur.
Event Chain Diagrams is a visualization technique that identifies risk and causal relationships between them. The relationships are event chains and help project managers identify and manage the risks that can have most impact on project plans.
Risk templates or checklists are by-products of the risk identification process. Using past projects, project managers can assemble lists of common risks that can be applied to future projects. These lists or templates can provide the basis for risk identification at the start of a project: however, as each project brings its own unique set of objectives and constraints, lists and templates should only be used as a starting point as they only represent a portion of the risks.

For many projects even using vigorous risk you may still miss many risks during original risk identification process. It often happens for research and development project when you don’t have enough historical project information. These “known risks” or those you identified before project starts are “tip of the iceberg”. Many risks can be identified only after project starts as part of project control. Therefore is it important to repeat risk identification process on different phases of the project.

Saturday, 20 April 2019

Project Risk Resilience

According to a quick search, the definition of resilient is an adjective to describe people or things that are “able to withstand or recover from difficult conditions.” The condition of being resilient is a key to success in any endeavour and while some people or things have an innate resilience, in general it is something that must be cultivated through experience, training, and planning. Recently, I watched an interview with an ex-Navy Seal, who in his second career has become famous for methods for building personal and team toughness and resilience.  He was asked if he had ever watched the movie “Navy Seals”, a 1990 movie starring Charlie Sheen, and realistic a depiction it was. Obviously, it isn’t, but one main points was that Charlie Sheen saw more action in the brief period that the movie covered than most Seals would see in a career. The reason being is that the Seals spent 95% of their time planning, looking at every possible scenario, and developing contingency plans to ensure they had the best chance of success. The point being, that while Navy Seals are extremely well trained, their missions are successful because they are resilient due to extremely careful planning.
This same approach can be applied to project management to ensure that your project is resilient. Basically to make your project risk resilient you need to include provisions for risk mitigation and plan risk response. Here is how you can make your project resilient.
Step 1. Identify possible obstacles to delivering the project. Ask three important questions. One, what could happen during project execution? Two, what would the impact be to capabilities, cost and schedule if something occurs? Three, what can do about it? During this process, you should identify risks (obstacles), assess them (how likely and ranges of impacts), and prioritize (identify those that have the most potential to affect your project).
Step 2: Create risk response plans. Starting with your highest priority risk, determine the best strategy for reducing its impact on the project. Commonly, these strategies are defined as Avoid, Transfer, Mitigate or Accept. Avoiding or transferring risks often means changes to project scope. Mitigation will allow you to reduce risk impacts, but require spending additional time and resources to achieve this and essentially becomes a cost benefit analysis to developing the most cost effective strategy for reducing risks. The post-mitigated impact of the risks, plus the impacts of the Accepted risks are residual risks that must be accounted for in your plan.
Step 3: Identify and assign uncertainties to the your plan. Uncertainties are natural variances that are unmanageable and affect all activities.  Uncertainties occur during project execution, often due to unforeseen circumstances, but also due to varying conditions that occur during project  execution. As they cannot be managed (like the residual risk), uncertainties  can only accounted for.
Step 4: Run Monte Carlo simulations to generate risk adjusted schedule margin and cost contingency. Running the simulation will generate range of outcomes for cost and schedule. Using these probabilistic ranges, you can generate schedule margin and cost contingencies to that give your project a high confidence of finishing on time and budget with the need capabilities. Monte Carlo simulations also allow you to determine efficiency of mitigation efforts and select best mitigation plan.
Using the above steps, you can ensure that your projects are risk resilient and give your team the best chance to be successful in delivering the promised value to your stakeholders.

Thursday, 21 February 2019

Visualization of Project Risks and Uncertainties

ne of the challenges of project risk analysis is creating visualizations that provide the relevant information in a format that is easily understood by the intended audience. The Gantt chart is a useful format on which to base the results of schedule risks analysis.
Gantt charts may be one of the most recognizable visualizations of project schedules. Developed in the early 1900’s by Henry Gantt, they were first used as a general planning tool for a variety of processes. However, it was not until the 1960s with the advent of critical path and adoption of computer based CPM scheduling tools, that Gantt chart became the primary visualization tool for schedule planning and analysis. We will show how this format can be modified to show the results of project risk analysis using a “risk adjusted” Results Gantt chart. Risk adjusted project schedule is generated based on results of project risk analysis of the original schedule. The Result Gantt chart provides alternative models of a project based upon the results of a Monte Carlo schedule risk analysis. The chart consists of two precedent networks that visualize the original deterministic schedule and the results of the Monte Carlo simulation. These results include both uncertainties in schedule parameters (start time, finish time, duration, lags, calendars) and risk events. Each activity has two bars for the deterministic and simulation results respectively. The bar for the simulation results can be modified to present additional information about the results of the schedule risk analysis. The length of the bar can be modified to represent various levels of uncertainty. Often the default value is P50 or Mean, but these values can be modified to show other levels such as P80, which is a standard level of certainty for calculating schedule margin.

In addition, the ranges and distributions for early and late start time and finish times for each task can be visualized as small triangles at the beginning and end of each bar, which provide a quick overview of the relative levels of schedule uncertainty in each task. You can visualize how risks events are assigned to project tasks using arrows. Arrows can represent threats or opportunities. Their direction, color, and size indicate if they are a threat (down) or opportunity (up), and severity or criticality (color and size). It is possible to link specific detailed risk assignment probabilities and impacts, such that it can be accessed directly from the individual arrows. The result is a rich and easy to understand Gantt chart that provides its audience a quick overview of the results of a project risk analysis in comparison with the original project plan. Event chain diagrams take the idea of a using the Gantt chart to model risk and uncertainties a step further. Event chain diagrams allow planners to identify events (risks) that affect specific activities and model both single events and chains of events (event chains) and identify the critical event chains that will have the most potential impact on the project. Chains occur with one event causes another event or chain to occur. The relationships and potential impact of these events can be extremely complex and because As Event Chain diagrams are based on a Gantt chart format, planners can provide team members and other stakeholder an easy to understand visualization that combines the information about risk model and the resultant analysis.

Thursday, 7 February 2019

Managing Risks in Large Projects

Managing risk is inherent to managing projects. In fact, managing project risk could be considered the single most important aspect of project management as all projects have risks and uncertainties that can are the underlying causes of missed deadlines and cost overruns. While all projects face these obstacles, large projects are especially vulnerable due to complexity. As projects grow in scope, they also experience an almost exponential growth in complexity and a concurrent growth in an exposure to risk events and uncertainties and can result in out of control costs and schedule and project failure. It is therefore critical that additional risk management strategies are put in place to give your team the best chance to be successful. Here is our advice on how to augment the standard project risk management steps when you are managing a large project.


Create a Risk Register
There are many standard formats for risk registers and the basic required data should include name, id, date identified, person identifier, description, owner/manager, pre and post mitigation probability and impacts, response, actions and status.
For large projects, you can include additional information that will help you better understand the scale of the risk and how effectively it is being managed. We recommend that you include current probability and impact, sunrise and sunset, proximity, location or facility, risk response effectiveness, and any other information that can help you to effectively assess, monitor, and control your risks.

Identify Risks
Risks can be both threats and opportunities. Each risk has both a probability of occurrence and potential impacts on project objectives. There are many well-known strategies that you can use including subject matter expert (SME) opinions, brainstorming, Delphi, root cause analysis, etc. In all cases, use a Bayesian approach, that uses historical data combined with new or emerging information to identify and assess risks.
For large projects, use a risk breakdown structure (RBS) as the basis for risk identification. Large projects are exposed to risks from multiple sources and the sheer volume can make it easy to overlook them A RBS breaks down the possible sources of risks (eg. Internal vs External) into smaller easier to comprehend blocks and makes the identification easier.

Assess Probability and Impact
Risks have both a probability and impact. Probability is a percentage between 0- 100 that the risk could occur, but it can also be ranges such as 1 in 2 (very likely) to 1-100 (very unlikely). Impacts to major project objectives (risk categories), such as schedule, cost, quality, and performance can also be assessed. Use probability and impact matrixes that outline how risk’s are assessed. For example if you are using the common 1 -5 scoring method, the matrixes should provide guidance what each score for probability or impact means. For impacts, 1 could mean less than 1% of the budget and 5 would equal more than 20%. Alternatively, these could be based on fixed amounts.
For large projects, we recommend Monte Carlo simulation to quantify the impact of risks and uncertainties on your project. The complexity of large projects creates situations where simple subjective assessments cannot accurately capture the possible range of outcomes. The assessment should include not only risks from the risk register, but uncertainties or aleatory risk, which is risk that cannot be managed but must be accounted for.

Plan risk Responses
Risk responses are actions or groups of actions that your project team will perform to reduce the impacts of risks on your schedule. At a high level risk responses are the strategies Avoid, Transfer, Mitigate or Accept. Each strategy should include actions with completion dates and the person responsible. Mitigation activities can be plotted on a Mitigation Waterfall Chart that presents a time phased visualization of how the planned actions will reduce the risk score.
For large projects, prioritize your risk responses based on expected values. Calculate the expected value for the cost of risks including risk response activities. Managing project risks is a trade-off and involves coming up with strategies that spend scarce resources to reduce cost or schedule. The cost of managing some risks may outweigh their costs and your resources could be allocated to managing other risks.

Monitor and Control Risks
Project risk management is a continuous and iterative process. As part of project status meetings, include a review of your risks and update information as required. During project execution, your list of risks and their priority will change. At the beginning of each major phase of the project, have a dedicated session, a risk workshop, to do a thorough revaluation of your risks, including identification, assessment, and responses for new and emerging risks.
For large projects, perform Monte Carlo schedule risk analysis on a regular basis. Small slippages are often the first sign of a project that is in trouble. While Earned Value will provide the basis for linear forecast of your schedule, it cannot account for future risks and uncertainties. In projects that are beginning to experience issues, risks and uncertainties do not remain static, but often trend upwards. Monte Carlo simulation will provide a more realistic forecast and identify some of the key areas that you can address to bring your project back under control.

Project Risk Analysis for Oil And Gas Projects


Years ago, we worked on team that developed economic and risk analysis software for the oil and gas industry. Like many people we assumed that the energy industry was enormously profitable because of the simple business model that generated large profits selling a product that is an indispensable component of modern society. In fact, what we discovered was that the ROI (return on investment) was relatively modest and generating profits and remaining viable in this industry is extremely difficult. Competition among producers is fierce and finding and extracting fossil fuels is difficult and fraught with obstacles. The modest average ROI that the industry masks an extreme variance where some projects are massively successful while many fail dismally. While there are many factors that can determine the success of failure in this industry, failure to properly manage project risks and by extension control cost and schedule overruns is often a key factor.
Project cost and schedule risk analysis is an important process in the management of energy portfolios.  Capital cost represents about 40 of all costs in the portfolios. Risks can significantly increase costs due to project delays and other cost escalations. Cost escalations of more than 30% are common and especially prevalent in new plays where developers have less experience with local conditions. The impact of risks on exploration projects is even higher; therefore, it is extremely important to identify and manage critical risks as part of cost control measures. 
Risk impacts to project cost and schedule must be analyzed consistently for all projects in the portfolio and propagate towards corporate portfolio management. Risks can have multiple impacts. For example, a risk could be identified due to a safety concern, so while it will affect safety, it can also impact reputation, cost, and schedule. In addition each project can have multiple risks, each which adds more uncertainty to your project plan.
With multiple risks with multiple impacts, identifying and managing critical or the most important risks is key.  Critical risks are those risks which have the most potential to impact key project objectives How much budget and schedule exposure is there due to project risks? Which risks are most critical? How could they affect cost and schedule, and profitability?
This is not to imply that not managing risks is the norm, it isn’t. However, often the method used are inadequate, as the use indirect methods to identify critical risks which are of dubious quality. Qualitative methods are the most subjective and prioritization of risks is unclear as does not take into project schedule and cost models. Traditional quantitative methods model risks indirectly using abstractions such as correlation, which leave the root causes of project uncertainty unclear. It may indicate that a task or group of task have a lot of uncertainty,  but is this because of one risk or many and which risk is the most important? In addition, schedule risk is often ignored as a priority as opposed to minimizing cost risk. However, the cliché “Time is money” particularly relevant in this context as time dependent cost risk is often the main driver in cost uncertainty and budget overruns.
The most accurate method for assessing cost risk is to include schedule driven costs or time dependent costs as part of the analysis. This requires resource loaded schedules that include resource rates and allocations. RiskyProject simplifies this process by combining the two major r components of this process: a risk register and project plan. The risk register allows you to identify, assess, manage and control your risks.
The plan includes schedule,costs, and resources. Project activities have durations, start and finish times, lags, costs, and resources.  Each one of these activity parameters can be affected by risk.

Project risks are events that potentially could impact your project schedule, cost, or other parameters, but you are unsure if they will occur. Risk are characterized with probabilities of less than 100% but more than 0. In addition, risk impacts must be quantified in terms of cost and time (fixed or relative). The risks are then assigned to each activity.
Once the risk assignment is complete, a Monte Carlo simulation is performed and the results can be used to prioritize your risks and also provide a reasonably accurate assessment of the potential unmanaged impact of each risk to the project. This process allows you to quickly identify cost and schedule uncertainty at both the project and activity level and prioritize risks based on their impact on cost or schedule
The next step is to generate mitigation plans for the most critical risks. These mitigation plans can include multiple activities that have planned finish times, owners, predicted costs, and other properties. Once the risk plans have been approved they can be added into the baseline schedule with associated cost and duration and is considered the post-mitigated baseline The simulation is rerun with planned reductions to the risk probability and impacts due to the mitigation activities and also accounts for the cost of the mitigation plans.

Through this process, we can generate the most accurate quantitative comparison of the pre and post-mitigation costs of the project. Depending upon the goals of the management team, this process can be run multiple times to generate a project plan that meets both the companies cost objectives and risk appetite.