2
The Concept of Risk and Uncertainty and the Sources and Types of Risk
Man plans, God smiles
(Hebrew proverb)
Fortune favours the prepared
(Louis Pasteur)

2.1 INTRODUCTION

Risk affects every aspect of human life; we live with it every day and learn to manage its influence on our lives. In most cases this is done as an unstructured activity, based on common sense, relevant knowledge, experience and instinct.
This chapter outlines the basic concept of risk and uncertainty and provides a number of definitions of them. It also discusses the dimensions of risk and the perception of risk throughout an organisation. Different sources and types of risk are also discussed.

2.2 BACKGROUND

Uncertainty affects all investments. However, uncertainty can often be considered in terms of probability provided sufficient information is known about the uncertainty. Probability is based on the occurrence of any event and thus must have an effect on the outcome of that event. The effect can be determined on the basis of the cause and description of an occurrence. For example, the cause, description and effect can be illustrated by the following:
‘Crossing the road without looking’ will most likely result in ‘injury’.
Figure 2.1 illustrates the concept of risk in terms of uncertainty, probability, effect and outcome.
Figure 2.1 The concept of risk (Merna and Smith 1996) (Reproduced by permission of A. Merna)
004
Once the probability, cause and effect of an occurrence can be determined then a probability distribution can be computed. From this probability distribution, over a range of possibilities, the chances of risk occurring can be determined, thus reducing the uncertainty associated with this event.
The authors suggest that uncertainty can often be interpreted as prophecy, since a prophecy is not based on data or experience. A prediction, however, is normally based on data or past experience and thus offers a basis for potential risk.

2.3 RISK AND UNCERTAINTY: BASIC CONCEPTS AND GENERAL PRINCIPLES

According to Chapman and Ward (1997):
All projects involve risk – the zero risk project is not worth pursuing. Organisations which better understand the nature of these risks and can manage them more effectively can not only avoid unforeseen disasters but can work with tighter margins and less contingency, freeing resources for other endeavours, and seizing opportunities for advantageous investment which might otherwise be rejected as too risky.
Risk and uncertainty are distinguished by both Bussey (1978) and Merrett and Sykes (1983) as:
A decision is said to be subject to risk when there is a range of possible outcomes and when known probabilities can be attached to the outcome.
 
Uncertainty exists when there is more than one possible outcome to a course of action but the probability of each outcome is not known.
In today’s business, nearly all decisions are taken purely on a financial consequences basis. Business leaders need to understand and know whether the returns on a project justify taking risks, and the extent of these consequences (losses) if the risks do materialise. Investors, on the other hand, need some indication of whether the returns on an investment meet their minimum returns if the investment is fully exposed to the risks identified. (Merna 2002) suggests:
we are at a unique point in the market where players are starting to recognise that risks need to be quantified and that information about these projects needs to be made available to all participants in the transaction.
Therefore identifying risks and quantifying them in relation to the returns of a project is important. By knowing the full extent of their gains and/or losses, business leaders and investors can then decide whether to sanction or cancel an investment or project.

2.4 THE ORIGIN OF RISK

The origin of the word ‘risk’ is thought to be either the Arabic word risq or the Latin word riscum (Kedar 1970). The Arabic risq signifies ‘anything that has been given to you [by God] and from which you draw profit’ and has connotations of a fortuitous and favourable outcome. The Latin riscum, however, originally referred to the challenge that a barrier reef presents to a sailor and clearly has connotations of an equally fortuitous but unfavourable event.
A Greek derivative of the Arabic word risq which was used in the twelfth century would appear to relate to chance of outcomes in general and have neither positive nor negative implications (Kedar 1970). The modern French word risqué has mainly negative but occasionally positive connotations, as for example in ‘qui de risque rien n’a rien’ or ‘nothing ventured nothing gained’, whilst in common English usage the word ‘risk’ has very definite negative associations as in ‘run the risk’ or ‘at risk’, meaning exposed to danger.
The word ‘risk’ entered the English language in the mid seventeenth century, derived from the word ‘risque’. In the second quarter of the eighteenth century the anglicised spelling began to appear in insurance transactions (Flanagan and Norman 1993). Over time and in common usage the meaning of the word has changed from one of simply describing any unintended or unexpected outcome, good or bad, of a decision or course of action to one which relates to undesirable outcomes and the chance of their occurrence (Wharton 1992). In the more scientific and specialised literature on the subject, the word ‘risk’ is used to imply a measurement of the chance of an outcome, the size of the outcome or a combination of both. There have been several attempts to incorporate the idea of both size and chance of an outcome in the one definition. To many organisations risk is a four-letter word that they try insulate themselves from.
Rowe (1977) defines risk as ‘The potential for unwanted negative consequences of an event or activity’ whilst many authors define risk as ‘A measure of the probability and the severity of adverse effects’. Rescher (1983) explains that ‘Risk is the chancing of a negative outcome. To measure risk we must accordingly measure both its defining components, and the chance of negativity’. The way in which these measurements must be combined is described by Gratt (1987) as ‘estimation of risk is usually based on the expected result of the conditional probability of the event occurring times the consequences of the event given that it has occurred’.
It follows then that in the context of, for example, a potential disaster, the word ‘risk’ might be used either as a measure of the magnitude of the unintended outcome, say, 2000 deaths, or as the probability of its occurrence, say, 1 in 1000 or even the product of the two – a statistical expectation of two deaths (Wharton 1992). Over time a number of different, sometimes conflicting and more recently rather complex meanings have been attributed to the word ‘risk’. It is unfortunate that a simple definition closely relating to the medieval Greek interpretation has not prevailed – one which avoids any connotation of a favourable or unfavourable outcome or the probability or size of the event.
The model shown in Figure 2.2 suggests that risk is composed of four essential parameters: probability of occurrence, severity of impact, susceptibility to change and degree of interdependency with other factors of risks. Without any of these the situation or event cannot truly be considered a risk. This model can be used to describe risk situations or events in the modelling of any investments for risk analysis.
The use of a risk model helps reduce reliance upon raw judgement and intuition. The inputs to the model are provided by humans, but the brain is given a system on which to operate (Flanagan and Norman 1993).
Figure 2.2 Typical risk parameters (Adapted from Allen 1995)
005
Models provide a backup for our unreliable intuition. A model can be thought of as having two roles:
1. It produces an answer.
2. It acts as a vehicle for communication, bringing out factors that might not be otherwise considered.
Models provide a mechanism by which risks can be communicated through the system. A risk management system is a model, it provides a means for identification, classification and analysis and then a response to risk.

2.4.1 Dimensions of Risk

A common definition of risk – the likelihood of something undesirable happening in a given time – is conceptually simple but difficult to apply. It provides no clues to the overall context and how risks might be perceived. Most people think of risk in terms of three components: something bad happening, the chances of it happening, and the consequences if it does happen. These three components of risk can be used as the basis of a structure for risk assessment. Kaplan and Gerrick (1981) proposed a triplet for recording risks which includes a set of scenarios or similar occurrences (something bad happens), the probabilities that the occurrences take place (the chances something bad happens), and the consequence measures associated with the occurrences.
In some ways, this structure begs the question of definition because it is still left to the risk assessors to determine what ‘bad’ actually means, what the scenarios or occurrences are that can lead to something bad, and how to measure the severity of the results. The steps involved in defining and measuring risk include:
1. Defining ‘bad’ by identifying the objectives of an organisation and the resources that are threatened.
2. Identifying scenarios whose occurrence can threaten the resources of value.
3. Measure the severity or magnitude of impacts.
The severity or magnitude of consequences is measured by a value function that provides the common denominator. The severity can be measured in common units across all the dimensions of risk by translating the impact into a common unit of value. This can be a dimensionless unit such as the utility functions used in economics and decision analysis or some common economic term (Kolluru et al. 1996).
The issue here is selecting an appropriate metric for measuring impacts and then determining the form of the effects function. This form has to be capable of representing risk for diverse stakeholders and of expressing the impacts to health, safety and the environment as well as other assets.
One response, still surprisingly common, is to shy away from risk and hope for the best. Another is to apply expert judgement, experience and gut feel to the problem. In spite of this, substantial investments are decided on the basis of judgement alone, with little or nothing to back them up.

2.5 UNCERTAINTIES

Risk and uncertainty as distinguished by both Bussey (1978) and Merrett and Sykes (1973) were discussed earlier in this chapter. The authors Vernon (1981) and Diekmann et al. (1988), however, consider that the terms risk and uncertainty may be used interchangeably but have somewhat different meanings, where risk refers to statistically predictable occurrences and uncertainty to an unknown of generally unpredictable variability.
Lifson and Shaifer (1982) combine the two terms by defining risk as:
The uncertainty associated with estimates of outcomes.
Uncertainty is used to describe the situation when it is not possible to attach a probability to the likelihood of occurrence of an event. Uncertainty causes a rift between good decision and good outcome. The distinguishing factor between risk and uncertainty is that risk is taken to have quantifiable attributes, and a place in the calculus of probabilities, whereas uncertainty does not (Finkel 1990).
Hetland (2003) believes the following assertions clarify uncertainty:
• Risk is an implication of a phenomenon being uncertain.
• Implications of a phenomenon being uncertain may be wanted or unwanted.
• Uncertainties and their implications need to be understood to be managed properly.
Smith et al. (2006) suggest that risks fall in to three categories: known risks, known unknowns and unknown unknowns.
Known risks include minor variations in productivity and swings in materials costs and inevitably occur in construction and manufacturing projects. These are usually covered by contingency sums to cover for additional work or delay, often in the form of a percentage addition to the estimated cost.
Known unknowns are the risk events whose occurrence is predictable or foreseeable with either their probability of occurrence or likely effect known. A novel example of this is as follows. An automobile breaker’s yard in a borough of New York has the following sign on its gate.
These premises are protected by teams of Rottweiler and Doberman pinscher three nights a week. You guess the nights.
A potential felon can deduce from this sign that there is a 3/7 chance of being confronted by the dogs, and possibly being mauleds and a 4/7 chance of success. Therefore there is a better chance of not being caught than being caught, however, without any data regarding the respective nights – you guess the nights.
Unknown unknowns are those events whose probabilities of occurrence and effect are not foreseeable by even the most experienced practitioners. These are often considered as force majeure events. An example of unknown unknowns is common in the pharmaceuticals industry. In the first stage of a drug development process the side effects and their probabilities are unknown although it is known that all drugs have side effects.
Uncertainty is said to exist in situations where decision-makers lack complete knowledge, information or understanding concerning the proposed decision and its possible consequences. There are two types of uncertainties: uncertainty arising from a situation of pure chance, which is known as ‘aleatory uncertainty’; and uncertainty arising from a problem situation where the resolution will depend upon the exercise of judgement, which is known as ‘epistemic uncertainty’.
An example of aleatory risk is the discovery of the drug Viagra. Although this drug was initially being developed as a treatment for angina it was found during clinical trials that the drug had side effects which could help prevent sexual dysfunctional syndrome in males.
The situations of uncertainty often encountered during the earlier stages of a project are ‘epistemic’. The phenomenon of epistemic uncertainty can be brought about by a number of factors, such as:
• lack of clarity in structuring the problem
• inability to identify alternative solutions to the situation
• the amount and quality of the information available
• futuristic nature of decision making
• objectives to be satisfied within decision making
• level of confidence concerning the post-decision stage of implementation
• the amount of time available
• personal qualities of the decision-maker.
Many of the above factors have been encountered in private finance initiative (PFI) types of investments where risk assessments are required to consider events over long operation periods once a project has been commissioned, in some cases 25 years or more. Rowe (1977) distinguished uncertainty within the decision-making process as descriptive uncertainty and measurement uncertainty. Descriptive uncertainties represent an absence of information and this prevents the full identification of the variables that explicitly define a system. As a result, the decision-maker is unable to describe fully the degrees of freedom of a system, for example problem identification and structuring, solution identification, degree of clarity in the specification of objectives and constraints.
Measurement uncertainties also represent the absence of information; however, these relate to the specifications of the values to be assigned to each variable in a system. As a result the decision-maker is unable to measure or assign specific values to the variables comprising a system, for example the factors of information quality, the futurity of decisions, the likely effectiveness of implementation.
Table 2.1 Risk-uncertainty continuum (Adapted from Rafferty 1994)
RISK UNCERTAINTY
QuantifiableNon-quantifiable
Statistical AssessmentSubjective Probability
Hard DataInformed Opinion
The need to manage uncertainty is inherent in most projects which require formal project management. Chapman and Ward (1997) consider the following illustrative definition of such a project:
An endeavour in which human, material and financial resources are organised in a novel way, to undertake a unique scope of work of given specification, within constraints of cost and time, so as to achieve unitary, beneficial change, through the delivery of quantified and qualitative objectives.
This definition highlights the one-off, change-inducing nature of projects, the need to organise a variety of resources under significant constraints, and the central role of objectives in project definition. It also suggests inherent uncertainty which requires attention as part of an effective project management process.
The roots of this uncertainty are worth clarification. Careful attention to formal risk management processes is usually motivated by the large-scale use of new and untried technology while executing major projects, and other obvious sources of significant risk.
A broad definition of project risk is ‘the implications of the existence of significant uncertainty about the level of project performance achievable’ (Chapman and Ward 1997).
Uncertainty attached to a high-risk impact event represents a greater unknown than a quantified risk attached to the same event. Rafferty (1994) developed a ‘risk-uncertainty continuum’ as given in Table 2.1.

2.6 SOURCES OF RISK

There are many sources of risk that an organisation must take into account before a decision is made. It is therefore important that these sources of risk are available, thus allowing the necessary identification, analysis and response to take place. Many of the sources of risk summarised in Table 2.2 occur at different times over an investment. Risks may be specific to the corporate level, such as political, financial and legal risks. At the strategic business level, economic, natural and market risks may need to be assessed before a project is sanctioned. Project risks may be specific to a project, such as technical, health and safety, operational and quality risks. At the project level, however, the project manager should be confident that risks associated with corporate and strategic business functions are fully assessed and managed. In many business cases risks assessed initially at corporate and strategic business levels have to be reassessed as the project progresses, since the risks may affect the ongoing project.
Table 2.2 Typical sources of risk to business from projects (Merna and Smith 1996)
HeadingChange and uncertainty in or due to:
PoliticalGovernment policy, public opinion, change in ideology, dogma, legislation, disorder (war, terrorism, riots)
EnvironmentalContaminated land or pollution liability, nuisance (e.g., noise), permissions, public opinion, internal/corporate policy, environmental law or regulations or practice or ‘impact’ requirements
PlanningPermission requirements, policy and practice, land use, socio-economic impacts, public opinion
MarketDemand (forecasts), competition, obsolescence, customer satisfaction, fashion
EconomicTreasury policy, taxation, cost inflation, interest rates, exchange rates
FinancialBankruptcy, margins, insurance, risk share
NaturalUnforeseen ground conditions, weather, earthquake, fire or explosion, archaeological discovery
ProjectDefinition, procurement strategy, performance requirements, standards, leadership, organisation (maturity, commitment, competence and experience), planning and quality control, programme, labour and resources, communications and culture
TechnicalDesign adequacy, operational efficiency, reliability
RegulatoryChanges by regulator
HumanError, incompetence, ignorance, tiredness, communication ability, culture, work in the dark or at night
CriminalLack of security, vandalism, theft, fraud, corruption
SafetyRegulations (e.g., CDM, Health and Safety at Work), hazardous substances (COSSH), collisions, collapse, flooding, fire and explosion
LegalThose associated with changes in legislation, both in the UK and from EU directives
The above list is extensive but not complete
Reproduced by permission of A. Merna
A source of risk is any factor that can affect project or business performance, and risk arises when this effect is both uncertain and significant in its impact on project or business performance. It follows that the definition of project objectives and performance criteria has a fundamental influence on the level of project risk. Setting tight cost or time targets with insufficient resources makes a project more cost and time risky by definition, since achievement of targets is more uncertain if targets are ‘tight’. Conversely, setting slack time or quality requirements implies low time or quality risk.
However, inappropriate targets are themselves a source of risk, and the failure to acknowledge the need for a minimum level of performance against certain criteria automatically generates risk on those dimensions. If, for example, a corporate entity sets unachievable targets to an SBU then it is highly likely that the projects undertaken by the SBU will suffer owing to the risk associated with meeting such targets.
Morris and Hough (1987) argue for the importance of setting clear objectives and performance criteria which reflect the requirements of various parties, including stakeholders who are not always recognised as players (regulatory authorities, for example). The different project objectives held by interested parties and stakeholders and the interdependencies between different objectives need to be appreciated. Strategies for managing risk cannot be divorced from strategies for managing or accomplishing project objectives.
Whatever the underlying performance objectives, the focus on project success and uncertainty about achieving it leads to risk being defined in terms of a ‘threat to success’. If success for a project, and in turn the SBU, is measured solely in terms of realised cost relative to some target or commitment, then risk might be defined in terms of the threat to success posed by a given plan in terms of the size of possible cost overruns and their likelihood. This might be termed ‘threat intensity’ (Chapman and Ward 1997).
From this perspective it is a natural step to regard risk management as essentially about removing or reducing the possibility of underperformance. This is unfortunate, since it results in a very limited appreciation of project risk. Often it can be just as important to appreciate the positive side of uncertainty, which may present opportunities rather than threats.
On occasion opportunities may also be very important from the point of view of morale. High morale is as central to good risk management as it is to the management of teams in general. If a project team becomes immersed in nothing but threats, the ensuing doom and gloom can destroy the project. Systematic searches for opportunities, and a management willing to respond to opportunities identified by those working for them at all levels (which may have implications well beyond the remit of the discoverer), can provide the basis for systematic building of morale.
More generally, it is important to appreciate that project risk by its nature is a very complex beast with important behavioural implications. Simplistic definitions such as ‘risk is the probability of a downside risk event multiplied by its impact’ may have their value in special circumstances, but it is important to face the complexity of what project risk management is really about if real achievement is to be attained when attempting to manage that risk at any level in the organisation.

2.7 TYPICAL RISKS

2.7.1 Project Risks

The requirement is not only to manage the physical risks of the project, but also to make sure that other parties in the project manage their own risks. For example, the International Finance Corporation (IFC) division of the World Bank has a project team which travels round the locations in which the IFC has an interest and ensures not only that risks are controlled effectively, but that responsibilities are allocated and risks transferred by contract or insurance as appropriate. In this example the IFC would be similar to the corporate entity checking on its various projects undertaken by SBUs.
Risk and uncertainty are inherent to all projects and investors in projects or commercial assets are exposed to risks throughout the life of the project. The risk exposure of an engineering project, for example, is proportional to the magnitude of both the existing and the proposed investment. Generally, the post-sanction period up to the completion of construction is associated with rapid and intensive expenditure (cash burn) for the investor(s), usually under conditions of uncertainty, and consequently this stage of the process is particularly sensitive to risks. The subsequent operational phase is subject to risks associated with revenue generation and operational costs. Hence the two phases that are most susceptible to risk are:
1. the implementation stage (pre-completion) – relative to construction risks
2. the operational phase (post-completion) – relative to operational risks, the first few years of operation having the highest degree of susceptibility.
The most severe risks affecting projects are summarised by Thompson and Perry (1992) in project management terms as:
• failure to keep within cost estimate
• failure to achieve the required completion date
• failure to achieve the required quality and operational requirements.
Many project management practitioners suggest the following influence the risk associated with projects:
• project size
• technology maturity (the incorporation of novel methods, techniques, materials)
• project structural complexity.
In effect the larger the project the greater the risk. Increase in size usually means an increase in complexity, including the complexity of administration, management, communication amongst participants and so on; for example, inaccurate forecasts, late deliveries (supply chain), equipment break downs and the like.
Figure 2.3 illustrates the financial risk timeline. The maximum point of financial risk is when the project is near completion when debt service is at its highest. As the project moves through its life cycle and starts to generate regular revenues, the financial exposure is reduced considerably.
The risks which influence projects can also be categorised as global and elemental risks.
Figure 2.3 Financial risk timeline
006

2.7.2 Global Risks

Global risks originate from sources external to the project environment and although they are usually predictable their effect on the outcome may not always be controllable within the elements of the project. The four major global risks are political, legal, commercial and environmental risks (Merna and Smith 1996). These types of risk are often referred to as uncontrollable risks since the corporate entity cannot control such risks even though there is a high probability of occurrence. Normally these risks are dealt with at corporate level and often determine whether a project will be sanctioned.

2.7.3 Elemental Risks

Elemental risks originate from sources within the project environment and are usually controllable within the elements of the project. The four main elemental risks are construction/manufacture, operational, financial and revenue risks (Merna and Smith 1996). These types of risk are usually considered as controllable risks and are often related to the different phases of a project and mainly assessed at SBU and project levels.

2.7.4 Holistic Risk

Many organisations have developed risk management mechanisms to deal with the overt and insurable risks associated with projects. In most cases risk identification, analysis and response are seen to be the most important elements to satisfy clients and other project stakeholders.
There are, however, risks associated with intangible assets such as market share, reputation, value, technology, intellectual property (usually data, patents and copyrights), changes in strategy/methods, shareholder perception, company safety and quality of product. These are extremely important for organisations operating a portfolio of projects or business assets (Davies 2000).
Holistic risk management is the process by which an organisation firstly identifies and quantifies all of the threats to its objectives, and having done so manages those threats within, or by adapting, its existing management structure. Holistic risk management addresses many of the elements identified in the Turnbull Report (1999), and attempts to alleviate many of the concerns of shareholders.

2.7.5 Static Risk

This relates only to potential losses where people are concerned with minimising losses by risk aversion (Flanagan and Norman 1993). A typical example would be the risk of losing markets for a particular product or brand of goods by not risking the introduction of new products or goods onto the same market. Many established organisations have tried to mitigate this risk by entering into joint ventures with more dynamic companies, often from booming economies.

2.7.6 Dynamic Risk

This is concerned with maximising opportunities. Dynamic risk means that there will be potential gains as well as potential losses. For example, Marconi tried to gain by changing from a well-established market in the defence industry to new uncertain markets in the telecom industry. Dynamic risk is risking the loss of something certain for the gain of something uncertain. Every management decision has the element of dynamic risk governed only by the practical rules of risk taking. During a project, losses and gains resulting from risk can be plotted against each other and compared (Flanagan and Norman 1993).

2.7.7 Inherent Risk

The way in which risk is handled depends on the nature of the business and the way that business is organised internally. For example, energy companies are engaged in an inherently risky business – the threat of fire and explosion is always present, as is the risk of environmental impairment. Financial institutions on the other hand have an inherently lower risk of fire and explosion than an oil company, but they are exposed to different sorts of risk. However, the level of attention given to managing risk in an industry is as important as the actual risk inherent in the operations which necessarily must be performed in that industry activity. For example, until very recently repetitive strain injury (RSI) was not considered to be a problem, but it is now affecting employers’ liability insurance (International Journal of Project and Business Risk Management 1998).
Figure 2.4 The effective bid process
007

2.7.8 Contingent Risk

This occurs when an organisation is affected directly by an event in an area beyond its direct control but on which it has a dependency, such as weak suppliers (International Journal of Project and Business Risk Management 1998). Normally a percentage of the overall project value is put aside to cover costs of meeting such risks should they occur.
The problem with assigning a contingency sum arises when such a sum is assigned to every supplier, irrespective of whether supply is considered as a risk.
Figure 2.4 illustrates how organisations bidding for a tender simply apply a 10% risk contingency. However, organisations may lose out to competitors assessing supplier risk for each individual supplier. In the example above it is no surprise to find that Bid 4 won the tender.
Hussain (2005) proposes that all bids should be accompanied by a risk envelope so that clients can assess the risks identified by each bidder to determine potential additional costs or savings. The risk envelope is developed on the basis of:
• analysis of each risk based on its probability of occurring
• analysis of each risk for its impact on the project should it actually occur
• a priority rating of the overall importance of each risk
• a set of preventive actions to reduce the likelihood of the risks occurring
• a set of contingent actions to reduce the impact should the risk eventuate.
The risk envelope can be used by clients to identify worst case scenarios and help in realising a realistic budget. The cost of managing each risk identified by bidders can be compared by the client in a similar way to that for other items identified in the bid such as the cost of concrete, falsework, excavation and the like. Hussain (2005) suggests that the risk envelope should form an essential part of the bid award process.

2.7.9 Customer Risk

Dependency on one client creates vulnerability because that client can take its business away, or be taken over by a rival. The risk can be managed by creating a larger customer base (International Journal of Project and Business Risk Management 1998).

2.7.10 Fiscal/Regulatory Risk

Only by keeping abreast of potential changes in the environment can a business expect to manage these risks. Recent examples in the UK include awards to women for discrimination in the armed forces, RSI and windfall profits tax in exceptional years (International Journal of Project Business Risk Management 1998). In October 2001, Railtrack Plc, a company listed on the London Stock Exchange, was put into administration by the UK Transport Secretary without any consultation with its lenders or shareholders. Shareholders taking the usual risks of rises and falls in stock market value were quickly made aware of this risk.

2.7.11 Purchasing Risk

Purchasing risk is a vital part of modern commercial reality but recently the subject has gained prominence in the work of leading academics and management theoreticians. Many businesses are designing and implementing new performance measurement systems and finding a particular challenge in developing measures for some key elements of purchasing contribution which are now regarded as strategic but which have not been historically analysed and measured in any serious way. The area of commercial risk is a prominent example of such a challenge. In the past, effective risk management has been cited as one of the key contributions that effective purchasing can make to a business, but its treatment has been largely a negative one; the emphasis has been on ensuring minimum standards from suppliers to ensure a contract would not be frustrated. The issues now being addressed by leading-edge practitioners in the risk area are much broader and are perhaps more correctly identified using terminology such as management of uncertainty (International Journal of Project Business Risk Management 1998).

2.7.12 Reputation/Damage Risk

This is not a risk in its own right but rather the consequence of another risk, such as fraud, a building destroyed, failure to attend to complaints, lack of respect for others. It is the absence of control which causes much of the damage rather than the event itself. In a post-disaster situation a company can come out positively if the media are well handled (International Journal of Project Business Risk Management 1998).

2.7.13 Organisational Risk

A poor infrastructure can result in weak controls and poor communications with a variety of impacts on the business. Good commu-nication links will lead to effective risk management. This can only be performed if members of teams and departments are fully aware of their responsibilities and reporting hierarchy, especially between different organisational levels.

2.7.14 Interpretation Risk

This occurs where management and staff in the same organisation cannot communicate effectively because of their own professional language (jargon). Engineers, academics, chemists and bankers all have their own terms, and insurers are probably the worst culprits, using words with common meanings but in a specialised way. Even the same words in the same profession can have different meanings in the UK and the USA.

2.7.15 IT Risk

The IT industry is one of the fastest growing industries at present. Huge amounts of money continue to be invested in the IT industry. Owing to pressures to maintain a competitive edge in a dynamic environment, an organisation’s success depends on effectively developing and adopting IT. IT projects, however, still suffer high failure rates (Ellis et al. 2002).
IS (information software) development is a key factor which must be considered. Smith (1999) identifies a number of software risks. These include personal shortfalls, unachievable schedules and budget, developing the wrong functions, wrong user interface, a continuing stream of changes in requirements, shortfalls in externally furnished components, shortfalls in externally performed tasks, performance shortfalls and strained technical capabilities. In addition, Jiang and Klein (2001) cite the dimension of project risk based on project size, experience in the technology, technical application and complexity.
Software risks which are regularly identified include:
• project size
• unclear misunderstood objectives
• lack of senior management commitment
• failure to gain user involvement
• unrealistic schedule
• inadequate knowledge/skills
• misunderstood requirements
• wrong software functions
• software introduction
• failure to manage end user expectation.

2.7.16 The OPEC Risk

OPEC was founded at the Baghdad Conference on September 1960, by Iran, Iraq, Kuwait, Saudi Arabia and Venezuela. The five founding members were later joined by nine other members: Qatar, Indonesia, Socialist Peoples Libyan Arab Jamahiriya, United Arab Emirates, Algeria, Nigeria, Ecuador, Gabon and Angola. OPEC’s member countries hold about two-thirds of the world’s oil reserves. In 2005, OPEC accounted for c. 41.75% of the world’s oil production, compared with 23.8% by Organisation for Economic Co-operation and Development (OECD) members and 14.8% by the former Soviet Union. OPEC member countries have, on a number of occasions, tried to adjust their crude oil supplies to improve the balance between supply and demand. OPEC’s mission is to coordinate and unify the petroleum policies of member countries and ensure stabilisation of oil prices. OPEC has, however, had mixed success at controlling prices.
OPEC first sent shock waves throughout the world economy in 1973 by announcing a 70% rise in oil prices and by cutting production. The effects were immediate, resulting in fuel shortages and high inflation in many parts of the world. This brief example illustrates that risks associated with the oil price cannot be dismissed at any time when assessing the economic viability of an investment (Merna and Njiru 2002).
From 1982 to 1985 OPEC attempted to set production quotas low enough to stabilise prices. These attempts met with repeated failures as various members of OPEC produced beyond their quotas. During most of this period Saudi Arabia acted as the swing producer cutting its production to stem free falling prices. In August of 1985, the Saudis tired of this role. They linked their prices to the spot market for crude and by early 1986 increased production from 2 million barrels per day (MMBPD) to 5 MMBPD. Crude oil prices plummeted below $10 per barrel by mid-1986.
During the Gulf War, the United Nations announced a trade embargo against Iraq. The squeeze on the market strengthened OPEC’s position. In 1997, OPEC raised production by 10% without taking account of the Asian crisis. As a result, prices fell by 40%, to $10 per barrel. OPEC reacted to the global economic crisis, which had caused the price of oil to fall below $20 per barrel, by reducing production for six months in the hope of forcing it up in 2002. Increasing oil demand in the US, China and India sent the price soaring to a historic high of more than $50 per barrel. It reached $70 in April 2006.
At the time of writing this book, oil prices have risen to approximately $93 per barrel (Brent Crude), a consequence not only of the current situation in the Middle East, but of uncertainty in other oil-producing countries. Although ‘buying forward’ is a common response to this risk, the large fluctuations in oil price make this technique a very risky option.
Other commodities such as steel, aluminium, timber and cement, common materials used in the construction industry, have also increased in cost as a result of greater demand by booming economies. Many construction companies are now ‘buying forward’ such materials to mitigate the risk associated with price and availability.

2.7.17 Process Risk

This arises from the project management process itself. Process risks arise when the fundamental requirements for running a project are established. The management and decision-making process for operating the project, including the communication methods and documentation standards to be adopted, will also be areas of risk.
The early stages of concept and planning are when project objectives are at their most flexible. The formation of a project’s scope and the iterations of its requirements through feasibility studies provide the greatest opportunity for managing risks. This is the case because the early stages of a project have the option of ‘maybe’ alternatives through to the ‘go/no go’ decision, an option which is less available after a contract has been signed. When risks arise at a later stage in the project life cycle, the impact may generally be greater.
It is also important to note that there is an inherent risk in moving through the project life cycle, for example moving on to the design and planning phase before the basic concept has generally been evaluated.
Chapman and Ward (1997) believe that a thorough risk analysis should be part of the project process. For example, a review at the design stage may initiate consideration of the implications for the design further in the project life cycle. A change in design may reduce the risks associated with the manufacturing process/phase. Similarly decisions made at the corporate level may have implications at SBU and project levels.

2.7.18 Heuristics

Regardless of the industry, type of organisation or style of management, the control of risks associated with human factors will affect project and portfolio success. The human contribution to project success, or failure, encompasses the actions of all those involved in the planning, design and implementation of a project. Obviously there is potential for human failure at each stage of the project life cycle. Managing the risks associated with human failure remains a challenge for successful project management.
There has been a considerable amount of work done in the area of heuristics to identify the unconscious rules used when making a decision under conditions of uncertainty. Hillson (1998) argues that if risk management is to retain its credibility, this aspect must be addressed and made a routine part of the risk management process. A reliable means of measuring risk attitudes needs to be developed, which can be administered routinely as part of a risk assessment in order to identify potential bias among participants.
A number of studies have been undertaken to identify the benefits which can be expected by those implementing a structured approach to risk management (Newland 1997). These include both ‘hard’ and ‘soft’ benefits. Hard benefits include:
• better formed and achievable project plans, schedules and budgets
• increased likelihood of the project meeting targets
• proper risk allocation
• better allocation of contingency to reflect the risk
• ability to avoid taking on unsound projects
• identification of the best risk owner.
Soft benefits include:
• improved communication
• development of common understanding of project objectives
• enhancement of team spirit
• focus of management attention on genuine threats
• facilitation of appropriate risk taking
• demonstrated professional approach towards customers.

2.7.19 Decommissioning Risk

The purpose of decommissioning is often to return a former operational plant back to brown- or greenfield site status. Over the course of operations, many industries (mining, quarrying, chemical industries, nuclear) have to plan for the end of lifetime costs for their plants, whether dismantling or reconditioning the sites. These characteristics of the project have financial consequences in regard to cost estimating and financing, for which there does not exist one single answer to date, and thus by definition creates risk. In today’s economic climate it is essential that these risks are taken into account before a project is sanctioned.

2.7.20 Institutional Risks

The term ‘institutional’ is used to summarise risks caused by organisational structure and behaviour. These risks occur in organisations and state bodies and affect projects both large and small (Kahkonen and Artto 1997). Typically dogma, beauracracy, culture and poor practice can lead to increased risks, usually pure risks.

2.7.21 Subjective Risk and Acceptable Risk

The extent to which a person feels threatened by a particular risk, regardless of the probability of the risk occurring, is subjective risk. Subjective risk may, amongst other things, be affected by an individual’s personal level of risk aversion or risk preference. The severity of the consequences of the individual should the risk occur, the psychological factors and familiarity of the risk will all contribute to subjective risk.
Acceptable risk is the amount of subjective risk an individual or organisation is prepared to accept. In most cases acceptable risk is treated by organisations in such a way that should it occur the existence of the organisation is not threatened.

2.7.22 Pure Risks and Speculative Risks

Pure risks are those risks which only offer the probability of loss and not profit. Pure risks only present the possibility of undesirable consequences. The majority of pure risks, but not all pure risks, can be insured against.
In contrast to pure risks, speculative risks produce either a profit or a loss and can be expected to offer either favourable or unfavourable consequences. Business risks which are voluntarily and deliberately undertaken fall into the category of speculative risks.

2.7.23 Fundamental Risks and Particular Risks

Fundamental risks are risks such as natural disasters that affect whole or significant proportions of society which organisations and individuals have little or no control over. Management of these risks often only permits reducing the effects of such risks.
Particular risks are those risks that can be controlled in order to make a wider range of risk management options available, as they are particular to an organisation or individual.

2.7.24 Iatrogenic Risks

These are actions taken that may themselves generate further risks. An example would be increasing car security systems for unoccupied cars which may result in car jacking as a consequence of mitigating the risk of theft. Basically the consequences of managing a risk can lead to further risks that may have a greater impact than the initial risk.

2.7.25 Destructive Technology Risk

The authors define destructive technology as the possibility of new advanced technology completely taking over the old technology, which would make the old technology become prematurely obsolete. There are now more ‘destructive technologies’ around than at anytime in the past 10 years, especially in industries associated with IT and electronic development. The authors believe that destructive technologies present great threats to established businesses but can also create rewarding new opportunities.

2.7.26 Perceived and Virtual Risks

1. Perceived through science: cholera, for example, needs a microscope to see it and scientific training to understand it.
2. Perceived directly: climbing a tree, riding a bike or driving a car are all risks apparent by the actions and consequences.
3. Virtual risk: these are risks scientists do not fully understand or cannot agree on their impact. Examples include BSE vs CJD, global warming, low level radiation, pesticide residues, HRT, mobile phones, passive smoking, and eye laser treatment. These can be products of the imagination upon the imagination.

2.7.27 Force Majeure

A contract may provide liability to be excluded for any disruption to business continuity because something abnormal and unforeseeable by the parties to the contract is beyond their control. This is known as force majeure.
Force majeure (French for greater force) is a common clause in contracts which essentially frees one or both parties from liability or obligation when an extraordinary event or circumstance beyond the control of the parties such as war, strike, riot, act of God (flood, earthquake, volcano) prevents one or both parties from fulfilling their obligations under the contract. However, force majeure is not intended to excuse negligence or other malfeasance of a party of external forces such as predicted rain stops in an outdoor event or where the intervening circumstances are specifically contemplated.
Time critical and other sensitive contracts may be drafted to limit the shield of this clause where a party does not take reasonable steps (or specific precautions) to prevent or limit the effects of the outside interference, either when they become likely or when they actually occur.
Force majeure may also work to excuse all or part of the obligations of one or both parties. For example, a strike may prevent the delivery of goods, but not timely payment for the portion delivered. Similarly a widespread power outage would not be a force majeure excuse if the contract requires the provision of backup power or other contingency plans for continuity.
The importance of the force majeure clause in a contract, particularly one of any length of time, cannot be understated as it relieves a party from an obligation under the contract (or suspends that obligation). What is permitted to be a force majeure event or circumstance can be a source of much controversy in the negotiation of a contract and a party should generally resist any attempt by the other party to include something that should fundamentally be at the risk of that other party. For example, in a coal supply agreement, the mining company may seek to have ‘geological risk’ included as a force majeure event; however, the mining company should be doing extensive exploration and analysis of its geological reserves and should not even be negotiating a coal supply agreement if it cannot take the risk that there may be a geological limit to its coal supply from time to time. The outcome of that negotiation, of course, depends on the relative bargaining power of the parties and there will be cases where force majeure clauses can be used by a party effectively to escape liability for bad performance.
It should be noted that under international law force majeure refers to an irresistible force or unseen event beyond the control of a state making it materially impossible to fulfil an international obligation.

2.7.27.1 Typical Force Majeure Clause

No party shall be liable for any failure to perform its obligations where such failure is as a result of acts of nature (including flood, fire, earthquake, storm, hurricane or other natural disaster), war, invasion, act of foreign enemies, hostilities (whether war is declared or not), civil war, rebellion, revolution, insurrection, military or usurped power or confiscation, terrorist activities, nationalisation, government sanction, blockage, embargo, labour dispute, strike, lockout or interruption or failure of electricity or telephone service and no other party will have the right to terminate this agreement under a certain termination clause.
Any party asserting force majeure as an excuse shall have the burden of proving that reasonable steps were taken (under the circumstances) to minimise delay or damages caused by foreseeable events, that nonexcused obligations were substantially fulfilled and that the other party was timely notified of the likelihood or actual occurrence which would justify such an assertion, so that other prudent precautions could be contemplated.

2.7.27.2 Events of Force Majeure

Events of force majeure shall mean and be limited to the circumstances set forth in Contract article relating to events of force majeure but only if and to the extent that:
1. such circumstance is not within the reasonable control of the party affected
2. such circumstance despite the exercise of reasonable diligence cannot be prevented, avoided or removed by such party
3. such event materially adversely affects the contractor to construct or operate the facility
4. the contractor has taken all reasonable precautions in order to avoid the effect of such event on the contractor’s ability to construct or operate the facility
5. such event is not the direct or indirect result of failure by the contractor to perform any of his obligations under any of the project documents, and
6. such party has given the other party prompt notice describing such event, the effect thereof and the actions being taken in order to comply with this paragraph.

2.7.27.3 Instances of Force Majeure

Subject to the provisions of contract article relating to events of force majeure shall mean the following:
1. acts of war or the public enemy whether war be declared or not
2. public disorders, insurrections, rebellion, sabotage, riots, violent demonstrations or vandalism
3. explosions, fires, earthquakes, avalanche or other natural calamities
4. strikes, lockouts, or other industrial action of workers or employees
5. ionising radiations or contamination by radio activity from any nuclear fuel or nuclear waste
6. any order, legislation, enactment, judgement, ruling or decision made or taken by Government or judicial authority
7. unforeseeable unfavourable climatic or unforeseeable unsuitable ground conditions or sub-surfaces or latent physical conditions at the site which differ materially from those indicated in the Site Investigation Report or previously unknown physical conditions at the site of an unusual nature which differ materially for those ordinarily encountered and generally recognised as inherent in work of the character provided for in an agreement
8. delays in obtaining Governmental authorisations
9. any other event which is not within reasonable control of the party affected.

2.8 PERCEPTIONS OF RISK

According to MacCrimmon and Wehrung (1986), different people will respond to seemingly similar risky situations in very different ways. Furthermore they state that there is no reason to believe that a person who takes risks in one specific situation will necessarily take risks in all situations: a trapeze performer (characterised as a risk taker) might not be cautious in financial matters, whereas a commodity broker (also characterised as a risk taker) might not be physically cautious. Although there is no standard way to assess a person’s willingness to take risks, the general classification of managers into categories such as risk taking, risk neutral and risk averse can often be made.
Empirical evidence concerning individual risk response is often ignored in the risk analysis process. Experience, subjectivity and the way risk is framed all play a major role in decision making (Tversky and Kahneman 1974, Sitkin and Pablo 1992). Risk perception has a crucial influence on risk-taking behaviour. The perceived importance attached to decisions influences team behaviour and the consequent implementation methods (Sitkin and Pablo 1992). The level of perceived importance will also influence individual or group behaviour and link to the consequences of such behaviour (Ziegler et al. 1996).
Subjectivity is a key factor in assessing risk. Whether a problem is perceived in terms of potential gains or losses will not be assessed as a simple mathematical calculation of the problem, but as a subjective fear, often linked to the consequences of outcomes. There might be a tendency to overestimate ‘fabulous’ risk and to confuse probability with consequence; therefore there might be a temptation to focus on lowprobability events or situations which would have a high impact if they were to occur, rather than high-probability risks with a much lower potential for consequential loss. There is also considerable variance in the estimation of risk, so the same set of circumstances might be evaluated differently by individuals. Basically, people are poor assessors of risk. Evidence suggests that individuals do not understand, trust or accurately interpret probability estimates (Slovic 1967, Fischhoff et al. 1983, March and Shapira 1987).
Risks are perceived by different stakeholders at different business levels. For example, the corporate level may concern itself with risks associated with political, legal, regulatory, reputation and financial factors affecting both the corporation and SBUs. These risks are usually assessed using qualitative methods. Enron, an American energy corporation, and Allied Irish Bank (AIB) have recently had their reputations damaged as a result of fraudulent activities within their organisations. SBUs may consider the above risks in greater detail in respect to their own businesses and consider risks associated with the business, projects, environment, market, safety and planning. At the project level a more detailed risk assessment, often quantitative, will concern the particular project. These risks may include the programme, planning, construction, manufacturing, production, quality, operation and maintenance, technical and specific risks associated with a project.

2.9 STAKEHOLDERS IN AN INVESTMENT

All investments have stakeholders, whether internal or external to an investment. It is important that all stakeholders are aware of the potential risks that could occur over an investment’s life. Shareholders, for example, who provide funds in the form of equity should be made aware of the risks a corporation is taking on their behalf.
Although shareholders assume risk by ‘default’ they either retain or sell their shares. However, should a corporate entity make a decision regarding a particular investment, unknown to shareholders, this could result in a dramatic fall in the value of their shares.
Johnson and Scholes (1999) define stakeholders as:
Those individuals or groups who depend on the organisation to fulfil their own goals and on whom, in turn, the organisation depends.
It is therefore important to include external stakeholders who often have an adverse impact on a project, for example environmentalist groups and conservationists.
Mills and Turner (1995) suggest political, economic, social and technological (PEST) analysis to investigate stakeholders’ position in a project. This approach focuses on analysing each stakeholder’s influence on the political, economic, social and technological aspects of the project. The correct position of each stakeholder can be inferred from the stakeholder’s specific roles at corporate, business and project levels proportionally.
Table 2.3 Internal and external stakeholders (Adapted from Winch 2002)
008
Winch (2002) states that it is useful to categorise the different types of stakeholders in order to aid the analysis, and hence managements of the problem. A first-order classification places them in two categories -internal stakeholders which are in legal contract with the client, and external stakeholders which also have a direct interest in the project. Internal stakeholders can be broken down into those clustered around the client on the demand side, and those on the supply side. External stakeholders can be broken down into private and public sectors. This categorisation, with some examples, is shown in Table 2.3.
It is important that managers focus on those individuals or groups who are interested and able actually to prevent them delivering a successful outcome for the project. This reflects the fact that the vested interest of stakeholders may not always be a positive one.

2.9.1 Stakeholder Identification

At the individual level, identification of the people or groups who influence an investment or project process or its outcome is crucial. It begins the process of eliciting information about the potential contribution to the business risks during and beyond the investment’s life cycle and is the first step in dealing with human factors in risk management. Key information will be gained concerning stakeholders’ abilities, perceptions, values and motivation. However, even in today’s risk business environment project managers are only aware of a minority of stakeholders within a project and dismiss many of those which are external as unimportant and beyond their control. Therefore, many ‘contributors’ to the project and the risks they import may not be covered by the risk analysis process.

2.9.2 Stakeholder Perspectives

The stakeholders’ perspectives are of particular importance to risk management as they concern the way each stakeholder ‘sees’ and interprets, for example, the project, its objectives, other stakeholders, potential gains and losses, and the relationship with the investment or project. Diverse perspectives and perceptions of the stakeholders concerning their tasks, roles and objectives have been recognised as important factors in risk (Sawacha and Langford 1984, Pidgion et al. 1992, Pinkley and Northcroft 1994).
Establishing stakeholders’ perspectives or mental models concerning the business or project will identify, amongst other risks, potential areas of conflict, varying approaches to roles and responsibilities, and widely differing attitudes to risk and risk management. Identifying stakeholders’ perspectives enables the development of appropriate intervention strategies to reduce risk and uncertainty through project risk management.

2.9.3 Stakeholder Perceptions

How risk is defined determines the response of an individual stakeholder to risk. Risk is often conceptualised as a hazard, a breakdown, or a failure to deliver to time and budget, rather than in wider terms of uncertainty about precise outcomes of planned actions and project processes (March and Shapira 1992). As with other stakeholders, what managers consider as risk depends, amongst other factors, on their perceptions, which may be based on flawed notions of control. Many key risk elements may be excluded from the risk management plan if they are not viewed as risks but as routine tasks for management. Areas of ambiguity cause psychological discomfort for project managers and encourage them to avoid in-depth exploration of the problem, preferring instead to focus on more tangible areas of management tasks. Cultural factors also contribute to misconceptions and misunderstanding (Hugenholtz 1992). Individual stakeholder perspectives can be regarded as ‘lenses’ through which issues are assessed (Pinkley and Northcroft 1994). Perceptions of stakeholders are largely social and subjective processes, which cannot be easily reduced to elements of mathematical models of risk (Pidgion et al. 1992). The stress placed on quantification processes, such as quantitative risk analysis, often fails to prompt a manager to take account of other areas that are more difficult or impossible to quantify. Thus a large element of potential risk is excluded and may even go unrecognised.

2.10 SUMMARY

Risk is an unavoidable feature of human existence and over time humans have developed procedures for survival in a constantly changing environment. The same philosophy is seen to form modern risk management practices.
One of the reasons for the development of risk management has been the failure of projects to meet their budgets, completion dates, quality and performance or generate sufficient revenues to service the principal and interest payments. The lessons to be learned from each failed project serve as a useful introduction to the need for better performance in risk management.
Clearly all risks need to be assessed at all levels. Corporate risks can affect the corporation in terms of reputation or the ability to raise finance, SBUs need to consider the risks associated with a portfolio of projects. The project manager should be confident about managing the risks associated with a project and that those risks outside his or her remit have been assessed at corporate and SBU levels. Management at all levels should be aware that risk can provide benefits and should not be considered purely on a negative basis.
This chapter has described the concept of risk and uncertainty, and their sources, the origin of risk and the dimensions of risk. Different types of risk have been outlined and different perceptions of risk discussed. Stakeholders involved in projects or investments were also discussed.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.144.254.245