CHAPTER 10

Risk Management

Introduction

This chapter provides an overview of risk management, which was identified by the PCIM project control methodology research as the second most common factor that can inhibit effective cost and time control. Risk management is an inseparable and integral part of project management and critical for driving a project successfully. In fact, one of the benefits of applying project controls to a project is to unearth emerging risks to the cost and time performance of projects for corrective actions to be taken as appropriate. Risk management is also important for project control because during project delivery, risk analysis can be used to give probabilistic forecasts that provide levels of confidence in meeting the budget and schedule objectives using past project performance, which takes account of future risks and uncertainties in relation to the project.

Project Risks and Categorization of Risks

Risk is an uncertain event or set of circumstances that, should it occur, will influence the achievement of the project’s objectives. It is the combination of the probability of an event and its consequence. Risks can be categorized according to their visibility or their origin.

Categorization of project risks based on their visibility

Known risks: These are risks that are an everyday feature of a situation.

Known unknowns: These are risks that can be predicted or foreseen and anticipated.

Unknown unknowns: These are risks that are due to events whose cause and effect cannot be predicted or that emerge over time.

Categorization of project risks based on their origin

Global risks or external risks: These are usually outside the control of the project parties and generally stem from the macroenvironment, for example, currency exchange, material cost inflation, economic downturn, health pandemic, and so on.

Elemental risks or internal risks: These are risks associated with the key elements of a project; they are often specific to the project, for example, design failure, delay, scope creep, and so on.

Need for Systematic Approach to Risk Management

Risk management is the identification of future probable events, analysis of the events to determine probability of occurrence and their potential impact on project, and developing strategies for managing the risks. Effective risk management requires a systematic approach of (1) risk classification, (2) risk identification, (3) risk analysis, and (4) risk response. Figure 10.1 presents the systematic approach to risk management that should be adopted for projects.

Risk Classification

It is important to decide on a risk classification system appropriate for the project at the outset. This will be used to group the risks and help clarify the relationships among the risks. It helps kickstart the risk management process and bring some order into the mostly qualitative starting point. Different classification systems can be used, but mostly macrolevel classifications are employed. Some of the classification systems utilized are discussed below.

PEST or PESTLE: This acronym stems from the classification of project risks in relation to their origin using the following macroenvironmental view: political risks, economic risks, social risks, technological risk, legal and contractual risks, and environmental issues that may affect the project.


Figure 10.1 Systematic approach to risk management

SPORT: This approach is similar to the PEST classification discussed previously and classifies risk according to macrolevel issues such as social risks, political risks, organizational risks, regulatory risks, and technological risks.

Disciplinary or organizational function approach: This classification approach uses the discipline or organizational function that the risks relate to. This is the most common classification system adopted for many projects. Examples of the classification include health and safety risks, commercial risks, finance risks, information technology (IT) risks, and so on. Figure 10.2 shows an example of this.

Predetermined approach by the organization: Many organizations have devised their own risk classification system based on their management structure, functions, and culture. This would have usually emerged over time within the organizations and might have been devised by the finance department. The predetermined classification system may consist of one of the aforementioned approaches or a combination of at least two of them.


Figure 10.2 Disciplinary or organizational function project risk classification approach

Risk Identification

Risk identification is the process of unearthing and documenting the risks and threats to the successful delivery of a project in a comprehensive, practical, and structured manner. The aim of risk identification is to identify the maximum possible risks at the initial stage of a project. In essence, risk identification should involve the compilation of a list of risks that is comprehensive and as complete as possible. There are different methods, tools, and techniques that can be used, for example, documentation reviews, brainstorming, Delphi technique (see Chapter 6 for more information on the Delphi technique), interviewing, and so on. It is not usually possible to uncover all the risks specific to the project at the initial stage because of the progressive elaboration characteristic of projects. The progressive elaboration concept of projects is that you know less about the project at the early stages, such as the initiation and planning stages, than at the later stages of the project when you have more information. In essence, you gain more information and knowledge about projects as you progress through a project’s life cycle. There is no single best method for risk identification; however, a combination and usage of several risk identification tools can be effective.

Describing Risks Correctly

In practice, it is very common for risks to be described vaguely or incompletely, for example, “specialist vending equipment may be delivered late.” This description is incomplete as it does not provide a good picture of the risk. Irrespective of the identification techniques used, it is essential to describe risks clearly based on the cause-and-effect relationship as depicted in Figure 10.3 and explained below.

Cause: Description of the source of the risk, that is, the situation that gives rise to the risk. These are usually called risk drivers.

Risk: Description of the area of uncertainty.

Effect: Description of the impact(s) that the risk would have on the project objectives should the risk materialize.

Using the example provided above, the risk should be correctly described as below.

Correct description: Due to the Covid-19 pandemic in China (cause), there is a risk that the specialist venting system ordered from the country will now not be delivered on time (risk), which would delay the completion of the mechanical and electrical (M&E) work package (effect).

The Risk Register

The risks are recorded in a risk register maintained in a project. This could be on a spreadsheet or in a proprietary risk management software package. The risk register provides a comprehensive description of the risks that may exist in the project. The risk register should provide the following information: risk identifier, description of the causes and the impact (cost and time), probability of impacts, timing of likely impacts, responses and mitigation plans, and effect, ownership of the management of the risk, and so on. There are different ways of developing a risk register, but a consistent approach should be adopted during a project.


Figure 10.3 How to correctly describe risks

Risk Analysis

This is the process of digging deeper into the identified risks to understand them so that effective decisions can be made in relation to how they are managed. It is a prerequisite for effective risk management. Risk analysis can be carried out either qualitatively or quantitatively and this facilitates the ranking and prioritization of the identified risks, hence helping managers decide where actions are most needed (better allocation of resources). The assessment of risks, in general, can be categorized as qualitative risk analysis and quantitative risk analysis.

Qualitative Risk Analysis

This involves determining what impact the identified risks will have on the project objectives and the probability that they will occur. It also involves ranking the risks in priority order according to their effect on the project objectives. It helps determine if quantitative risk analysis should be performed or if it is possible to develop risk response plans straight away. The most common form of qualitative risk analysis is the probability/severity matrix also called a risk matrix. It is a qualitative method of analyzing risks that assesses and scores in simple numerical terms the likelihood that a risk event will occur, and the potential severity of the impact that the risk event will have. The qualitative assessment provides a rating scale by significant levels, for example, “high,” “moderate,” and “low” of the consequences and the probability of risks. This is usually depicted visually using a matrix as shown in Figure 10.4.


Figure 10.4 Qualitative risk analysis: Impact and likelihood

Quantitative Risk Analysis Techniques

This is a more rigorous risk analysis process and involves a numerical analysis of the overall effect of risks on the project objectives such as cost and schedule objectives. It is focused on assigning quantifiable quantities to the identified risks of a project and carrying out robust numeric analysis to examine the viability of a project’s cost or time objectives because of risks posed to them. It enables a more detailed understanding of (1) the probability of meeting the project’s objective, given all known risks, (2) how much the overrun or delay to a project could be, and therefore how much contingency is required to achieve the company’s desired level of cost and time certainty, and (3) the areas of the project that pose the most risk because of the project’s profile and financial quantum of all the identified risks on a project. Quantitative risk analysis provides a more detailed understanding of the risks facing a project including various probability levels and helps to decide on the contingency sum required for the project. There are several quantitative risk analysis techniques that can be utilized for projects. These are described below.

Sensitivity Analysis

Sensitivity analysis is a form of risk analysis that can help determine the effect of a risk on the whole project when a risk variable changes. It is a practical method of investigating risks on a project by varying the values of key factors and measuring the outcome, thereby highlighting the key factors that may affect the project outturn, should they be varied. Due to this, the sensitivity analysis is on occasion called a “what-if” analysis. It highlights the key factors that could have a significant impact on the overall project should they change. In practice, a sensitivity analysis should be performed for all identified risks to establish which have potentially the highest impact on the project outcome.

Decision Tree

Decision trees are a pictorial method of showing a sequence of interrelated decisions highlighting possible courses of action and future possible outcomes (see Figure 10.5). It is a quantitative method of modeling options for delivering an investment project that shows the possible effects of each project decision given the prevailing risks associated with the outcome of each option. The aim of the decision tree is to produce an expected value (EV) for each option in the decision-making process.

The EV is calculated as follows:

Draw a decision tree with the possible options and their consequences. Start drawing using nodes and branches with nodes representing an option and branches representing alternative outcomes.


Figure 10.5 Decision tree

Assign each outcome a probability of occurrence allowing for all the outcomes of the options in contention for delivering the investment project to be explored to support the best course of action.

Determine the risks and allocate payoffs for each possible outcome.

Calculate the expected monetary value for every chance node by multiplying the allocated payoff with the assigned probability in order to determine which option(s) is expected to provide the most value.
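The steps above, carried through as an added example (not from the book): a decision tree is rolled back from its outcomes to the root, summing probability × payoff at each chance node and taking the best option at each decision node. The two options, their probabilities, payoffs, and all function names are constructed for illustration.

```python
# Constructed tree: two delivery options for an investment project (GBP payoffs).
TREE = {
    "type": "decision",
    "options": {
        "Option A": {
            "type": "chance",
            "branches": [
                (0.5, {"type": "outcome", "payoff": 600_000}),
                # If things go badly, a second decision follows.
                (0.5, {"type": "decision", "options": {
                    "Rework": {"type": "outcome", "payoff": -100_000},
                    "Abandon": {"type": "outcome", "payoff": -250_000},
                }}),
            ],
        },
        "Option B": {
            "type": "chance",
            "branches": [
                (0.75, {"type": "outcome", "payoff": 400_000}),
                (0.25, {"type": "outcome", "payoff": 40_000}),
            ],
        },
    },
}


def expected_value(node):
    """Roll the tree back from the outcomes to this node."""
    kind = node["type"]
    if kind == "outcome":
        return node["payoff"]
    if kind == "chance":
        branches = node["branches"]
        # The outcomes of a chance node must cover every possibility.
        if abs(sum(p for p, _ in branches) - 1.0) > 1e-9:
            raise ValueError("branch probabilities must sum to 1")
        return sum(p * expected_value(child) for p, child in branches)
    if kind == "decision":
        # A rational decision maker takes the option with the highest EV.
        return max(expected_value(opt) for opt in node["options"].values())
    raise ValueError(f"unknown node type: {kind}")


def best_option(decision):
    """Return (name of best option, EV of every option) for a decision node."""
    evs = {name: expected_value(opt)
           for name, opt in decision["options"].items()}
    return max(evs, key=evs.get), evs


if __name__ == "__main__":
    choice, evs = best_option(TREE)
    for name, ev in evs.items():
        print(f"{name}: EV = £{ev:,.0f}")
    print("Best option:", choice)
```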

Costing Risk: Expected Monetary Value

Risks usually impact a project and this impact usually has a cost implication. In order to plan for the impact of risks and set a realistic budget to deliver a project, it is important to cost risks. Costing of risk is the most basic quantitative method for calculating a risk allowance in a project. The process of costing risk is like the process of calculating the expected value in the decision tree quantitative risk analysis approach. There are two approaches: the simple costing method and the three-point estimating or probabilistic method.

Simple Costing Method

Assign a likely cost to all the risks in the risk register along with a, usually subjective, probability of occurrence. Then multiply the cost by the probability to give an expected value as shown in Table 10.1.

Total the expected value for each risk to get an overall risk allowance.

Expected value = probability × cost impact.

For example, the delay to completion risk has a 15 percent chance of occurring and may cost £400,000.

Therefore, the expected value of the risk is 0.15 × £400,000 = £60,000.

Table 10.1 Example of expected monetary value

| Risk | Cost impact | Probability (%) | EMV |
| --- | --- | --- | --- |
| Delay to completion | £400,000 | 15 | £60,000 |
| Procurement of inexperienced contractor | £200,000 | 10 | £20,000 |
| Productivity | £180,000 | 15 | £27,000 |
| Estimating inaccuracy | £250,000 | 10 | £25,000 |
| Contractor bankruptcy | £500,000 | 4 | £20,000 |
| Poor quality | £300,000 | 5 | £15,000 |
| Overall risk allowance | | | £167,000 |

Three-Point Estimating or Probabilistic Method

The probabilistic method is a more in-depth version of the simple method and is sometimes called “three-point estimating,” which is carried out as follows.

Apply a meaningful probability to each risk in the register over a range of three assumptions (best, likely, and worst case). The probabilities for all three should add up to 1 (100 percent).

Use these to generate an expected value per assumption by multiplying the probability of each assumption by the financial impact of each assumption. Then add the three assumptions to generate an expected value for each risk.

Total the expected values for all the identified risks to get an overall risk allowance from the risk register.

Monte Carlo Simulation

Monte Carlo simulation is another probability-based method of risk analysis. It is a computerized mathematical technique that defines the consequences of each risk by a probability distribution. The simulation creates multiple scenarios by randomly sampling values from the probability distribution with modern computers allowing hundreds of trials.

Quantitative Schedule Risk Analysis (QSRA)

The QSRA uses statistical techniques to test the level of confidence in achieving the project completion date. This involves the application of Monte Carlo simulation to the schedule of a project for the risk information of project activities to be linked to the baseline schedule. The two elements of the QSRA are duration uncertainty, which provides a minimum, most likely, and maximum spread of activity durations, and risk impact, which assesses the minimum, most likely, and maximum impacts. This enables sensitivity information of each of the activities on the project schedule to be analyzed in relation to the possible effect of the uncertainty stemming from them on the eventual project duration.

Quantitative Cost Risk Analysis (QCRA)

QCRA is used to analyze the cost certainty of a project to estimate the probable cost outturn. This involves the application of Monte Carlo simulation to the risk register to enable the computation of the cost of the risks facing a project. This facilitates the identification of current impact of the risks to the project budget and informs what contingency should be provided. The overarching aim of the QCRA on a project is to estimate the right level of financial contingency to add to the project estimate to account for the identified risks on the project. Therefore, to implement a QCRA on a project, the risk register needs to be costed fully with the likely impact of a risk identified as a three-point estimate similar to the PERT/cost described in Chapter 8, that is minimum, most likely, and maximum. A QCRA is performed using risk software packages (such as @Risk, Active Risk Manager, Primavera Risk Analysis) where cumulative distribution graphs such as the S-curves can be created to inform outcomes at various confidence intervals between 0 and 100 percent.
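A QCRA in miniature, as an added example (not from the book or from any of the named software packages): Monte Carlo simulation over the Table 10.1 risk register, reporting the contingency at several confidence levels next to the simple EMV allowance. The minimum and maximum factors of the three-point spread, the triangular distribution, the trial count, and the function names are assumptions; the table gives only one cost impact per risk.

```python
import random

# Risk register from Table 10.1: (risk, cost impact in GBP, probability in %).
REGISTER = [
    ("Delay to completion", 400_000, 15),
    ("Procurement of inexperienced contractor", 200_000, 10),
    ("Productivity", 180_000, 15),
    ("Estimating inaccuracy", 250_000, 10),
    ("Contractor bankruptcy", 500_000, 4),
    ("Poor quality", 300_000, 5),
]

# ASSUMPTION (not in the source): each cost impact is treated as the "most
# likely" value of a three-point estimate, with minimum and maximum set to
# 0.7x and 1.6x of it. A real QCRA takes all three from the costed register.
MIN_FACTOR, MAX_FACTOR = 0.7, 1.6


def simple_emv(register):
    """Simple costing method: sum of probability x cost impact."""
    return sum(cost * pct / 100 for _, cost, pct in register)


def simulate(register, trials=20_000, seed=1):
    """Return the sorted total risk cost of each simulated project outcome."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = []
    for _ in range(trials):
        total = 0.0
        for _, likely, pct in register:
            if rng.random() < pct / 100:  # does the risk occur in this trial?
                total += rng.triangular(likely * MIN_FACTOR,
                                        likely * MAX_FACTOR, likely)
        totals.append(total)
    return sorted(totals)


def confidence_level(sorted_totals, pct):
    """Contingency that covers pct percent of the simulated outcomes."""
    index = min(len(sorted_totals) - 1, int(len(sorted_totals) * pct / 100))
    return sorted_totals[index]


if __name__ == "__main__":
    totals = simulate(REGISTER)
    print(f"Simple EMV allowance: £{simple_emv(REGISTER):,.0f}")
    print(f"Simulated mean:       £{sum(totals) / len(totals):,.0f}")
    for pct in (50, 80, 90, 95):
        print(f"P{pct} contingency:      £{confidence_level(totals, pct):,.0f}")
```

With these inputs more than half of the trials see no risk occur at all, so the P50 figure is zero while the P80 figure sits above the £167,000 EMV allowance; the points along this cumulative distribution are what the S-curve plots.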

Risk Response

The risk response stage during risk management comprises the utilization of an appropriate mitigation strategy (a future plan of action involving considered and agreed methods of dealing with every identified risk). The main aim of any response and mitigation strategy is to initiate and implement appropriate action to prevent the risks from occurring. All strategies must be agreed, recorded, and documented with responsibilities clearly stated and communicated to the appropriate stakeholders. Risk response can be passive or active.

Passive risk response: This implies the rejection of a considered mitigation strategy; at its best, it serves merely to monitor identified risks. This is not usually recommended in a project.

Active risk response: This implies the formulation of a mitigation strategy that may be one, or a combination, of the risk mitigation strategies discussed below.

Avoidance Risk Response Strategy

This may involve changing some aspect of the project to prevent the threat from happening or not have an impact. Aspects of the project that may be changed include the scope, procurement route, activity sequence, design type, and so on.

Example: On an IT project that has a tight delivery timescale, deciding against procuring a payroll IT system that is renowned for being difficult to integrate with other financial systems, in favor of another payroll IT solution that is more expensive but easy to integrate with other financial systems.

Reduction Risk Response Strategy

This is usually a proactive action by any of the project partners to either reduce the probability of the threat occurring through some form of control and/or reduce the impact of the threat if it occurs at all.

Example: To reduce the likelihood of imported equipment to be fitted in a hospital project being delayed at a country’s port with a two-week turnaround for clearing of such equipment, it is ordered to arrive eight weeks before being fitted. To reduce the impact should this risk occur, the activity is planned to ensure it doesn’t fall on the critical path.

Fallback Risk Response Strategy

This involves putting in place a contingency for the actions that will be taken to reduce the impact of the threat should the risk come to fruition. It is a reactive measure and only affects impact but has no bearing on the probability of the risk.

Example:

To reduce the risk of an American construction company misunderstanding the contract documents in German during a negotiation process for a project in Germany, a specialist legal documents translator from the host country was arranged to meet the team at the airport and join the negotiating party, but as a fallback John Smith who has a degree in German is also included as part of the team.

Transfer Risk Response Strategy

This is when a third party takes on the responsibility for some of the financial impact of the risk. It is a form of risk reduction but with only the mechanism to reduce the financial impact of the risk.

Example:

Taking insurance for the risk of vandalization of an ongoing gas power generating project in a city with a reputation for environmental protests and activism.

Liquidated damage clause (this is a contract provision that specifies an amount to be paid to the owner of the project by the party executing a project if the project is not completed on time, for example, £10,000 weekly until completion) in a project contract for a delay to completion of the project by the contractor delivering a software implementation project.

Acceptance Risk Response Strategy

This is a conscious and deliberate decision to retain a threat because it is deemed more economical to accept it than try to mitigate it. This approach is ideal for those risks that will not create a high amount of loss if they occur and the severity of the risk is lower than the risk tolerance level.

Risk Tolerance: Risk tolerance is the level of risk above the risk appetite that an organization or a project is willing to accept.

Risk Appetite: Risk appetite is the level of risk an organization or project has decided to accept to achieve its objectives. Risk appetite comprises two dimensions: first, the attitude of an organization toward risk, and second, risk capacity, that is, how much risk an organization or project can bear.

Example:

There is a 5 percent chance that an imported specialist system will not be compatible with the electrical system of a metro rail project when installed in the country it is imported to. To mitigate this, a local engineer will have to make it compatible, causing a one-day delay to the activity that has a float of two weeks anyway.

Hence it is probably not worth the effort/money to act on this but rather wait and see if the equipment will not be compatible and then call the engineer.

Sharing Risk Response Strategy

This is a risk response mechanism where the key partners to a project portion a risk. This is usually done through a pain-gain formula. This is where both parties share the gain from the risk not occurring and share the pain if the risk does come to fruition.

Example:

Stipulating a pain-gain agreement in the contract of a highly complex nuclear power project that if the project is delivered within budget, 25 percent of the £370 million contingency will be shared equally between the contractor and the client. But if delivered above the budget, the additional cost will be borne equally by the contractor and the client.

The significance of a risk in relation to a project will determine the project team’s response; see Table 10.2 for risk response strategy good practice. Good practice demands that all risks, irrespective of their significance, should have a mitigation strategy. However, from the author’s experience, the reality is that the project management team will use the analysis stage to prioritize the risks as depicted in Figure 10.1 earlier. Therefore, low level risks may be accepted by the project team if their impact is deemed insignificant to the project. However, for moderate level risks, the recommended good practice is to always apply mitigation measures that will help reduce or remove the risks from the project and/or develop mitigating measures to reduce the impact of each risk. High level risks are usually seen as a significant threat to the project, and the recommended good practice response is for the project management team to be proactive in dealing with them. This proactive response for high level risks could be elimination of the risk, transferring the risk to a party best able to manage the high risk, or avoidance. In some cases, in the absence of an effective response to a high level risk, the avoidance response strategy may mean the termination of a project.

Table 10.2 Risk response strategy good practice

| Level of risk | Recommended response strategy |
| --- | --- |
| Low level risk | May be accepted if the impact on the project is insignificant or impact recoverable easily |
| | These types of risks need to be monitored for any increase in their impact and mitigating measures need to be developed if impact becomes higher than acceptable |
| Moderate level risk | Need mitigating measures to be applied to eliminate or reduce the likelihood of the risk |
| | Effective control measures need to be established to limit and mitigate impact |
| | The effectiveness of the mitigation and control measures need to be monitored and improved as required |
| High level risk | Eliminate or avoid if possible |
| | If elimination or avoidance is not possible, requires a proactive, robust, and effective response |
| | Monitor and review response to the risk proactively to ascertain continued effectiveness or whether elimination of the risk is now possible |
| | May require transfer to another party |
| | May require termination of the project in the absence of an effective or a viable risk response |
