
Chapter 11 - Risk Management

This document summarizes key aspects of risk management for projects. It discusses producing a risk management plan at the start of a project to set out the risk assessment process. The main stages of risk management are then outlined as risk awareness, identification, assessment, and evaluation. Risk identification involves techniques like brainstorming and checklists to compile a list of potential risks. Risk assessment qualitatively rates the probability and impact of each risk. Risks are then prioritized through evaluation, often using matrices to determine an exposure rating based on probability and impact scores. Quantitative analysis can also be used to further evaluate and prioritize risks.

Uploaded by

amazon.rem33

Topics covered

  • stakeholder involvement,
  • risk evaluation,
  • Monte Carlo simulation,
  • cultural risks,
  • engineering projects,
  • risk log,
  • checklists,
  • risk management software,
  • risk assessment,
  • risk closure

Chapter 11

Project Management, Planning and Control: Managing Engineering,
Construction and Manufacturing Projects to PMI, APM and BSI Standards
(Fifth Edition), Chapter 16 (2007), Albert Lester, Butterworth-Heinemann

11. Risk Management


Every day we take risks. If we cross the street we risk being run over. If we go down
the stairs, we risk missing a step and tumbling down. Taking risks is such a common
occurrence, that we tend to ignore it. Indeed, life would be unbearable if we
constantly worried whether we should or should not carry out a certain task or take an
action, because the risk is, or is not, acceptable. With projects, however, this luxury of
ignoring the risks cannot be permitted. By their very nature, because projects are
inherently unique and often incorporate new techniques and procedures, they are risk
prone and risk has to be considered right from the start. It then has to be subjected to a
disciplined regular review and investigative procedure known as risk management.
Before applying risk management procedures, many organizations produce a risk
management plan. This is a document produced at the start of the project which sets
out the strategic requirements for risk assessment and the whole risk management
procedure. In certain situations the risk management plan should be produced at the
estimating or contract tender stage to ensure that adequate provisions are made in the
cost build-up of the tender document. The project management plan (PMP) should
include a résumé of the risk management plan, which will first of all define the scope
and areas to which risk management applies, particularly the risk types to be
investigated. It will also specify which techniques will be used for risk identification
and assessment, whether SWOT (strengths, weaknesses, opportunities and threats)
analysis is required and which risks (if any) require a more rigorous quantitative
analysis such as Monte Carlo simulation methods. The risk management plan will set
out the type, content and frequency of reports, the roles of risk owners and the
definition of the impact and probability criteria in qualitative and/or quantitative terms
covering cost, time and quality/performance. The main contents of a risk management
plan are as follows:
• General introduction explaining the need for the risk management process;

• Project description. Only required if it is a stand-alone document and not part of the PMP;

• Types of risks. Political, technical, financial, environmental, security, safety, programme, etc.;

• Risk processes. Qualitative and/or quantitative methods, max. nos of risks to be listed;

• Tools and techniques. Risk identification methods, size of P-I matrix, computer analysis, etc.;

• Risk reports. Updating periods of risk register, exception reports, change reports, etc.;

• Attachments. Important project requirements, dangers, exceptional problems, etc.

The risk management plan of an organization should follow a standard pattern in
order to increase its familiarity (rather like standard conditions of contract) but each
project will require a bespoke version to cover its specific requirements and
anticipated risks. Risk management consists of the following five stages, which, if
followed religiously, will enable one to obtain a better understanding of those project
risks which could jeopardize the cost, time, quality and safety criteria of the project.
The first three stages are often referred to as qualitative analysis and are by far the
most important stages of the process.

11.1. Stage 1: Risk awareness


This is the stage at which the project team begins to appreciate that there are risks to
be considered. The risks may be pointed out by an outsider, or the team may be able
to draw on their own collective experience. The important point is that once this
attitude of mind has been achieved, i.e. that the project, or certain facets of it, are at
risk, it leads very quickly to …
11.2. Stage 2: Risk identification
This is essentially a team effort at which the scope of the project, as set out in the
specification, contract and WBS (if drawn) is examined and each aspect investigated
for a possible risk.
To get the investigation going, the team may have a brainstorming session and use a
prompt list (based on specific aspects such as legal or technical problems) or a
checklist compiled from risk issues from similar previous projects. It may also be
possible to obtain expert opinion or carry out interviews with outside parties. The end
product is a long list of activities which may be affected by one or a number of
adverse situations or unexpected occurrences. The risks which generally have to be
considered may be:

• Technical: New technology or materials. Test failures;

• Environmental: Unforeseen weather conditions. Traffic restrictions;

• Operational: New systems and procedures. Training needs;

• Cultural: Established customs and beliefs. Religious holidays;

• Financial: Freeze on capital. Bankruptcy of stakeholder. Currency fluctuation;

• Legal: Local laws. Lack of clarity of contract;

• Commercial: Change in market conditions or customers;

• Resource: Shortage of staff, operatives or materials;

• Economic: Slow-down in economy, change in commodity prices;

• Political: Change of government or government policy;

• Security: Safety. Theft. Vandalism.

 
The following list gives the advantages and disadvantages of the more usual risk
identification methods:

Brainstorming

Advantages: Wide range of possible risks suggested for consideration; Involves a number of stakeholders.
Disadvantages: Time consuming; Requires firm control by facilitator.

Prompt list

Advantages: Gives benefit of past problems; Saves time by focusing on real possibilities; Easy to discuss.
Disadvantages: Restricts suggestions to past experience; Past problems may not be applicable.

Checklist

Advantages: Similar to prompt list; Company standards.
Disadvantages: Similar to prompt list.

Work breakdown structure

Advantages: Focused on specific project risks; Quick and economical.
Disadvantages: May limit scope of possible risks.

Delphi technique

Advantages: Offers wide experience of experts; Can be wide ranging.
Disadvantages: Time consuming if experts are far away; Expensive if experts have to be paid; Advice may not be specific enough.

Asking experts

Advantages: As Delphi.
Disadvantages: As Delphi.

At this stage it may be possible to identify who is best to manage each risk. This
person becomes the risk owner.

To reduce the number of risks being seriously considered from what could well be a
very long list, some form of screening will be necessary. Only those risks which pass
certain criteria need be examined more closely, which leads to the next stage …

11.3. Stage 3: Risk assessment


This is the qualitative stage at which the two main attributes of a risk, probability and
impact, are examined.

The probability of a risk becoming a reality has to be assessed using experience
and/or statistical data such as historical weather charts or closeout reports from
previous projects. Each risk can then be given a probability rating of HIGH,
MEDIUM or LOW.

In a similar way, by taking into account all the available statistical data, past project
histories and expert opinion, the impact or effect on the project can be rated as
SEVERE, MEDIUM or LOW.

A simple matrix can now be drawn up which identifies whether a risk should be taken
any further. Such a matrix is shown in Figure 11.1.

Figure 11.1 Probability versus impact table.

Each risk can now be given a risk number, so that it is now possible to draw up a
simple chart which lists all the risks so far considered. This chart will show the risk
number, a short description, the risk category, the probability rating, the impact rating
(in terms of high, medium or low) and the risk owner who is charged with monitoring
and managing the risk during the life of the project. Figure 11.2 shows the layout of
such a chart.

A quantitative analysis can now follow. This is known as …

11.4. Stage 4: Risk evaluation


It is now possible to give comparative values, often on a scale 1 to 10, to the
probability and impact of each risk and by drawing up a matrix of the risks, an order
of importance or priority can be established. By multiplying the impact rating by the
probability rating, the exposure rating is obtained. This is a convenient indicator
which may be used to reduce the list to only the top dozen that require serious
attention, but an eye should nevertheless be kept on even the minor ones, some of
which may suddenly become serious if unforeseen circumstances arise. An example
of such a matrix is shown in Figure 11.3. Clearly the higher the value, the greater the
risk and the more attention it must receive to manage it.

Figure 11.2 Risk Summary Chart

Figure 11.3 Exposure table

Figure 11.4 5×5 matrix

Another way to quantify both the impact and probability is to number the ratings as
shown in Figure 11.4 from 1 for very low to 5 for very high. By multiplying the
appropriate numbers in the boxes, a numerical (or quantitative) exposure rating is
obtained, which gives a measure of seriousness and hence importance for further
investigation.

For example, if the impact is rated 3 (i.e. medium) and the probability 5 (very high),
the exposure rating is 3×5 = 15.

Further sophistication in evaluating risks is possible by using some of the computer
software developed specifically to determine the probability of occurrence. These
programs use sampling techniques like ‘Monte Carlo simulations’ which carry out
hundreds of iterative sampling calculations to obtain a probability distribution of the
outcome.

One application of the Monte Carlo simulation is determining the probability of meeting
a specific milestone (like the completion date) by giving three time estimates to every
activity. The program will then carry out a great number of iterations resulting in a
frequency/time histogram and a cumulative ‘S’ curve from which the probability of
meeting the milestone can be read off (see Figure 11.5).

At the same time a Tornado diagram can be produced, which shows the sensitivity of
each activity as far as it affects the project completion (see Figure 11.6). Other
techniques such as sensitivity diagrams, influence diagrams and decision trees have
all been developed in an attempt to make risk analysis more accurate or more reliable.
It must be remembered, however, that any answer is only as good as the initial
assumptions and input data, and the project manager must give serious consideration
as to the cost effectiveness of these methods for his/her particular project.

Figure 11.5 Frequency/time histogram

Figure 11.6 Tornado diagram
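
The Monte Carlo milestone analysis and Tornado ranking described above, as an added example that is not taken from the book or from any of the software packages it names. The five-activity network, its three time estimates, the triangular distribution and the use of correlation as the sensitivity measure are all constructed assumptions for illustration.

```python
import random

# Constructed sample network: name -> (predecessors, (optimistic, most likely, pessimistic) days).
# Activities are listed in dependency order, so one forward pass is enough.
ACTIVITIES = {
    "A design":     ([],                           (8, 10, 15)),
    "B procure":    (["A design"],                 (15, 20, 40)),
    "C site prep":  (["A design"],                 (5, 6, 8)),
    "D install":    (["B procure", "C site prep"], (8, 10, 14)),
    "E commission": (["D install"],                (3, 4, 6)),
}

def sample_durations(rng):
    """Draw one duration per activity from a triangular distribution (assumption)."""
    return {name: rng.triangular(lo, hi, mode)
            for name, (_, (lo, mode, hi)) in ACTIVITIES.items()}

def project_duration(durations):
    """Forward pass: an activity starts when its latest predecessor finishes."""
    finish = {}
    for name, (preds, _) in ACTIVITIES.items():
        start = max((finish[p] for p in preds), default=0.0)
        finish[name] = start + durations[name]
    return max(finish.values())

def simulate(iterations=5000, seed=11):
    """Return (per-iteration duration dicts, per-iteration project totals)."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    draws = [sample_durations(rng) for _ in range(iterations)]
    totals = [project_duration(d) for d in draws]
    return draws, totals

def probability_of_meeting(totals, deadline):
    """Read-off from the cumulative S-curve: share of iterations finishing on time."""
    return sum(t <= deadline for t in totals) / len(totals)

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length samples."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def tornado(draws, totals):
    """Rank activities by |correlation| between their duration and the project total."""
    rows = [(name, pearson([d[name] for d in draws], totals)) for name in ACTIVITIES]
    return sorted(rows, key=lambda r: abs(r[1]), reverse=True)

if __name__ == "__main__":
    draws, totals = simulate()
    # 44 days is the sum of the "most likely" estimates along A-B-D-E.
    for deadline in (44, 50, 55, 60):
        print(f"P(finish <= {deadline} days) = {probability_of_meeting(totals, deadline):.2f}")
    for name, corr in tornado(draws, totals):
        print(f"{name:<13} {corr:+.2f} {'#' * round(abs(corr) * 30)}")
```

Because the pessimistic estimates sit further from the most likely values than the optimistic ones, the date obtained by adding up the most likely durations is met in only a small share of iterations, and the activity with the widest spread dominates the Tornado ranking while the activity with float contributes almost nothing.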

11.5. Stage 5: Risk management


Having listed and evaluated the risks and established a table of priorities, the next
stage is to decide how to manage the risks; in other words, what to do about them and
who should be responsible for managing them. For this purpose it is advisable to
appoint a risk owner for every risk which has to be monitored and controlled. A risk
owner may, of course, be responsible for a number or even all the risks. There are a
number of options available to the project manager when faced with a set of risks.
These are:

• avoidance

• reduction

• sharing

• transfer

• deference

• mitigation

• contingency

• insurance

• acceptance.

These options are perhaps most easily explained by a simple example.

The owner of a semi-detached house decides to replace part of his roof with solar
panels to save on his hot water heating bill. The risks in carrying out this work are as
follows:

• Risk 1: The installer may fall off the roof;

• Risk 2: The roof may leak after completion;

• Risk 3: The panels may break after installation;

• Risk 4: Birds may befoul the panels;

• Risk 5: The electronic controls may not work;

• Risk 6: The heat recovered may not be sufficient to heat the water on a cold day;

• Risk 7: It may not be possible to recover the cost if the house is sold within 2–3 years;

• Risk 8: The cost of the work will probably never pay for itself;

• Risk 9: The cost may escalate due to unforeseen structural problems.

These risks can all be managed by applying one or several of the above options:

• Risk 1 (Transfer): Employ a builder who is covered by insurance;

• Risk 2 (Transfer): Insist on a two-year guarantee for the work (at least two season cycles);

• Risk 3 (Insurance): Add the panel replacement to the house insurance policy;

• Risk 4 (Mitigation): Provide access for cleaning (this may increase the cost);

• Risk 5 (Reduction): Ensure a control unit is used which has been proven for a number of years;

• Risk 6 (Contingency): Provide for an electric immersion heater for cold spells;

• Risk 7 (Deference): Wait 3 years before selling the house;

• Risk 8 (Acceptance): This is a risk one must accept if the work goes ahead, or

• Risk 8 (Avoidance): Don’t go ahead with the work;

• Risk 9 (Sharing): Persuade the neighbor in the adjoining house to install a similar system at the same time.

11.6. Monitoring
To keep control of the risks, a risk register should be produced which lists all the risks
and their method of management. Such a list is shown in Figure 11.7. Where risk
owners have been appointed, these will be identified on the register. The risks must be
constantly monitored and at preset periods, the register must be reassessed and if
necessary amended to reflect the latest position. Clearly as the project proceeds, the
risks reduce in number, so that the contingency sums allocated to cover the risk of the
completed activities can be allocated to other sections of the budget. However,
sometimes new risks emerge which must be taken into account. These must be
recorded in the register under the heading of risk closure.

11.7. Summary
The summary of the risk management procedure is then as follows:

1. Risk awareness;

2. Risk identification (checklists, prompt lists, brainstorming);

3. Risk owner identification;

4. Qualitative assessment;

5. Quantification of probability;

6. Quantification of impact (severity);

7. Exposure rating;

8. Mitigation;

9. Contingency provision;

10. Risk register;

11. Software usage (if any);

12. Monitoring and reporting.


Figure 11.7 Risk register (risk log)

To aid the process of risk management, a number of software tools have been
developed. The most commonly used ones are @Risk, Predict, Pandora and Plantrac
Marshal, but no doubt new ones will be developed in the future.
