No government should ever imagine that it can always adopt a safe course; rather it should regard all possible courses of action as risky. This is the way things are: whenever one tries to escape one danger one runs into another. Prudence consists in being able to assess the nature of a particular threat and in accepting the lesser evil.
Machiavelli, Niccolo, Translated by Bull, G., ‘The Prince’, Penguin Books, 1961, p. 123.
The above quotation is a seminal statement about risk. It says that: risk does not go away. You may have put your finger on it to restrain it, but it pops up somewhere else in a different shape. This is the essence of contract strategy. How does one mould and shape the project circumstances in order to make the risks acceptable to someone else?
The project management model (see Part I, Section B Project Management Characteristics, figure I.B.1) can also be used as a risk management model. It starts with the objectives to determine which aspect will dominate the decision‐making process. Risk is uncertainty that will affect the outcome of these objectives.
Next, the means to help us ensure total scope definition are the product and work breakdown structures (P&WBS – see Part IV, Section F Scope). In developing the P&WBS, it not only helps us understand and define the scope but it also identifies our areas of ignorance – the identification of a major risk in itself. The P&WBS process thus becomes our tool for total risk identification by developing a risk breakdown structure (RBS). This is done as a project team exercise, using the diverse perspectives of the different disciplines so that there is identification within the project – a major step forward in the management of risk. The team's experience and judgement is used to categorise each work package into high‐, medium‐, or low‐risk elements; see Figure V.M.1. However, we should not forget that in this process, there is also the possibility to identify opportunities for doing something better, faster, or cheaper.
Risk assessment falls into three main components: Identification (what can possibly go wrong?), analysis (by how much will it go wrong?), and response (what can be done to avoid it going wrong, or how can we control it if it does go wrong?).
The first risk identification process should have been performed as part of the tender or proposal preparation process. The next risk identification review should be as soon as possible after the contract has been awarded. It is an ideal team‐building exercise to hold in conjunction with the client. This is not the end of the risk review process. It is a dynamic process10 since time generates risk. Consequently, the review process should be continued monthly and after key milestones or other events have been achieved.
In identifying risks, even with an experienced team, there is a strong possibility that they will fail to identify all the issues. The risk checklist11 (see paragraph 3 below) acts as a memory jogger and a catalyst to the synergy of the group. It helps to generate the ‘what’ of the model, the identified risk list and the risk register.
Consequently, when choosing the ‘who,’ the people for the team (see Section Q Selecting and Building the Team, Subsection 1), consideration must be given to selecting people on the basis of who is best at managing risk. In choosing who to include in the group risk process, it is useful to have some ‘negative thinking’ people because they are more likely to identify risks.
It is probably not possible to exclude taking on major risks, such as the first of a kind, a large scale‐up, technical uncertainty, or innovation. That's what project managers are for. However, don't have two of these at once – that will guarantee disaster. If you want to use new materials, use a proven application. If you want to use a new application, use proven materials.
Each identified risk must be allocated to an ‘owner’ in order to produce a risk responsibility matrix of ‘who owns what.’ The owners remain responsible until the risk is eliminated. A risk must not be allowed to be handed over to another team member. This removes another big risk, namely, interface problems.
At the execution plan stage of the risk management model, the risk owners develop risk memos. Risk memos are response plans and options for ‘how’ to handle the various ‘what if’ scenarios and the relationships or impact on other risks. It may be useful to hold a workshop to find solutions to some worst‐case scenarios and develop plans to avoid them. Writing risk memos (one page maximum) has a number of benefits; writing things down forces one to focus and crystallise one's plans. The risk memos should be distributed to the project team for information and reviewed by management. Most importantly, they become a library of information, which can be used by other/future projects. They record and become part of the know‐how of the company.
Risks that are identified as high impact and severity are designated to be started at the early start date in the critical path network of the execution plan.
Use a fault tree analysis to evaluate how the risks should be managed as follows:
The group process of identifying the risks, step a, will have produced an extensive identified risk list, which will need to be prioritised for effective decision‐making. See subsection 2 below for the prioritising processes. The first assessment, though, may be to take no action at all about a specific risk – provided one is clear about why.
Avoiding options in step b are: to reduce, alter, or adjust a risk or to design it out. Alternatively, transfer the risk to someone with better skills (subcontracting) or share the risk with someone who has greater capacity for dealing with the risk (not necessarily a joint venture – the ‘joint and several liabilities’ may be increasing the risk).
Managing controllable processes in step c involves a variety of planning and monitoring disciplines: safety, quality, and execution planning, and so on.
If the impact of a risk is too severe, then consideration should be given to transferring the risk (step d) to an insurance company. Trying to eliminate risks in steps b and c is important since it reduces the number of risks to be considered for insurance and hence the cost of premiums. Plot severity (cost impact) against probability and use the following guidelines:
Quantifying the residual risk (step e) in financial terms is totally dependent on historical data and experience.
Step f is deduced from step e and emphasizes the importance of the fault tree process because it reduces the contingencies (see Section E Estimating and Contingency, subsection 5). Consequently, it sets one's competitive edge.
The last part of the risk management model ‐ the ‘where’ are we – is to review the status of the risks at a regular risk review meeting. This is much more forward‐looking and pro‐active than a progress meeting that is primarily looking backwards.
The risks listed on the risk breakdown structure (see Figure V.M.1 above) should then move from their initial column of, say high risk, to medium risk and then to low risk and eventually disappear as they are conquered by the project.
You could jump to the final stage of the prioritisation process to produce a final risk register. However, this would miss the intermediate steps that make the team really understand the issues.
The first step in prioritising the vast number of risks produced by the group identification process is to classify them (using historical data, experience, or the gut feeling of the group) for severity or impact. The impact should be assessed as the maximum likely. It can be viewed from the perspective of capital cost, schedule, and safety, as well as operability or operating costs.
It is unnecessary to use more than three categories for this initial assessment: high, medium, and low.
The next step is to grade the risks for probability: Certain/high probability – 3, undecided/medium probability – 2, and uncertain/low probability – 1.
There can be so many identified risks that it is difficult to see the wood for the trees. In this case jump to the last step and rank the prioritising process by introducing a time factor: a time scale within three months – 3, four to six months – 2, and beyond six months – 1. If these durations seem long relative to the length of the project, reduce them proportionately, but do not increase them for longer projects.
Select those with the highest number for: impact X probability X time. Evaluate them for: immediate action, development of contingency plans or for transfer to others, or insurance (see Figure V.M.2). During a risk seminar (or team building) this can be a sub‐group exercise and should take the third step, in paragraph 2.5 and 2.6 below, into account.
The sequential third step is to examine how difficult they would be to manage or the effort required to resolve them using: difficult to manage – 3, reasonable manageability – 2, or easy to manage – 1.
Having addressed the urgent ones in paragraphs 2.4 and 2.4.1, we can now give time to the remainder and prioritise them (see Figure V.M.3) by plotting risk (Probability X Impact/Severity), against manageability or effort required. Tackle them in the order of 1 – high risk/low effort, 2 – low risk/low effort (get them out of the way) in order to deal with; 3 those left over from 2.4 and 2.4.1 – high risk/high effort. Finally, when you have time, 4 – low risk/high manageability effort. In team building, or a risk seminar, these are tackled in subgroups before sharing/discussing the results with the whole team.
The final step is to produce the final risk register using all four criteria and the rankings already defined of 3, 2, and 1, namely, Probability x Impact x Manageability x Time. This produces a maximum risk coefficient of 81, requiring immediate attention.
The risk coefficient is tabulated first on the risk register, followed by the description of the risk and then the action time factor so that it is easily seen and updated and followed by the other criteria; see Figure V.M.4. One's views of probability, impact, and manageability may change as work on the project progresses. As indicated above, time generates risk. They may need to be adjusted in the register, but time should be changed and the risk coefficient updated before each risk review meeting.
Repeating this process on a monthly basis means that eventually all risks rise to the top of the list (and the project manager's attention), due to the changing value of time.
An attempt has been made to list the main risk groupings/categories in the order of high impact but low probability to low impact, high probability.
It can be argued that the biggest risk of all is the people not performing their work correctly or effectively. The majority of the risks listed are the fault of people failing to perform a study, an analysis, or an investigation, or failing to train staff to have adequate skills and so on.
On the whole project managers are optimists. So remember that over‐optimism will lead to under‐estimation of cost and time and even to the risk themselves.
Projects don't seem to go wrong because of the big risks, despite the fact that there is limited ability to control them. Perhaps this is because people give them a great deal of attention. Projects go wrong because of the multitude of high probability, low impact risks, despite the fact that we have total ability to control them as part of the design, procurement, and construction work process. Work at them more.
People tend to be risk takers when dealing with a loss and risk averse when dealing with a gain.
Ideally a country risk assessment will be specific to an enquiry for a particular prospect that the business development people have in mind. It needs to be thorough since it should form part of the documentation for the approval‐to‐tender request.
For a client, much of the information will have been assessed prior to the feasibility stage when evaluating the market for their product.
The introduction to the country report will provide general data about the country: population, economics, rate of inflation, parliamentary system, culture, religion(s), and language(s). See also Section O, Site Checks. Most of this preliminary data can be obtained from financial institutions.
Credit rating of the country. Check with the national insurers:
ECGD | – A British government organization |
NCM | – A private Dutch company |
COFAS | – A private French company |
EXIM | – A U.S. government department |
HERMES | ‐ A private German company |
SACE | ‐ Italian joint stock company |
JBIC | ‐ Japanese public financial institution and export credit agency |