Chapter 15
Risk Management
Abstract
The need for risk management is emphasized with examples of successful applications. The five main stages of risk management, i.e., risk awareness, risk identification, risk assessment, risk evaluation, risk management as well as risk monitoring are described in detail in this chapter. The advantages and disadvantages of the different risk identification methods are discussed. Diagrams of a probability/impact matrix, risk summary chart, risk exposure table, frequency/time histogram, Tornado diagram and a risk register (risk log) are included.
Keywords
Delphi technique; Impact; Probability matrix; Risk assessment; Risk awareness; Risk evaluation; Risk identification; Risk management; Risk mitigation; Risk monitoring; Risk owner; Risk register (log)
Every day we take risks. If we cross the street, we risk being run over. If we go down the stairs, we risk missing a step and tumbling down. Taking risks is such a common occurrence that we tend to ignore it. Indeed, life would be unbearable if we are constantly worried whether or not we should carry out a certain task or take an action, because the risk is, or is not, acceptable.
With projects, however, this luxury of ignoring the risks cannot be permitted. By their very nature, because projects are inherently unique and often incorporate new techniques and procedures, they are risk prone and the risk has to be considered right from the start. It then has to be subjected to a disciplined regular review and investigative procedure known as risk management.
Before applying risk management procedures, many organizations produce a risk management plan. This is a document produced at the start of the project that sets out the strategic requirements for risk assessment and the whole risk management procedure. In certain situations the risk management plan should be produced at the estimating or contract-tender stage to ensure that adequate provisions are made in the cost build-up of the tender document.
The project management plan (PMP) should include a résumé of the risk management plan, which will first of all define the scope and areas to which risk management applies, particularly the risk types to be investigated. It will also specify which techniques will be used for risk identification and assessment, whether SWOT (strengths, weaknesses, opportunities and threats) analysis is required and which risks (if any) require a more rigorous quantitative analysis such as Monte Carlo simulation methods.
The risk management plan will set out the type, content, and frequency of reports, the roles of risk owners, and the definition of the impact and probability criteria in qualitative and/or quantitative terms covering cost, time and quality/performance.
The main contents of a risk management plan are as follows:
• General introduction. Explaining the need for the risk management process;
• Project description. Only required if it is a stand-alone document and not part of the PMP;
• Types of risks. Political, technical, financial, environmental, security, safety, programme, etc.;
• Risk processes. Qualitative and/or quantitative methods, maximum number of risks to be listed;
• Tools and techniques. Risk identification methods, size of P–I matrix, computer analysis, etc.;
• Risk reports. Updating periods of risk register, exception reports, change reports, etc.; and
• Attachments. Important project requirements, dangers, exceptional problems, etc.
The risk management plan of an organization should follow a standard pattern in order to increase its familiarity (rather like standard conditions of contract), but each project will require a bespoke version to cover its specific requirements and anticipated risks.
Risk management consists of the following five stages, which, if followed religiously, will enable one to obtain a better understanding of the project risks that could jeopardize the cost, time, quality and safety criteria of the project. The first three stages are often referred to as qualitative analysis and are by far the most important stages of the process.
Stage 1: Risk Awareness
This is the stage at which the project team begins to appreciate that there are risks to be considered. The risks may be pointed out by an outsider, or the team may be able to draw on their own collective experience. The important point is that once this attitude of mind is set, i.e., that the project, or certain facets of it, is at risk, it leads very quickly to risk identification.
Stage 2: Risk Identification
This is essentially a team effort at which the scope of the project, as set out in the specification, contract and WBS (if drawn), is examined and each aspect investigated for a possible risk.
To get the investigation going, the team may have a brainstorming session and use a prompt list (based on specific aspects such as legal or technical problems) or a checklist compiled from risk issues from similar previous projects. It may also be possible to obtain an expert opinion or carry out interviews with outside parties. The end product is a long list of activities that may be affected by one or a number of adverse situations or unexpected occurrences. The risks that generally have to be considered may be conveniently split into four main areas as shown in Table 15.1. Any applicable risk in each area can then be examined by a further screening process as shown by the samples given in the following:
Table 15.1
| Project Risks | |||
| Organization | Environment | Technical | Financial |
| Management | Legislation | Technology | Financing |
| Resources | Political | Contracts | Exchange rates |
| Planning | Pressure groups | Design | Escalation |
| Labour | Local customs | Manufacture | Financial stability of |
| Health and safety | Weather | Construction | (a) Project |
| Claims | Emissions | Commissioning | (b) Client |
| Policy | Security | Testing | (c) Suppliers |
| Technical | New technology or materials, test failures |
| Environmental | Unforeseen weather conditions, traffic restrictions |
| Operational | New systems and procedures, training needs |
| Cultural | Established customs and beliefs, religious holidays |
| Financial | Freeze on capital, bankruptcy of stakeholder, currency fluctuations |
| Legal | Local laws, lack of clarity of contract |
| Commercial | Change in market conditions or customers |
| Resource | Shortage of staff, operatives, plant or materials |
| Economic | Slow-down of economy, change in commodity prices |
| Political | Change of central or local government or government policies |
| Security | Safety, theft, vandalism, civil disturbance |
Some risks could be categorized in more than one area or section, such as civil unrest, which could be a political as well as a security problem.
The following gives the advantages and disadvantages:
| Brainstorming | |
| Advantages | Wide range of possible risks suggested for consideration, involves a number of stakeholders |
| Disadvantages | Time-consuming, requires firm control by the facilitator |
| Prompt List | |
| Advantages | Gives benefit of past problems, saves time by focusing on real possibilities |
| Disadvantages | Restricts suggestions to past experience, past problems may not be applicable |
| Checklist | |
| Advantages | Similar to prompt list: company standard |
| Disadvantages | Similar to prompt list |
| Table Continued | |
| Work Breakdown Structure | |
| Advantages | Focused on specific project risks |
| Quick and economical | |
| Disadvantages | May limit scope of possible risks |
| Delphi Technique | |
| Advantages | Offers wide experience of experts |
| Can be wide ranging | |
| Disadvantages | Time-consuming if experts are far away |
| Expensive if experts have to be paid | |
| Advice may not be specific enough | |
| Asking Experts | |
| Advantages | Similar to Delphi |
| Disadvantages | Similar to Delphi |
At this stage, it may be possible to identify who is the best person to manage each risk. This person becomes the risk owner.
To reduce the number of risks being seriously considered from what could well be a very long list, some form of screening will be necessary. Only those risks that pass certain criteria need be examined more closely, which leads to the next stage of risk management:
Stage 3: Risk Assessment
This is the qualitative stage at which the two main attributes of a risk, probability and impact, are examined.
The probability of a risk becoming a reality has to be assessed using experience and/or statistical data, such as historical weather charts or close-out reports from previous projects. Each risk can then be given a probability rating of High, Medium or Low.
In a similar way, by taking into account all the available statistical data, past project histories and expert opinion, the impact or effect on the project can be rated as Severe, Medium or Low.
A simple matrix can now be drawn up which identifies whether a risk should be taken any further. Such a matrix is shown in Fig. 15.1.
Each risk can now be given a risk number, so that it is possible to draw up a simple chart that lists all the risks considered so far. This chart will show the risk number, a short description, the risk category, the probability rating, the impact rating (in terms of High, Medium or Low) and the risk owner who is charged with monitoring and managing the risk during the life of the project.
Fig. 15.2 shows the layout of such a chart.
Stage 4: Risk Evaluation
It is now possible to give comparative values, often on a scale 1 to 10, to the probability and impact of each risk and by drawing up a matrix of the risks, an order of importance or priority can be established. By multiplying the impact rating by the probability rating, the exposure rating is obtained. This is a convenient indicator that may be used to reduce the list to only the top dozen that require serious attention, but an eye should nevertheless be kept on even the minor ones, some of which may suddenly become serious if unforeseen circumstances arise.
An example of such a matrix is shown in Fig. 15.3. Clearly, the higher the value, the greater the risk and the more attention it must receive to manage it.
Another way to quantify both the impact and probability is to number the ratings as shown in Fig. 15.4 from one for very low to five for very high. By multiplying the appropriate numbers in the boxes, a numerical (or quantitative) exposure rating is obtained, which gives a measure of seriousness and hence importance for further investigation.
For example, if the impact is rated 3 (i.e. medium) and the probability 5 (very high), the exposure rating is 3 × 5 = 15.
Further sophistication in evaluating risks is possible by using some of the computer software developed specifically to determine the probability of occurrence. These programs use sampling techniques such as ‘Monte Carlo simulations’ that carry out hundreds of iterative sampling calculations to obtain a probability distribution of the outcome.
One application of the Monte Carlo simulation is determining the probability to meet a specific milestone (e.g. the completion date) by giving three time estimates to every activity. The program will then carry out a great number of iterations resulting in a frequency/time histogram and a cumulative ‘S’ curve from which the probability of meeting the milestone can be read off (see Fig. 15.5).
At the same time, a Tornado diagram can be produced, which shows the sensitivity of each activity as far as it affects the project completion (see Fig. 15.6).
Other techniques such as sensitivity diagrams, influence diagrams and decision trees have all been developed in an attempt to make risk analysis more accurate or more reliable. It must be remembered, however, that any answer is only as good as the initial assumptions and input data, and the project manager must give serious consideration as to the cost effectiveness of these methods for his/her particular project.
Stage 5: Risk Management
Having listed and evaluated the risks and established a table of priorities, the next stage is to decide how to manage the risks; in other words, what to do about them and who should be responsible for managing them. For this purpose, it is advisable to appoint a risk owner for every risk that has to be monitored and controlled. A risk owner may, of course, be responsible for a number, or even all, of the risks. There are a number of options available to the project manager when faced with a set of risks. These are:
• Avoidance
• Reduction
• Sharing
• Transfer
• Deference
• Mitigation
• Contingency
• Insurance
• Acceptance
These options are perhaps most easily explained by a simple example.
The owner of a semi-detached house decides to replace part of his roof with solar panels to save on his water-heating bill. The risks involved in carrying out this work are as follows:
| Risk 1 | The installer may fall off the roof |
| Risk 2 | The roof may leak after completion |
| Risk 3 | The panels may break after installation |
| Risk 4 | Birds may befoul the panels |
| Risk 5 | The electronic controls may not work |
| Risk 6 | The heat recovered may not be sufficient to heat the water on a cold day |
| Risk 7 | It may not be possible to recover the cost if the house is sold within 2–3 years |
| Risk 8 | The cost of the work will probably never pay for itself |
| Risk 9 | The cost may escalate due to unforeseen structural problems |
These risks can all be managed by applying one or several of the following options:
| Risk 1 | Transfer | Employ a builder who is covered by insurance |
| Risk 2 | Transfer | Insist on a 2-year guarantee for the work (at least two season cycles) |
| Risk 3 | Insurance | Add the panel replacement to the house insurance policy |
| Risk 4 | Mitigation | Provide access for cleaning (this may increase the cost) |
| Risk 5 | Reduction | Ensure a control unit is used which has been proven for a number of years |
| Risk 6 | Contingency | Provide for an electric immersion heater for cold spells |
| Risk 7 | Deference | Wait for 3 years before selling the house |
| Risk 8 | Acceptance | This is a risk one must accept if the work goes ahead |
| Risk 8 | Avoidance | Don’t go ahead with the work |
| Risk 9 | Sharing | Persuade the neighbour in the adjoining house to install a similar system at the same time |
Monitoring
To keep control of the risks, a risk register should be produced that lists all the risks and their method of management. Such a list is shown in Fig. 15.7. When risk owners are appointed, these will be identified on the register. The risks must be constantly monitored and the register must be reassessed at preset periods, and if necessary amended to reflect the latest position. Clearly, as the project proceeds, the risks reduce in number, so that the contingency sums allocated to cover the risk of the completed activities can be allocated to other sections of the budget. These must be recorded in the register under the heading of risk closure. However, sometimes new rules emerge that must be taken into account.
The summary of the risk management procedure is then as follows:
1. Risk awareness
2. Risk identification (checklists, prompt lists, brainstorming)
3. Risk owner identification
4. Qualitative assessment
5. Quantification of probability
6. Quantification of impact (severity)
7. Exposure rating
8. Mitigation
9. Contingency provision
10. Risk register
11. Software usage (if any)
12. Monitoring and reporting
To aid the process of risk management, a number of software tools have been developed. The most commonly used ones are @Risk, Predict, Pandora and Plantrac Marshal, but new ones will be undoubtedly developed in the future.
Example of Effective Risk Management
One of the most striking and beneficial advantage of risk analysis is associated with the temporary jetties system known as Mulberry Harbour, which was towed across the Channel to support Allied landings in Normandy on D-Day, June 6, 1944.
The two jetties (A) at Gold beach for the British army and (B) at Omaha for the American army consisted of floating roadways, pontoons and caissons, protected by breakwaters, which were prefabricated at numerous sites across Britain and towed across the Channel where the caissons were sunk onto the seabed. All site construction of the roadways was carried out by British and American military engineers. The harbours were completed 12 days later on 18 June, and on 19 June an enormous storm blew up, which by 22 June destroyed the American and badly damaged the British harbour.
Fortunately, someone carried out a risk analysis that identified the possibility of such a disaster. As a result, the provision had been made for a large quantity of spare units to be ready at British ports to be towed out as replacements. By using these spare sections and cannibalizing the wrecked American harbour, the British harbour could be repaired and until it was abandoned following the capture of Cherbourg 8 months later, more than 7000 tons of vital military supplies per day were delivered to the allied armies in France.
Positive Risk or Opportunity
Although most risks are generally regarded as negative or undesirable, and indeed most mitigation strategies have been devised to reduce the impact or probability of negative risk, paradoxically, there is also such a thing as positive risk or opportunistic risk. This is basically the risk that any entrepreneur or investor takes when he/she invests in a new enterprise. A simple case of ‘Nothing ventured, nothing gained’. A case may also arise where a perceived negative risk becomes a positive risk or opportunity. For example, in an attempt to reduce the risk of skidding, a car manufacturer may invent an anti-skid device that can be marketed independently at a profit. If there had been no risk, there would have been no need for the antidote.
Local authorities tend to use the term ‘positive risk taking’ when referring to the proactive approach of providing services and facilities to certain sections of the community (usually challenged by a disability). However, in addition to discussing and agreeing on their risks with clients, the process is in effect a comprehensive programme of ascertaining, prioritizing and mitigating the perceived risks before they occur.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.