Effective Risk Management

Engineering is not an exact science. There are a number of variables involved in it. The cost estimate and programs are only estimates. Several risks might impact them.

Risk has to do with the degree of uncertainty. There are different types of risks that are relevant to a project. Project risks can be categorised as known or unknown, and as individual or overall.

A known risk is one that has been identified and analysed. For these types of risks, the ability and opportunity to react, plan and respond to the risk is obvious.

An unknown risk is more difficult to ascertain, based on timing and other factors that place the project management team in a reactionary mode to address risk concerns.

Individual risks are those determined to impact the development of activities within the project, while overall project risks have impacts that can be greater than the sum of the individual risks within a project.

Overall project risk can represent exposure to the implications of variations to the project’s outcome, which may be positive or negative.

Sometimes risks are divided into the following types:

  • Strategic risks
  • Project risks
  • Programme risks
  • Health & Safety risks

The effects of risks and uncertainties threaten the achievement of project objectives and may cause failure to:

  • Keep the project within the estimated cost
  • Achieve the required completion date(s)
  • Achieve the required functional performance

Project managers should take actions which reduce or eliminate the effects of risk or uncertainty. They should also ensure that the remaining risks are allocated to the parties in a manner likely to optimise project performance.

Risk Management Process

The risk management process comprises:

  • Risk Analysis/Identification
  • Risk Assessment
  • Risk Management

A few terms commonly used in risk analysis/identification are:

  1. The risk appetite is the degree of uncertainty an entity is willing to take in anticipation of a reward.
  2. Risk tolerance is the degree, amount, or volume of risk that an organization or individual will withstand.
  3. The risk threshold refers to measurements along the level of uncertainty or the level of impact at which a stakeholder may have a specific interest. Activities below the threshold are deemed to be acceptable risks, while those above the threshold are deemed to be intolerable risks.

Inputs to Risk Identification

The first process input to risk identification is the Project Management Plan. Within the Project Management Plan, all subsidiary plans and project baselines are kept in alignment and taken into consideration. The Project Management Plan provides the project baseline by which metrics and performance analysis pertaining to project scope, budget and schedules take place.

The next input is the Project Charter. The Charter delivers sponsor- and stakeholder-level details that pertain to their perspective on high-level project activities and thereby high-level risks. These activities and risks will be decomposed as the project team analyses project and business requirements.

The Stakeholder Register provides information pertaining to each stakeholder. It contains information in regard to their position on project activities – either pro or con – their position within the firm and their degree of influence on project activities, or their ability to influence project activities.

Expert judgment is also applied as a technique, whereby specialized training or subject matter expertise is provided by stakeholders, senior business managers, experienced project managers, consultants, and professional organizations.

In addition, brainstorming sessions, checklists, historical records of similar projects, etc. contribute significantly towards analysis and identification of potential risks.

Risk Assessment

This stage of the process is generally split into two substages: qualitative assessment and quantitative assessment.

Qualitative Analysis: A qualitative assessment allows the main risk sources or factors to be identified. The qualitative assessment is a description of each risk and its impacts, or a subjective labelling of each risk (e.g. high/medium/low) in terms of both its impact and its probability of occurrence.

The key aim is to identify the key risks, perhaps between five and ten, for each project (or part-project on large projects) which are then assessed and managed in more detail.

Quantitative Assessment: The quantitative assessment of risks often involves more sophisticated techniques, usually requiring computer software. This process requires:

  • Measurement of uncertainty in cost and time estimates
  • Probabilistic combination of individual uncertainties.
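
One way to carry out the probabilistic combination described above, as an added example that is not part of the original article: a Monte Carlo simulation over three-point cost estimates and discrete risk events. The choice of technique, the work-package names, the figures and the function names are all assumptions made for illustration.

```python
import random

# Constructed sample data (not from the article), in thousands of pounds.
# Three-point cost estimates per work package: (low, most likely, high).
COST_ITEMS = {
    "earthworks": (400, 500, 750),
    "structures": (900, 1000, 1400),
    "mechanical": (250, 300, 420),
}
# Discrete risk events: (probability of occurring, cost impact if it occurs).
RISK_EVENTS = {
    "ground contamination": (0.20, 300),
    "late supplier delivery": (0.35, 120),
}


def simulate_totals(items, events, runs=20000, seed=1):
    """Return the sorted total cost of each simulated project outcome."""
    rng = random.Random(seed)  # fixed seed keeps the analysis reproducible
    totals = []
    for _ in range(runs):
        # Measure uncertainty: draw each estimate from a triangular distribution.
        total = sum(rng.triangular(lo, hi, mode) for lo, mode, hi in items.values())
        # Combine uncertainties: add the impact of every risk that fires this run.
        total += sum(impact for prob, impact in events.values() if rng.random() < prob)
        totals.append(total)
    return sorted(totals)


def percentile(sorted_values, pct):
    """Value below which roughly pct percent of the simulated outcomes fall."""
    index = min(len(sorted_values) - 1, int(len(sorted_values) * pct / 100))
    return sorted_values[index]


def cost_summary(items, events, confidence=80, runs=20000, seed=1):
    """Base estimate, mean, P50, chosen confidence level and implied contingency."""
    totals = simulate_totals(items, events, runs, seed)
    base = sum(mode for _, mode, _ in items.values())
    at_confidence = percentile(totals, confidence)
    return {"base": base, "mean": sum(totals) / len(totals),
            "p50": percentile(totals, 50), "at_confidence": at_confidence,
            "contingency": at_confidence - base}


if __name__ == "__main__":
    for name, value in cost_summary(COST_ITEMS, RISK_EVENTS).items():
        print(f"{name:>14}: {value:,.0f}")
```

The gap between the sum of the most likely values and the cost at the chosen confidence level is one basis for the contingency set in a cost estimate.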

An initial qualitative assessment is essential. It brings considerable benefit in terms of understanding the project and its problems irrespective of whether or not a quantitative assessment is carried out. It may also serve to highlight possibilities for risk ‘closure’ i.e. the development of a specific plan to deal with a specific risk issue.

Risk Management Techniques:

The following techniques are normally applied for risk management:

  • Identifying preventive measures to avoid a risk or to reduce its effect
  • Establishing contingency plans to deal with risks if they should occur
  • Initiating further investigation to reduce uncertainty through better information
  • Considering risk transfer to insurers
  • Considering risk allocation in contracts
  • Setting contingencies in cost estimate, float in program and tolerance or ‘space’ in performance specifications.
  • Monitor and Control Work involves managing the risk register as the project progresses through the project life cycle. Two important things to make note of as the project progresses are that the probability and impact of risks can change over time, and that additional risks can surface as the project progresses, either by defect identification or additions to the scope of the project.

Tools for Managing Project Risks

No construction project is risk free. Risks need to be carefully identified, defined, analysed and allocated to the parties involved in the project. The contracting arrangements should allocate risks. Steps need to be taken to mitigate the impact of each risk and its consequences upon the program and the outturn cost.

The following are the risk management tools:

  • Early Warning Notices (EWN)
  • Program
  • Target Cost Arrangement + Pain / Gain mechanism
  • Key Performance Indicators (KPIs)
  • Monthly Reporting
  • Supply Chain Management.

Dealing with Health & Safety Risks

An important category of risks is health and safety risks, which are involved in the construction, operation and maintenance of projects.

A fundamental concept of managing these types of risks is that there is a degree of risk that is acceptable or tolerable. Above a certain threshold level, the estimated level of risk might be considered unacceptable or intolerable. Below another threshold level, the estimated level of risk might be considered small enough to be acceptable or tolerable. Between these two thresholds, the estimated level of risk should be reduced to a level which is ‘as low as reasonably practicable’ (ALARP).

In the UK, the ALARP principle forms the basis for the approach adopted by the Health and Safety Executive (HSE) for the regulation of major hazardous industries. In this context the level of risk is defined in terms of potential for fatalities. HSE has recommended that, in terms of individual risk, the upper and lower boundaries of the ALARP region are 10⁻⁴ and 10⁻⁶ fatalities per year respectively for people living close to hazardous facilities.

Making sure a risk has been reduced ALARP is about weighing the risk against the sacrifice needed to further reduce it. The decision is weighted in favour of health and safety because the presumption is that the duty-holder should implement the risk reduction measure. To avoid having to make this sacrifice, the duty-holder must be able to show that it would be grossly disproportionate to the benefits of risk reduction that would be achieved.

Thus, the process is not one of balancing the costs and benefits of measures but, rather, of adopting measures except where they are ruled out because they involve grossly disproportionate sacrifice. Extreme examples might be:

  • To spend £1m to prevent five staff suffering bruised knees is obviously grossly disproportionate; but
  • To spend £1m to prevent a major explosion capable of killing 150 people is obviously proportionate.

The following are the general principles adopted to combat risks likely to be encountered during construction, operation and maintenance of a project.

  • Avoiding risks
  • Evaluating the risks which cannot be avoided
  • Combating the risks at source
  • Adapting the work to the individual, especially as regards the design of workplaces, the choice of work equipment and the choice of working and production methods, with a view, in particular, to alleviating monotonous work and work at a predetermined work rate and to reducing their effect on health
  • Adapting to technical progress
  • Replacing the dangerous by the non-dangerous or the less dangerous
  • Developing a coherent overall prevention policy which covers technology, organisation of work, working conditions, social relationships and the influence of factors related to the working environment
  • Giving collective protective measures priority over individual protective measures
  • Giving appropriate instructions to the workers

Risk Management Plan

The Risk Management Plan becomes a subsidiary plan of the project management plan that will serve to describe how risk management work will be performed.

  • It includes the methodology to be applied to the project: approaches, tools, and data source details.
  • It outlines roles and responsibilities, identifying the lead and participants within the risk management team.
  • It details the budget required to carry out risk management activities by estimating funds required for resources needed specifically for risk management.
  • It provides for contingency and management reserves as they relate to known and unknown risks.
  • The plan also promotes timing as it relates to risk management activities such as frequency of processes to be performed, the scheduling of contingency reserves and alignment of all risk related activities to the overall project schedule.

Creating the Risk Management Plan

The Risk Management Plan defines the way risk management activities will be undertaken throughout the project. It helps provide visualization of risks throughout the project and aligns those risks to the level of tolerance and appetite that the sponsor and stakeholders have identified. All projects have some degree of risk, and that is not necessarily a bad thing. However, if the risks impact the project, it quickly becomes a bad thing, especially for a project manager.

First, the project manager will look to organizational process assets to get things going. He or she will take into consideration three project documents that will be used as inputs for the plan. They are the Project Management Plan, the Project Charter, and the Project Stakeholder Register.

In addition to the three said documents, enterprise environmental factors such as risk attitudes, thresholds and tolerance levels are considered to be inputs along with organizational process assets such as templates, terminologies, details pertaining to roles and responsibilities, levels of authority and project history – especially lessons learned.

These are used in conjunction with tools and techniques to generate the risk management plan. Analytical techniques help deliver the risk management context of the project, which is a combination of stakeholder attitudes and the degree of risk exposure. A stakeholder risk profile analysis can help determine the stakeholder’s appetite and tolerance for risk, and additional techniques such as risk matrices and scoring sheets can help determine acceptable levels of risk or areas that may require special attention.

Once analysis is complete, a risk response strategy is developed. This is the process of determining options that will provide for transparency, reduce overall negative risk, and promote positive risk activities. A risk response strategy should be cost effective; in other words, you don’t want to spend more money to mitigate the risk of a deliverable than the benefit that the deliverable will earn for the project.

The risk response will also be timely in regard to the development of project deliverables, and assume a degree of proactiveness, as compared to reacting to a risk once an impact is realized. The response strategy should be collaborative in nature, with specific action items along with action owners and time-bound expectations.

Within a risk response strategy, there are typically four actions that can take place, whereby a project team can manage to meet expectations.

  1. Risk avoidance involves changing a project deliverable to eliminate a threat or high-probability, high-impact risk. De-scoping an item from a project or applying a buy vs. build decision are examples that contribute to risk avoidance.
  2. Risk transference moves the risk to a third party that assumes ownership and responsibility for the risk.
  3. Risk mitigation reduces the probability or impact of a risk through activities that drive the risk itself down to more acceptable levels.
  4. Risk acceptance takes place when the project team decides to do nothing in regard to the risk. Typically, these are low-risk, low-impact risk situations. In this instance, passive acceptance provides for workarounds if the risk is realized, while active acceptance works to establish contingencies or tap reserves in the event the risk is realized.

Sections of Risk Management Plan

Key sections include:

  • The Risk Management Approach, which describes and summarizes how risk management activities will be applied to project artifacts, the type of analyses intended to be used, the group expected to perform the work and the timeframes relevant to planned activities. Roles and responsibilities will detail the project team members aligned to risk activities and their respective jobs that relate to risk. A risk assessment section should be added that explains how risk will be analysed and the manner by which probability and impact will be defined for analytical purposes.
  • The Risk Response Strategy will provide details relevant to options available and thresholds required for consideration.
  • The final section will cover Risk Monitor and Control activities, whereby risk tracking will detail how risks will be tracked through the project risk log and how they can transform into issues if escalation is required. Risk reporting activities will provide details regarding methods that will be used for reporting, the detail required for reporting and the frequency of the reporting, as well as the respective stakeholder in scope to receive reports. Reporting activities would include the project risk log, status reports, walk-throughs, issues logs, etc.

The remaining sections at the end of the plan pertain to space where notes can be added so lessons learned can be recorded.

Project acronyms and definitions can be included, as well as an appendix where any relevant information in support of the plan can be found. It is important to remember that the Risk Management Plan is an important subsidiary plan of the overall project management plan and thereby subject to audit and review. It is an effective tool that should be looked at and updated on a regular basis.

Risk Probability and Impact

Taking project context into consideration, different levels of risk probability and impact need to be defined to maintain the integrity and credibility of the risk analysis performed. Risks can then be prioritised based on implications to the project. The combination of probability and impact determines risk ratings such as high, moderate, or low. Those ratings are typically determined by the organization.