Documente Academic
Documente Profesional
Documente Cultură
E-mail: idc@idc-online.com
AUSTRALIA
CANADA
IRELAND
NEW ZEALAND
SINGAPORE
SOUTH AFRICA
UNITED KINGDOM
UNITED STATES
4 Risk management
Learning objective
The objective of this chapter is to set out a basis for risk management that will provide sufficient understanding of the process for implementing effective risk management for a specific project. All projects have associated risks. The extent to which risks exists for a particular project component determines how sensitive successful project outcomes are to that component. Effective project management requires that, if project outcomes are risk sensitive, relevant risks are properly managed. The procedures described in this chapter conform to definitions and processes defined in document AS/NZS 4360:2004 Risk management. A detailed review of the analytical techniques necessary to undertake comprehensive quantitative analysis is outside the scope of this chapter.
4.1
Definition of risk
Risk is the exposure to a process or event that prejudices the successful achievement of the project outcome, by adversely impacting on cost, time, or functional objectives. The elements of risk are: The likelihood of the event arising; and The consequences if it does arise The inter-relationship of these elements is shown in Figure 4.1.
50
HIGH
R a re Ca ta strophe
CONS E QU E NCE
L OW
U nlikely a nd Insignifica nt
Frequent Irritation
L OW
HIGH
L IK E L IHOOD
4.2
4.2.1
Risk management
Definitions
The following definitions will be used throughout this chapter (see Table 4.1).
Table 4.1 Risk-related definitions
Risk reduction Risk removal Risk retention Risk transfer Risk treatment
Qualitative description of probability and frequency The level of risk remaining after risk treatment measures have been adopted An informed decision to accept the likelihood and the consequences of a particular risk A systematic evaluation of available data to determine how often specified risk events occur and the magnitude of their likely consequences The process to determine risk management priorities An informed decision to avoid a particular risk by not allowing the situation whereby the risk arises The use of policies, standards and procedures to avoid, eliminate, or minimize risks The systematic application of management policies procedures and practices to the tasks of identifying, analyzing, assessing, treating and monitoring risks The use of appropriate techniques to reduce either the likelihood or consequence of a risk, or both Elimination of the risk Retaining, either intentionally or unintentionally, the losses arising from the risk Transferring the losses arising from the risk to another party Selection and implementation of a preferred option for dealing with the risk
4.2.2
Elements
The main elements of the risk management process are: Establishing the context Risk identification Risk analysis Risk assessment
Risk Management
51
4.2.3
4.2.4
4.2.5
Documentation
In order to maintain a record to facilitate ongoing reviews as well as an adequate audit trail, all components of the risk management process must be adequately documented. Sample documentation, based on that recommended within AS/NZS 4360:2004, is appended.
52
4.3
4.3.1
4.3.2
4.3.3
4.3.4
4.4
4.4.1
Risk identification
General
The purpose of this step is to identify all the risks, including those not under the control of the organisation, which may impact on the framework defined above. A systematic process is essential because a risk not identified during this step is removed from further consideration.
4.4.2
Procedure
The first step is to identify all the events that could affect all elements of the framework. The second step is to consider possible causes and scenarios for each event. The process of risk identification can be complex, and a planned approach is necessary to ensure that all sources of risk are identified. This process may involve: Identifying the key personnel associated with the project, i.e. those whose understanding of the project environment and the project processes enables them to properly appreciate the sources of risk Undertaking structured interviews with these personnel. Checklists should be used to ensure comprehensive coverage of all project elements. The objective is to determine, from each person; concerns, constraints and perceived risks within their area of expertise Organizing brainstorming sessions Engaging the services of specialist risk analysts Reviewing past experiences in this regard
Risk Management
53
4.5
4.5.1
Risk analysis
General
The objectives of risk analysis are to: Assign a level of risk to each identified event Provide data to assist the assessment and treatment processes To separate minor, acceptable risks from other requiring further consideration Risk is analyzed by consideration of the likelihood and consequence of events occurring within the context of existing controls i.e. management procedures, technical systems and risk management procedures. The analysis can be carried out to various levels of refinement by way of qualitative and quantitative analysis, or a hybrid of the two. It is necessary to avoid subjective biases when analysing the likelihood and consequences of individual risks.
4.5.2
54
Once the project-related risks have been identified, their chance of occurring and the related severity of such an occurrence have to be ascertained, together with the method and costs of addressing the issue. This is done via a conventional possibility/consequence matrix as shown in Figure 4.3.
Risk Management
55
4.5.3
56
The most common form of this analysis uses sampling techniques, normally referred to as Monte Carlo Simulation. This can only be practically undertaken using an appropriate software application package. A mathematical model of the project is developed, incorporating all relevant variables. A probability distribution is then defined for each variable, and the project model is analyzed taking into account all risks in combination. This analysis is repeated a number of times, typically 100 to 1000 passes, and at each pass the value for each variable is randomly calculated within the assigned probability distribution. The results from each analysis provide a distribution frequency of the project outcome. This establishes a mean outcome, and the range of outcomes possible. Probabilistic analysis can be performed on cost as well as project schedules. One of the better-known software packages in this regard is @RISK, although there are various alternatives on the market, some stand-alone and others as add-ons for scheduling packages such MS Project and Primavera. An example of an inexpensive software package for Monte Carlo analysis on project costs is Project Risk Analysis. The following figures show the statistical behavior of project costs for a given project (see Figure 4.4).
Figure 4.4 Project Risk Analysis: Cost distribution (Courtesy Katmar Software)
If the above bell curve distribution is integrated from left to right, it yields a so-called S curve that indicates the possibility that the cost will be less than a given value (see Figure 4.5).
Risk Management
57
From the S-curve (specific values on the X-axis are available via the Statistics function) it can be seen that, despite a mean cost of $4978 being predicted, there is only a 50% chance of that happening. In order to guarantee the cost with 99% certainty, provision has to be made for a cost of up to $5395, i.e. a contingency of $417 or 8.79% is required. An alternative to Monte Carlo Simulation is the Controlled Interval and Memory Method. On less complex analyses this technique offers great precision for less computer effort. Decision trees This method has been in use for a considerable time and provides for decision making based on a relatively crude risk assessment. Decision trees display the set of alternative values for each decision, and chance variable as branches coming out of each node. Figure 4.6 shows the decision tree for the R&D and commercialization of a new product.
58
Influence diagrams This is a relatively new technique, used as an interface with computer based risk models to facilitate development of complex risk models (see Figure 4.7).
Decisions, shown as rectangles with sharp corners (i.e. Fund R&D and Launch Product), are variables that the decision maker has the power to control. Chance variables, shown as oval shapes (Success of R&D and Market success), are uncertain and cannot be controlled directly. Objective variables, shown as hexagons (Market value), are quantitative criteria that need to be maximized (or minimized). General variables (not shown here) appear as rectangles with rounded corners, and are deterministic functions of the quantities they depend on. Arrows denote influence. If Market success influences Market value it means that knowing the extent of the Market success would directly affect the beliefs or expectations about the Market value. An influence expresses knowledge about relevance and does not necessarily imply a causal relation, or a flow of material, data, or money. Influence diagrams show the dependencies among the variables more clearly than decision trees would. Although decision trees show more details of possible paths or scenarios as sequences of branches from left to right, all variables have to be shown as discrete alternatives, even if they are actually continuous. In addition, the number of nodes in a decision tree increases exponentially with the number of decision and chance variables and, as a result, Figure 4.6 would need in excess of a hundred nodes to display the decision tree for Figure 4.7, even if we assume only three branches for each of the two decisions and two chance variables.
4.6
4.6.1
Risk assessment
General
Risk assessment is the process of comparing the levels of risks determined from the analysis process against the acceptance criteria previously established. The output from the risk assessment is a prioritised list of risks requiring further action.
4.6.2
Categories of risk
The assessment process will determine whether risks may be categorised as low or acceptable, or other. Low or acceptable risks may be accepted as they are, or with minimal further treatment, subject only to ongoing monitoring. Risks that fall into the other category are subject to a specific treatment option.
Risk Management
59
4.7
4.7.1
Risk treatment
General
Risk treatment involves identifying the range of options available for treating risks identified as requiring action in the previous stage, evaluating those options in respect of each risk, and developing and implementing risk treatment plans. Note that some risk response activities may have been undertaken during the qualitative analysis step, if the urgency of developing a response to specific risks warranted it.
4.7.2
4.7.3
4.7.4
60
4.8
4.8.1
Risk management 61
RISK REGISTER
Compiled by ______________ Date____________ Reviewed by ______________ Date____________ LIKELI-HOOD RATING ADEQUACY OF EXISTING CONTROLS CONSEQUENCE RATING
___________________________________________
ON _________________________________________
Sheet ____ of
LEVEL OF RISK
THE RISK
CAUSE LIKELIHOOD CONSEQUENCES
RIPTION
Sheet ____ of _
Risk management 63
RESPONSIBILIT
REF
DATE
ACTION COMPLETE