Risk Management

E-mail: idc@idc-online.com

Web Site: www.idc-online.com

AUSTRALIA

CANADA

IRELAND

NEW ZEALAND

SINGAPORE

SOUTH AFRICA

UNITED KINGDOM

UNITED STATES

4 Risk management

Learning objective
The objective of this chapter is to set out a basis for risk management that will provide sufficient understanding of the process for implementing effective risk management for a specific project. All projects have associated risks. The extent to which risks exists for a particular project component determines how sensitive successful project outcomes are to that component. Effective project management requires that, if project outcomes are risk sensitive, relevant risks are properly managed. The procedures described in this chapter conform to definitions and processes defined in document AS/NZS 4360:2004 Risk management. A detailed review of the analytical techniques necessary to undertake comprehensive quantitative analysis is outside the scope of this chapter.

4.1

Definition of risk
Risk is the exposure to a process or event that prejudices the successful achievement of the project outcome, by adversely impacting on cost, time, or functional objectives. The elements of risk are: The likelihood of the event arising; and The consequences if it does arise The inter-relationship of these elements is shown in Figure 4.1.

50

Practical project management for engineers and technicians

HIGH

R a re Ca ta strophe

Common Disa ster

CONS E QU E NCE

L OW

U nlikely a nd Insignifica nt

Frequent Irritation

L OW

HIGH

L IK E L IHOOD

Figure 4.1 Probability-impact matrix

4.2
4.2.1

Risk management
Definitions
The following definitions will be used throughout this chapter (see Table 4.1).
Table 4.1 Risk-related definitions

Likelihood Residual risk Risk acceptance Risk analysis

Risk assessment Risk avoidance Risk control Risk management

Risk reduction Risk removal Risk retention Risk transfer Risk treatment

Qualitative description of probability and frequency The level of risk remaining after risk treatment measures have been adopted An informed decision to accept the likelihood and the consequences of a particular risk A systematic evaluation of available data to determine how often specified risk events occur and the magnitude of their likely consequences The process to determine risk management priorities An informed decision to avoid a particular risk by not allowing the situation whereby the risk arises The use of policies, standards and procedures to avoid, eliminate, or minimize risks The systematic application of management policies procedures and practices to the tasks of identifying, analyzing, assessing, treating and monitoring risks The use of appropriate techniques to reduce either the likelihood or consequence of a risk, or both Elimination of the risk Retaining, either intentionally or unintentionally, the losses arising from the risk Transferring the losses arising from the risk to another party Selection and implementation of a preferred option for dealing with the risk

4.2.2

Elements
The main elements of the risk management process are: Establishing the context Risk identification Risk analysis Risk assessment

Risk Management

51

Risk treatment Monitoring and reviewing

4.2.3

Benefits and costs

The benefits from applying risk management accrue to both the project team and to the project sponsor. These benefits include: Providing a more informed basis for committing to the project financially An increased understanding of the project, leading to better planning Development of more suitable project processes (e.g. contracting arrangements) Facilitation of more rational risk taking Improving the distinction between good luck and good management The cost of applying risk management to a project varies, as a function of the scope of the project and the depth to which the process is applied. Costs can be very low (say, a few hours) at one end of the scale, and ranging up to several percent of the total management costs if done in depth and as an ongoing process throughout all project phases.

4.2.4

Application of risk management

Risk management is applicable to all projects. While this may be obvious, it is the widespread experience of project managers that it is difficult to convince clients to adopt comprehensive risk management processes. While it is clearly of great relevance on large or complex projects, it will provide benefits on all projects except on recurring projects being undertaken in an unchanging environment - if such a situation ever arises. Risk management is a continuous process that can be initiated at any point in the project cycle, and continued until the costs of maintaining the process exceed the potential benefits. It has the greatest potential benefits if used early on in the project. The following points within a project should be specifically addressed within the risk management processes: During the feasibility study - to assist the selection of implementation strategies At the time of client commitment - to properly understand the real exposure to risk At time of tender - by contracting parties Post tender - by the project manager to assess the likely performance of the contractors During implementation - to monitor existing and emerging risks and amend and/or develop appropriate management strategies

4.2.5

Documentation
In order to maintain a record to facilitate ongoing reviews as well as an adequate audit trail, all components of the risk management process must be adequately documented. Sample documentation, based on that recommended within AS/NZS 4360:2004, is appended.

52

Practical project management for engineers and technicians

4.3
4.3.1

Establishing the context

General
The outputs from this step are: Definition of the elements within the project to define a structure for the identification and analysis of risks; and Definition of risk assessment criteria directly related to the policies, objectives and interests of stakeholders This process reviews the strategic, organizational and project contexts.

4.3.2

The strategic context

This analysis reviews the operating environment of the organisation. The purpose is to identify factors that enhance or impair the ability of the organisation to manage risks. This includes the financial, operational, competitive, political, legal, social, and cultural aspects of the operating environment.

4.3.3

The organizational context

This analysis is directed at defining the capabilities of the organisation, its goals, objectives and strategies.

4.3.4

The project context

This analysis is directed to the specific project objectives and its component technologies, activities, timing and physical environment.

4.4
4.4.1

Risk identification
General
The purpose of this step is to identify all the risks, including those not under the control of the organisation, which may impact on the framework defined above. A systematic process is essential because a risk not identified during this step is removed from further consideration.

4.4.2

Procedure
The first step is to identify all the events that could affect all elements of the framework. The second step is to consider possible causes and scenarios for each event. The process of risk identification can be complex, and a planned approach is necessary to ensure that all sources of risk are identified. This process may involve: Identifying the key personnel associated with the project, i.e. those whose understanding of the project environment and the project processes enables them to properly appreciate the sources of risk Undertaking structured interviews with these personnel. Checklists should be used to ensure comprehensive coverage of all project elements. The objective is to determine, from each person; concerns, constraints and perceived risks within their area of expertise Organizing brainstorming sessions Engaging the services of specialist risk analysts Reviewing past experiences in this regard

Risk Management

53

4.5
4.5.1

Risk analysis
General
The objectives of risk analysis are to: Assign a level of risk to each identified event Provide data to assist the assessment and treatment processes To separate minor, acceptable risks from other requiring further consideration Risk is analyzed by consideration of the likelihood and consequence of events occurring within the context of existing controls i.e. management procedures, technical systems and risk management procedures. The analysis can be carried out to various levels of refinement by way of qualitative and quantitative analysis, or a hybrid of the two. It is necessary to avoid subjective biases when analysing the likelihood and consequences of individual risks.

4.5.2

Qualitative risk analysis

Once the risks associated with every area of the project have been identified, the impacts of these risks are assessed qualitatively. Where the impact that the risks within specific areas have on the overall project may be different, the resulting impacts need to be evaluated independently. All identified risks are categorised into low/high probability, and low/high impact classifications. Initial responses for the significant risks should be developed at this stage. If risks requiring immediate response are identified, then the initial response should be implemented. A proposed response to an initial risk may result in consequential risks not initially present. These are known as secondary risks. Secondary risks need to be included in the risk assessment process as they may dictate that a proposed response to a primary risk is not acceptable. This analysis can be performed with software such as RiskTrak. The advantage of using software is that it ensures that few questions are left un-asked, and also provides a database with all risks, their assessment and methods of addressing them that can be accessed by the entire project team. Interviews are conducted in general or specific project. Figure 4.2 shows the interviewing in progress.

54

Practical project management for engineers and technicians

Figure 4.2 Risk interview in progress (Courtesy RiskTrak)

Once the project-related risks have been identified, their chance of occurring and the related severity of such an occurrence have to be ascertained, together with the method and costs of addressing the issue. This is done via a conventional possibility/consequence matrix as shown in Figure 4.3.

Risk Management

55

Figure 4.3 Risk appraisal (Courtesy RiskTrak)

4.5.3

Quantitative risk analysis

A quantitative risk analysis enables the impacts of the risks to be quantified with respect to the three fundamental project success criteria: time, cost and functionality. The techniques outlined below have been developed for analysing the effects of risks on the time and cost outcomes of projects, and are in common use. These techniques are well documented in the literature, and a detailed treatment is outside of the scope of this chapter. These techniques are often not applicable to analysing risk impacts on functionality objectives. Sensitivity analysis Generally considered to be the simplest analytical technique to apply, this analysis determines the effect on the desired dimension of the project - i.e. time, cost, functionality from changing each one of the risk variables independently. The resulting Sensitivity Diagrams - one for each project dimension modeled - identifies impact each variable has on project outcome, and what those impacts are. By inspection, the critical variables are apparent. This provides the opportunity to develop a risk management strategy that targets the most critical risks. Probabilistic analysis Probabilistic analysis is an analysis to identify the frequency distribution for a desired project outcome, e.g. total project cost, internal rate of return or total project duration.

56

Practical project management for engineers and technicians

The most common form of this analysis uses sampling techniques, normally referred to as Monte Carlo Simulation. This can only be practically undertaken using an appropriate software application package. A mathematical model of the project is developed, incorporating all relevant variables. A probability distribution is then defined for each variable, and the project model is analyzed taking into account all risks in combination. This analysis is repeated a number of times, typically 100 to 1000 passes, and at each pass the value for each variable is randomly calculated within the assigned probability distribution. The results from each analysis provide a distribution frequency of the project outcome. This establishes a mean outcome, and the range of outcomes possible. Probabilistic analysis can be performed on cost as well as project schedules. One of the better-known software packages in this regard is @RISK, although there are various alternatives on the market, some stand-alone and others as add-ons for scheduling packages such MS Project and Primavera. An example of an inexpensive software package for Monte Carlo analysis on project costs is Project Risk Analysis. The following figures show the statistical behavior of project costs for a given project (see Figure 4.4).

Figure 4.4 Project Risk Analysis: Cost distribution (Courtesy Katmar Software)

If the above bell curve distribution is integrated from left to right, it yields a so-called S curve that indicates the possibility that the cost will be less than a given value (see Figure 4.5).

Risk Management

57

Figure 4.5 S-curve (Courtesy Katmar software)

From the S-curve (specific values on the X-axis are available via the Statistics function) it can be seen that, despite a mean cost of $4978 being predicted, there is only a 50% chance of that happening. In order to guarantee the cost with 99% certainty, provision has to be made for a cost of up to $5395, i.e. a contingency of $417 or 8.79% is required. An alternative to Monte Carlo Simulation is the Controlled Interval and Memory Method. On less complex analyses this technique offers great precision for less computer effort. Decision trees This method has been in use for a considerable time and provides for decision making based on a relatively crude risk assessment. Decision trees display the set of alternative values for each decision, and chance variable as branches coming out of each node. Figure 4.6 shows the decision tree for the R&D and commercialization of a new product.

Figure 4.6 Decision tree (Courtesy Analytica)

58

Practical project management for engineers and technicians

Influence diagrams This is a relatively new technique, used as an interface with computer based risk models to facilitate development of complex risk models (see Figure 4.7).

Figure 4.7 Influence diagram (Courtesy Analytica)

Decisions, shown as rectangles with sharp corners (i.e. Fund R&D and Launch Product), are variables that the decision maker has the power to control. Chance variables, shown as oval shapes (Success of R&D and Market success), are uncertain and cannot be controlled directly. Objective variables, shown as hexagons (Market value), are quantitative criteria that need to be maximized (or minimized). General variables (not shown here) appear as rectangles with rounded corners, and are deterministic functions of the quantities they depend on. Arrows denote influence. If Market success influences Market value it means that knowing the extent of the Market success would directly affect the beliefs or expectations about the Market value. An influence expresses knowledge about relevance and does not necessarily imply a causal relation, or a flow of material, data, or money. Influence diagrams show the dependencies among the variables more clearly than decision trees would. Although decision trees show more details of possible paths or scenarios as sequences of branches from left to right, all variables have to be shown as discrete alternatives, even if they are actually continuous. In addition, the number of nodes in a decision tree increases exponentially with the number of decision and chance variables and, as a result, Figure 4.6 would need in excess of a hundred nodes to display the decision tree for Figure 4.7, even if we assume only three branches for each of the two decisions and two chance variables.

4.6
4.6.1

Risk assessment
General
Risk assessment is the process of comparing the levels of risks determined from the analysis process against the acceptance criteria previously established. The output from the risk assessment is a prioritised list of risks requiring further action.

4.6.2

Categories of risk
The assessment process will determine whether risks may be categorised as low or acceptable, or other. Low or acceptable risks may be accepted as they are, or with minimal further treatment, subject only to ongoing monitoring. Risks that fall into the other category are subject to a specific treatment option.

Risk Management

59

4.7
4.7.1

Risk treatment
General
Risk treatment involves identifying the range of options available for treating risks identified as requiring action in the previous stage, evaluating those options in respect of each risk, and developing and implementing risk treatment plans. Note that some risk response activities may have been undertaken during the qualitative analysis step, if the urgency of developing a response to specific risks warranted it.

4.7.2

Identifying treatment options

Risk treatment options include the following. These options may not necessarily be mutually exclusive, or appropriate in all circumstances. Risk avoidance means not proceeding with the activity or situation giving rise to the risk Risk removal eliminates either the likelihood or the consequences of the risk Risk reduction reduces either the likelihood (e.g. by training programmes, QA programmes, preventative maintenance, etc) or the consequences (e.g. by contingency planning, design features, isolation of activity, etc) Risk transfer transfers all or part of the risk to another party. Mechanisms include the use of contracts, insurance, and organisational structures (e.g. a joint venture) Risk acceptance, if necessary, can be adopted in conjunction with an appropriate risk financing plan There are two additional classifications for risk treatment responses, viz. immediate or contingency. An immediate response is one where the project plan is amended in order for the identified risk to be avoided, or its impact minimized A contingency response is one where provision is made within the project plan for a contingent course of action that will only be initiated if the risk occurs

4.7.3

Evaluating treatment options

Options generated for risk treatment should be evaluated on the basis of the extent of risk reduction versus the costs of doing so, taking into account the risk assessment criteria previously developed. Clearly large reductions in risk where achieved for relatively low cost should be implemented. Other opportunities may be less easily justified on economic grounds, including the need to consider rare but severe risks that cannot be economically justified, but which could be fatal if they arose. Some risks provide benefits (e.g. adoption of new technology) that need to be factored into the evaluation.

4.7.4

Developing risk treatment plans

Treatment plans document how the selected treatment options will be implemented. They define responsibilities, time frames, expected outcomes, budgets, performance measures and planned reviews. Effective implementation of the risk treatment plan, including undertaking the planned reviews, requires appropriate management input on an ongoing basis. This should be addressed within the project planning.

60

Practical project management for engineers and technicians

4.8
4.8.1

Monitoring and review

General
Monitoring and review of all elements of the risk management programme is essential. The specific risks themselves, as well as the effectiveness of the control measures, need to be monitored. Few risks remain static and factors impacting on the likelihood or consequences may change. Changing circumstances may alter earlier priorities, and factors impacting on the cost/benefit of management strategies may vary. If, following treatment for a specific risk, there is still a residual risk, then the management of that risk needs to be investigated.

Risk management 61

RISK REGISTER
Compiled by ______________ Date____________ Reviewed by ______________ Date____________ LIKELI-HOOD RATING ADEQUACY OF EXISTING CONTROLS CONSEQUENCE RATING

___________________________________________

ON _________________________________________

Sheet ____ of
LEVEL OF RISK

THE RISK
CAUSE LIKELIHOOD CONSEQUENCES

RIPTION

ASHCROFT & ASSOCIATES LTD

62 Practical project management for engineers and technicians

RISK TREATMENT SCHEDULE

PROJECT___________________________________________________ FUNCTION/ACTIVITY _________________________________________ THE RISK (BY PRIORITY) REF DESCRIPTION TREATMEN T OPTIONS RATING AFTER TREATMENT COST BENEFIT ANALYSIS Compiled by_________________ Date_______

Sheet ____ of _

Reviewed by_________________ Date_______

PREFERRED OPTIONS TIMETABLE FOR IMPLEMENTATON PERSON RESPONSIBLE REVIEW SCHEDULE

ASHCROFT & ASSOCIATES LTD

Risk management 63

RISK ACTION PLAN

PROJECT __________________________________________ FUNCTION/ACTIVITY________________________

PROPOSED ACTION

Compiled by __________________ Date ________

Reviewed by __________________ Date ________

RESOURCE REQUIREMENTS TIMING

REF DATE BY
REVIEW ACTION

RESPONSIBILIT

MONITOR & REVIEW PLAN

REF

DATE

REVIEW COMMENT/ACTION REQUIRED

ACTION COMPLETE

MONITOR & REVIEW RECORD

ASHCROFT & ASSOCIATES LTD

64 Practical project management for engineers and technicians