Risk management

Every day we take risks. If we cross the street we risk being run over. If we go down the stairs, we risk missing a step and tumbling down. Taking risks is such a common occurrence, that we tend to ignore it. Indeed, life would be unbearable if we constantly worried whether we should or should not carry out a certain task or take an action, because the risk is, or is not, acceptable.

With projects, however, this luxury of ignoring the risks cannot be permitted. By their very nature, because projects are inherently unique and often incorporate new techniques and procedures, they are risk prone and risk has to be considered right from the start. It then has to be subjected to a disciplined regular review and investigative procedure known as risk management.

Before applying risk management procedures, many organizations produce a risk management plan. This is a document produced at the start of the project which sets out the strategic requirements for risk assessment and the whole risk management procedure. In certain situations the risk management plan should be produced at the estimating or contract tender stage to ensure that adequate provisions are made in the cost build-up of the tender document.

The project management plan (PMP) should include a résumé of the risk management plan, which will first of all define the scope and areas to which risk management applies, particularly the risk types to be investigated. It will also specify which techniques will be used for risk identification and assessment, whether SWOT (strengths, weaknesses, opportunities and threats) analysis is required and which risks (if any) require a more rigorous quantitative analysis such as Monte Carlo simulation methods.

The risk management plan will set out the type, content and frequency of reports, the roles of risk owners and the definition of the impact and probability criteria in qualitative and/or quantitative terms covering cost, time and quality/performance. The main contents of a risk management plan are as follows:

• General introduction explaining the need for the risk management process;

• Project description. Only required if it is a stand-alone document and not part of the PMP;

• Types of risks. Political, technical, financial, environmental, security, safety, programme, etc.;

• Risk processes. Qualitative and/or quantitative methods, max. nos of risks to be listed;

• Tools and techniques. Risk identification methods, size of P-I matrix, computer analysis, etc.;

• Risk reports. Updating periods of risk register, exception reports, change reports, etc.;

• Attachments. Important project requirements, dangers, exceptional problems, etc.

The risk management plan of an organization should follow a standard pattern in order to increase its familiarity (rather like standard conditions of contract) but each project will require a bespoke version to cover its specific requirements and anticipated risks.

Risk management consists of the following five stages, which, if followed religiously, will enable one to obtain a better understanding of those project risks which could jeopardize the cost, time, quality and safety criteria of the project. The first three stages are often referred to as qualitative analysis and are by far the most important stages of the process.

Stage 1: Risk awareness

This is the stage at which the project team begins to appreciate that there are risks to be considered. The risks may be pointed out by an outsider, or the team may be able to draw on their own collective experience. The important point is that once this attitude of mind has been achieved, i.e. that the project, or certain facets of it, are at risk, it leads very quickly to...

Stage 2: Risk identification

This is essentially a team effort at which the scope of the project, as set out in the specification, contract and WBS (see Chapter 5) (if drawn) is examined and each aspect investigated for a possible risk.

To get the investigation going, the team may have a brainstorming session and use a prompt list (based on specific aspects such as legal or technical problems) or a checklist compiled from risk issues from similar previous projects. It may also be possible to obtain expert opinion or carry out interviews with outside parties. The end product is a long list of activities which may be affected by one or a number of adverse situations or unexpected occurrences. The risks which generally have to be considered may be:

• Environmental

• Operational

• Commercial

New technology or materials. Test failures;

Unforeseen weather conditions. Traffic restrictions;

New systems and procedures. Training needs;

Established customs and beliefs. Religious holidays;

Freeze on capital. Bankruptcy of stakeholder. Currency fluctuation;

Local laws. Lack of clarity of contract;

Change in market conditions or customers;

Shortage of staff, operatives or materials;

Slow-down in economy, change in commodity prices;

Change of government or government policy.

Safety. Theft. Vandalism.

The following list gives the advantages and disadvantages of the more usual risk identification methods:

Brainstorming Advantages:


Prompt list Advantages:





Wide range of possible risks suggested for consideration; Involves a number of stakeholders. Time consuming;

Requires firm control by facilitator.

Gives benefit of past problems;

Saves time by focusing on real possibilities;

Easy to discuss.

Restricts suggestions to past experience; Past problems may not be applicable.

Similar to prompt list; Company standards Similar to prompt list.

Work breakdown structure Advantages:

Disadvantages: Delphi technique Advantages:


Asking experts



Focused on specific project risks;

Quick and economical.

May limit scope of possible risks.

Offers wide experience of experts; Can be wide ranging. Time consuming if experts are far away; Expensive if experts have to be paid; Advice may not be specific enough.

As Delphi. As Delphi.

At this stage it may be possible to identify who is best to manage each risk. This person becomes the risk owner.

To reduce the number of risks being seriously considered from what could well be a very long list, some form of screening will be necessary. Only those risks which pass certain criteria need be examined more closely, which leads to the next stage .. .

Stage 3: Risk assessment

This is the qualitative stage at which the two main attributes of a risk, probability and impact, are examined.

The probability of a risk becoming a reality has to be assessed using experience and/or statistical data such as historical weather charts or close-out reports from previous projects. Each risk can then be given a probability rating of HIGH, MEDIUM or LOW.

In a similar way, by taking into account all the available statistical data, past project histories and expert opinion, the impact or effect on the project can be rated as SEVERE, MEDIUM or LOW.

A simple matrix can now be drawn up which identifies whether a risk should be taken any further. Such a matrix is shown in Figure 16.1.


Medium o a

Low Medium High Probability

Figure 16.1 Probability versus impact table. Such a table could be used for each risk worthy of further assessment, and to assess, for example, all major risks to a project or programme

Each risk can now be given a risk number, so that it is now possible to draw up a simple chart which lists all the risks so far considered. This chart will show the risk number, a short description, the risk category, the probability rating, the impact rating (in terms of high, medium or low) and the risk owner who is charged with monitoring and managing the risk during the life of the project. Figure 16.2 shows the layout of such a chart. A quantitative analysis can now follow. This is known as...

Stage 4: Risk evaluation

It is now possible to give comparative values, often on a scale 1 to 10, to the probability and impact of each risk and by drawing up a matrix of the risks, an order of importance or priority can be established. By multiplying the impact rating by the probability rating, the exposure rating is obtained. This is a convenient indicator which may be used to reduce the list to only the top dozen that require serious attention, but an eye should nevertheless be kept on even the minor ones, some of which may suddenly become serious if unforeseen circumstances arise.

An example of such a matrix is shown in Figure 16.3. Clearly the higher the value, the greater the risk and the more attention it must receive to manage it.




Risk No.


Probability rating

Impact rating

Risk owner

Figure 16.2 Risk Summary Chart

Exposure table



Very low




Very high


Very high














Very Low


Figure 16.3 Exposure table

Figure 16.3 Exposure table o ! 3


(A) 15

Risk A

Impact = 3

Probability = 5

Risk B

Impact = 3

Probability = 3

2 3 4 Probability

Figure 16.4 5x5 matrix

2 3 4 Probability


Risk A

Impact = 3

Probability = 5

Risk B

Impact = 3

Probability = 3

Figure 16.4 5x5 matrix

Another way to quantify both the impact and probability is to number the ratings as shown in Figure 16.4 from 1 for very low to 5 for very high. By multiplying the appropriate numbers in the boxes, a numerical (or quantitative) exposure rating is obtained, which gives a measure of seriousness and hence importance for further investigation.

For example, if the impact is rated 3 (i.e. medium) and the probability 5 (very high), the exposure rating is 3 x 5 = 15.

Further sophistication in evaluating risks is possible by using some of the computer software developed specifically to determine the probability of occurrence. These programs use sampling techniques like 'Monte Carlo simulations' which carry out hundreds of iterative sampling calculations to obtain a probability distribution of the outcome.

One application of the Monte Carlo simulation is determining the probability to meet a specific milestone (like the completion date) by giving three time estimates to every activity. The program will then carry out a great number of iterations resulting in a frequency/time histogram and a cumulative 'S' curve from which the probability of meeting the milestone can be read off (see Figure 16.5).

At the same time a Tornado diagram can be produced, which shows the sensitivity of each activity as far as it affects the project completion (see Figure 16.6).

Other techniques such as sensitivity diagrams, influence diagrams and decision trees have all been developed in an attempt to make risk analysis more accurate or more reliable. It must be remembered, however, that any answer is only as good as the initial assumptions and input

Figure 16.5 Frequency/time histogram












H 1


0 5 10 15 20 25 30 35 40 45 50 55 60 % sensitivity

Figure 16.6 Tornado diagram data, and the project manager must give serious consideration as to the cost effectiveness of theses methods for his/her particular project.

Stage 5: Risk management

Having listed and evaluated the risks and established a table of priorities, the next stage is to decide how to manage the risks; in other words, what to do about them and who should be responsible for managing them. For this purpose it is advisable to appoint a risk owner for every risk which has to be monitored and controlled. A risk owner may, of course, be responsible for a number or even all the risks. There are a number of options available to the project manager when faced with a set of risks. These are:

• mitigation

• contingency

These options are perhaps most easily explained by a simple example.

The owner of a semi-detached house decides to replace part of his roof with solar panels to save on his hot water heating bill. The risks in carrying out this work are as follows:

Risk 1 The installer may fall off the roof;

Risk 2 The roof may leak after completion;

Risk 3 The panels may break after installation;

Risk 4 Birds may befoul the panels;

Risk 5 The electronic controls may not work;

Risk 6 The heat recovered may not be sufficient to heat the water on a cold day;

Risk 7 It may not be possible to recover the cost if the house is sold within 2-3 years;

Risk 8 The cost of the work will probably never pay for itself; Risk 9 The cost may escalate due to unforeseen structural problems.

These risks can all be managed by applying one or several of the above options:































Employ a builder who is covered by insurance;

Insist on a two-year guarantee for the work (at least two season cycles);

Add the panel replacement to the house insurance policy;

Provide access for cleaning (this may increase the cost);

Ensure a control unit is used which has been proven for a number of years;

Provide for an electric immersion heater for cold spells; Wait 3 years before selling the house; This is a risk one must accept if the work goes ahead, or Don't go ahead with the work;

Persuade the neighbour in the adjoining house to install a similar system at the same time.

Project Management Made Easy

Project Management Made Easy

What you need to know about… Project Management Made Easy! Project management consists of more than just a large building project and can encompass small projects as well. No matter what the size of your project, you need to have some sort of project management. How you manage your project has everything to do with its outcome.

Get My Free Ebook

Post a comment