The

Management
of Risk
♦
An Information Paper
 The Management of Risk

Published by RICS Business Services Limited

a wholly owned subsidiary of
The Royal Institution of Chartered Surveyors
under the RICS Books imprint
Surveyor Court
Westwood Business Park
Coventry CV4 8JE
UK

No responsibility for loss occasioned to any person acting or

refraining from action as a result of the material included in
this publication can be accepted by the author or publisher.

Produced by the Construction Planning and Procurement

Panel of the Royal Institution of Chartered Surveyors.

ISBN 1 84219 011 3

© RICS 2000. Copyright in all or part of this publication

rests with the RICS, and save by prior consent of the RICS, no part or
parts shall be reproduced by any means electronic, mechanical,
photocopying, recording or otherwise, now known or to be devised.

2
 The Management of Risk

CONTENTS

Page

Information Papers 4

Introduction 5

Definitions 5

The Rationale for Risk Management in the Construction Process 6

The Risk Management Process 8

Summary 15

Further Reading 16

3
 The Management of Risk

INFORMATION PAPERS

This is an information paper. Information papers are intended to provide information

and explanations to members of the RICS on specific topics of relevance to the
profession. The function of this paper is not to recommend or advise on professional
procedures to be followed by surveyors.

It is, however, relevant to professional competence to the extent that a surveyor

should be up to date and should have informed him or herself of information papers
within a reasonable time of their promulgation.

Members should note that when an allegation of professional negligence is made

against a surveyor, the court is likely to take account of the contents of any relevant
information papers published by the RICS in deciding whether or not the surveyor
has acted with reasonable competence.

4
 The Management of Risk

INTRODUCTION

Risk is present in all projects and surveyors are routinely involved in making
decisions which have a major impact on risk. Risk management is concerned with
establishing a set of procedures by which risk is managed, rather than being dealt
with by default. Major clients, such as Railtrack and BAA, already have formal
procedures in place for managing risk. Other clients are likely to seek guidance from
their professional advisers, which includes surveyors, on how best to deal with risk.

The effective management of risk can only be achieved by the actions of the whole
project team, including the client. The role of a risk manager is to facilitate input into
the project management process such that risk is effectively dealt with. With further
training surveyors are well placed to undertake the role of risk manager. The role can
be either full- or part-time, combined with other responsibilities on the project.

The risk management process outlined in this information paper can be applied to
any procurement route and to new build or refurbishment-based projects, regardless
of cost or technical complexity.

Risk management formalises the intuitive approach to risk which project teams often
undertake. By utilising a formal approach, risk may be managed in a more proactive
manner. Essentially, there are three steps to perform:
• identification – collect the information available which might affect the
achievement of an objective;
• analysis – assess to what extent these aspects might affect the objective; and
• response – review what can be done to limit this effect.

In addition, there needs to be an overall management strategy such that this three-
step process is implemented in a co-ordinated fashion. This information paper
provides an overview of the principals of risk management. The procedures outlined
should produce a framework that can be utilised on the majority of construction
projects. Surveyors who want to specialise in the application of risk management are
advised to undertake further training in this area with a recognised training provider.

DEFINITIONS

In the context of this information paper, risk management is considered to be a

process for identifying, assessing and responding to risks associated with delivering
an objective, for example, a construction project, and the focus is on commercial type
risks. Health and safety related risks are likely to need separate consideration and
the Health and Safety Executive (HSE) provide specialist guidance in this area.
Definitions for key terms used in this section are:

Risk: An uncertain event which, should it occur, will have an effect on the
achievement of the project’s objectives. A risk can be measured in terms of likelihood
(probability) and consequence (impact).

Risk management: A structured and auditable process for the benefit of all
members of the project team which is dedicated to the sole purpose of controlling
and mitigating uncertainty in a project.

5
 The Management of Risk

Risk identification: The utilisation of methods assessed as effective and appropriate

(desk-top studies, interviews, brainstorming, etc.) to collate all the potential
uncertainties in delivering an objective.

Risk analysis: An adequate and effective assessment of the individual and

combined effect of identified risks on the successful delivery of the objective.

Risk response: An action to reduce either the probability of risk arising or the
significance of its detrimental impact if it should arise.

Risk management plan: An auditable document which describes the risk

management approach (identification, analysis and response) to be adopted for a
specific project or objective delivery and which states who should undertake it and
when.

Risk register: A document listing all the risks identified for the project, explaining the
nature of each risk and recording information relevant to its assessment and
management.

THE RATIONALE FOR RISK MANAGEMENT IN THE CONSTRUCTION

PROCESS

Surveyors will invariably be called upon to advise clients as to whether they should
undertake risk management on their project. While the benefits of risk management
may not be immediately apparent to clients, the direct costs of undertaking the
process will be.

In appreciating the benefits of risk management, certain principles should be adhered

to:
• risk management is an awareness of uncertainty;
• awareness of uncertainty can lead to positive attributes if recognised early
enough;
• risk management will add both direct and secondary benefits to the delivery of any
objective;
• the management of risk must not remove incentive;
• allocation of risk is to be gauged by the various parties’ abilities to bear and
control that risk;
• complete transfer of risk is rarely wholly effective;
• information about and perception of a risk are fundamental to its assessment and
acceptance; and
• all risks change with time and any action (or inaction) taken (or not taken) upon
them.

The demands of delivering a construction project are extremely onerous. The desire
to deliver projects cheaper and faster, while moving closer to the boundaries of
innovative design, all increase the risk profile of a project. In this respect risk is good,
without it there would be no opportunity. It is the very presence of risk that represents
the opportunity for a building project to go ahead in the first place.

6
 The Management of Risk

The Recognition of Uncertainty

By undertaking risk management, it is possible to ensure that clients appreciate just

how sensitive their projects are to changing circumstances. This leads to:
• increased confidence in achieving the project objectives and therefore improved
chances of success;
• ‘surprises’ being reduced, such as cost and/or time overruns and/or forced
compromises of performance objectives. These surprises usually result in ‘fire
fighting’ and the ineffective application of urgent remedial measures;
• identification of opportunities as risks are diminished, perhaps by relaxing
overcautious practices such as duplicating insurances or seeking performance
bonds unnecessarily;
• all ranges of parameters which might affect the project being incorporated, rather
than a single-point estimate (for example, the cost for bricks can be between
£200 and £300 per 1000 rather than £225); and
• allowing the team to recognise and understand the composition of contingencies,
thus avoiding duplicating any allowance already made.

Justifiable Decision Making

Risk management allows decision making to be based on an assessment of known

variables. Judgement can become far more objective and justification for action (or
inaction) demonstrable both at the time and at a later date, should it be questioned.
There are a wide range of techniques which can be utilised to facilitate effective
decision making. The use of risk management provides an audit trail which can be
used should problems occur during later stages of the project.

Team Development

During risk management workshops a ‘snapshot’ of what might happen to the

delivery of a project is taken. During the workshops the project team discusses its
concerns and agrees a common way forward. As with other types of facilitated
workshops, such as value management, this benefit alone can justify undertaking risk
management. The advantages are:
• it facilitates team development;
• it is a communication tool;
• it opens up discussion on what could go wrong without fear of penalty;
• it acknowledges but transcends contractual restrictions;
• it challenges preconceptions; and
• it affirms the project procedures.

Risk management is not a panacea and there are likely to be times when it may not
be effective to practice all its facets. However, the delivery of any objective can be
made more effective if the risks are fully appreciated. There is a need for
appreciation of risk not just its analysis. The extent of analysis necessary is related to
the extent to which the cumulative effects of risks can be appreciated.

Risk management, together with other services provided, should be flexible, adapting
to the circumstances of the client’s needs and the project. Some clients require a

7
 The Management of Risk

snapshot of the risks at the outset of the project, with an initial risk assessment, the
provision of a one-off risk register and a quick estimate of the combined effect. Other
projects may require a full risk management service with risk being continually
addressed throughout the project.

A concern often voiced by clients is how to quantify the benefits of risk management.
Since risk management has a major emphasis on reducing potentially detrimental
effects, it is not usually politic to demonstrate its effective application as having
minimised the impact of cost overrun to, say, 15 per cent.

Furthermore, the actual impact of risk is unique to a project even though its presence
may be commonplace. The risk management process may not be at fault just
because risks were realised. Indeed, if no risks were realised, the effectiveness of
risk assessment would be questioned because without risk there would be no
opportunity.

THE RISK MANAGEMENT PROCESS

There are three basic steps to the risk management process; identification, analysis
and response.

Risk Identification Risk Analysis Risk Response

A risk cannot be managed effectively unless it is identified. The earlier a risk is

identified, the more time is available for analysis and the development of a suitable
response. The process is a linear one and is designed to be proactive. Unfortunately,
most risk is still dealt with in a reactive manner where a response has to be devised
and implemented as soon as the risk arises. This reactive response does not allow
any time for identification and analysis and the right response may not always be
implemented.

The risk management process also needs to be integrated into the project
management process. Since any risk management workshop or assessment is a
snapshot in time, the process has to be undertaken on a repetitive basis. Essentially,
the risk management process should be commenced as early as possible in a project
life cycle and each of the three stages repeated as necessary to effectively manage
the risks associated with that project. At the commencement of the process a risk
management plan should be developed. The risk management plan is similar in
nature to the project execution plan and may form part of that document.

Risk Identification

The identification stage should commence as early as possible, preferably as part of

any feasibility study for the project. One of the key principals is that the identification
of risks should be undertaken at various stages of the project life cycle. Identification
is not just undertaken at the start of the project and then simply monitored during
construction. The construction phase itself will generate new risks and the project

8
 The Management of Risk

team is expanded by new members in the form of trade contractors who can bring
additional information to the risk identification process.

(a) Methodology

(i) Structured identification of all sources of risk to the project

The risk management process is based on the concept of providing a structured
approach to dealing with risk. It may seem obvious that ground conditions are one
source of risk, but how would this impact on other risks that might be identified on the
project? It is this inter-relationship between risks that can only be drawn out through
the use of a structured workshop and identification methods where the whole project
team have the ability to contribute.

(ii) Preliminary analysis to establish probable major risks for further investigation
The identification stage is designed to prompt team thinking and to bring out all
possible risks that might impact on the project. Several hundred risks could be
identified and the team may not have time to analyse and develop responses to them
all. It is normal during the identification stage to begin by sifting and removing those
risks which the team feel are not worth investigating further.

(b) Techniques

(i) Research
While exactly the same project will not have been executed before, something similar
will have been. Investigation into projects on neighbouring sites or projects previously
undertaken by the client should be instigated.

(ii) Structured interviews/questionnaires

Interviews with key members of the project team (including client and suppliers) will
elicit the greatest insight into risks to the project and how they are perceived by
individuals. Interviews allow a greater depth of understanding to be achieved than
group discussions but do take up a lot of time.

(iii) Checklists/prompt lists

A simple and effective way to stimulate the team into thinking about risk is to use a
checklist. An easy way to start a checklist is for each team member to write down all
the variation orders on their last project, with the reasons for their issue.

(iv) Brainstorming in a workshop environment

Bringing the team together in a focused workshop is a powerful environment in which
to discuss risk. The team can have a better understanding of how each member
perceives risk differently. One important aspect of such workshops is that lateral
thinking is encouraged. The workshop gives the team an opportunity to experiment
with different viewpoints which individuals might normally reject out of hand if working
alone.

(v) Risk register

A risk register is probably the most useful tool in the risk management process. It
enables risks to be logged and tracked through the life of a project. While a risk
register can be maintained by hand, it is much more useful to use a computer
spreadsheet package. This allows the information to be sorted into different
categories. Specialist risk management software is also available which integrates
the risk register with risk analysis tools.

An example of a risk register is shown in figure 1. The example is very generic in

nature and additional information may be shown, such as who is responsible for

9
 The Management of Risk

undertaking actions in response to the risk and by when.

Once a risk is identified it is placed into a suitable category, for example, ‘client
control’. In figure 1 six categories are shown, but these can be altered to suit the
circumstances of each project. The risk register allows risks to be logged but can
also display additional information.

The status of the risk can be shown as:

• done – the risk has arisen and been dealt with;
• active – the risk is currently being managed; and
• monitor – the risk has been identified but no analysis or response has yet been
developed for it.

The probability and impact of the risk can also be shown; the importance of these
factors is discussed below. Finally the response to the risk can be shown.

The risk register is a very useful format for showing a wide range of information in the
risk management process. If the register is placed on a computer spreadsheet it is
easy to sort the risks in a variety of ways, for instance by category magnitude of
probability.

(vi) Database of historic risks

Experience is a ‘great teacher’ and the provision of a risk register allows information
to be stored in a convenient format ready for use on the next project. The benefit of
historical risk registers is that you know if a risk actually occurred and whether the
appropriate response was set in place. The historic database should be used as a
starting point in the risk management process, but although it may save some time in
the identification stage, this stage cannot be completely omitted.

Risk Analysis

The analysis stage is concerned with trying to achieve a better understanding of the
nature of the risks identified during the previous stage.

(a) Methodology

(i) Analysis of risks to assess the severity of impact and the probability of occurrence
Risks have two dimensions:
• probability – this is the likelihood of the risk occurring and is generally expressed
as a percentage; and
• impact – if the risk did occur what impact would it have on meeting the project’s
objectives.

For each of the risks identified, its probability and impact need to be assessed,
normally in a workshop environment with key stakeholders present. Once assessed,
plotting risks on to a matrix, as shown in figure 2, indicates very quickly those risks
which require detailed consideration and those which only need a cursory glance. So,
a risk with a high probability of occurring, which does occur, would have a very high
impact on the project and would require detailed consideration. This allows the right
amount of resource to be used in managing risk.

10
 The Management of Risk

Figure 1: Typical Risk Register

ID Risk Description Ownershi Current Prob of Impact Risk Response

p Status Occurr if Does Ranking
-ing Occur
100: 3rd Party Influence; D= Very Very (Prob. x
200: Project Control; Done high: high: impact)
300: Client Control 0.9 0.8
400: Procurement; A=
500: Site Control; Active Very Very
600: External Influences low: low:
M= 0.1 0.05
Monitor
100 3rd Party Influence
110 Revised planning application Architect D 0.7 0.05 0.035 Discussions with planning
required authority
120 Environmental Health Services A 0.5 0.1 0.05 Discussions with building
requirements excessive eng control officer
130 Fire officer requirements not yet Design A 0.7 0.1 0.07 Discussions with fire officer
fixed team
200 Project Control
205 End date affected by protracted Project A 0.3 0.1 0.03
decision process manager
210 Outstanding consultant Project D 0.1 0.05 0.005
appointments/disagreement over team
fees
215 Unclear definition of Project D 0.1 0.05 0.005
responsibilities of project team manager
220 Structural unknowns: composition Design M Undertake opening up works
of existing building (walls, roof) team and survey
225 Service distribution problems Design M
(electrical etc.) team
240 Agreement over design of existing Design M
facilities protracted team
245 Different CAD systems being used Project A 0.5 0.05 0.025 Agree on CAD standard
by team team
300 Client Control
310 Ambiguous definition of true client Client D 0.3 0.4 0.12
requirements
320 Funding/cash flow problems Client D 0.1 0.2 0.02
330 Key client stakeholders not Client D 0.3 0.4 0.12
involved in design process
400 Procurement
410 Difficulty in matching existing Contractor M
materials (tiles, bricks)
420 Overheated market, difficulties Contractor A 0.5 0.2 0.10 Warm up market prior to
finding right trade contractors tendering
500 Site Control
510 Liaison with Contractor M
neighbours/traffic/parking
520 Injury to public outside the site Contractor M
boundary
530 Emergency temporary works Contractor M
required on structure
540 Maintenance of public access Contractor M
routes around periphery of site
550 Additional areas of asbestos Contractor M
found during opening up works
560 Unforeseen ground conditions Contractor M
600 External Influences
610 Unseasonable weather Project M
manager
620 Environmental activists invade site Project M
manager

11
 The Management of Risk

Figure 2: Matrix of Probability versus Impact

IMPACT
Very high High Medium Low Very low
P Very high
R
O High
B
A Medium
B
Low
I
T
Very low
Y

The Probability/Impact matrix (in figure 2) allows a risk profile for a project to be
developed. For instance, if most of the risks are plotted in the top left section of the
matrix it indicates a high-risk project. The risk management strategy is to manage
these risks proactively through the project life cycle. During later risk assessment
exercises, the profile should show risks plotted more in the bottom right section of the
matrix.

Before the risks can be plotted on to the matrix, a scale has to be set for the
probability and impact dimensions. Setting a common scale will ensure a consistent
approach to placing newly-identified risks on the matrix at a later stage in the project
life cycle. An indicative layout for defining scales is shown in figure 3.

Figure 3: Indicative Scoring of Probability versus Impact Scales

PROBABILITY IMPACT
Time Cost
Very high 70% – 95% > 4 months > 150k
High 50% – 70% 3 – 4 months 100 – 150k
Medium 30% – 50% 2 – 3 months 50 – 100k
Low 10% – 30% 1 – 2 months 10 – 50k
Very low 5% – 10% < 1 months < 10k

While the probability scale shown in figure 3 may be utilised for any project, the
impact scale needs to be set for each project. Although time and cost impacts have
been shown separately it is possible to combine them, or to use other criteria such as
performance. Again, the scale has to be set according to the needs to a project.
Once set the scales should not be changed during the life of a project. This allows
risks to be compared on a common scale throughout a project and for the risk profile
of a project to be accurately monitored.

A higher level of sophistication can be applied to the ranking of the risks on the
Probability/Impact matrix. By assigning generic units to a matrix, the relative
importance of each cell can be seen, as shown in figure 4.

12
 The Management of Risk

Figure 4: Completed Matrix of Probability versus Impact

IMPACT
Very high High Medium Low Very low
P 0.8 0.4 0.2 0.1 0.05
R Very high 0.72 0.36 0.18 0.09 0.045
O 0.9
High 0.56 0.28 0.14 0.07 0.035
B
0.7
A
Medium 0.40 0.20 0.10 0.05 0.025
B 0.5
I Low 0.24 0.12 0.06 0.03 0.015
T 0.3
Y Very low 0.08 0.04 0.02 0.01 0.005
0.1

High Risk > 0.20 Review risk in great detail. Amend project strategy to reduce
Medium Risk 0.08 – 0.20 Develop contingency plans. Monitor risk development
Low Risk < 0.08 Maintain record of risk. Consider contingency measures in outline

The method of having the probability scale linear and the impact scale non-linear
emphasises the significance of low probability/high impact risks. The matrix allows
each risk to be ranked and compared on an even basis. Where resources are scarce
it also allows attention to be focused on those risks which sit in the high-risk category
of the matrix.

(ii) Synthesis of all risks to predict the most likely project outcome
Risk tends to have a ‘knock-on’ effect and so it is important to consider not only the
effect of individual risks but their cumulative effect as well.

(iii) Investigation of alternative course of actions

Analysis allows for different scenarios to be developed to provide a high degree of
confidence that the appropriate course of action has been chosen. The alternative
courses of action may be plotted on the Probability/Impact matrix to obtain a clearer
understanding of their relative merits in relation to the risk profile.

(b) Tools and Techniques

The Probability/Impact matrix is the easiest technique to use and allows all project
team members to participate in the process via a risk workshop. More sophisticated
tools and techniques may be applied to provide a better understanding of the
identified risks. There are a wide range of such tools and techniques available, many
of which are supported by computer software packages:
• Monte Carlo simulation modelling of cost and time risks;
• cost movement forecast;
• decision trees;
• sensitivity analysis;
• hard/soft money analysis;
• ‘what if?’ analysis;
• influence diagrams;
• simulation packages;
• multiple estimate risk analysis (MERA);
• spider diagrams;
• multi decision criteria analysis;

13
 The Management of Risk

• linear regression;
• spreadsheets; and
• flowcharts.

It is not possible to provide an explanation here of all the tools and techniques
available. However, further information can be obtained from one of the texts in the
further reading section (Appendix A).

Risk Response

The analysis stage provides the team with a better understanding of the risks. The
next stage is to develop a response to those risks.

(a) Methodology

(i) Choose the appropriate course of action

The principle is to choose the right response based on available information. It might
be that the response changes with time as more information becomes available. The
response will generally fall into one of the following categories:
• avoid;
• transfer;
• mitigate; and
• control.

An important point to consider when developing responses concerns the generation

of secondary risk. When a response is proposed, its full implications have to be
assessed to ascertain if a secondary risk arises out of implementing the response. If
the sum of the secondary risk plus the reduced risk (the original risk with the
response in place) is greater than the original risk, then an appropriate response has
clearly not been identified and an alternative should be found.

(b) Tools and Techniques

The techniques available are primarily integrated with the project management
process, for example:
• contract acquisition plan;
• contingency management; and
• project controls.

The tools available are not usually related purely to risk management. For instance,
most surveyors would recommend to their clients that the contractor has third party
insurance for the project. This is a risk management response designed to reduce
clients’ exposure to claims for damages if a particular incident were to occur. This is
a risk management tool, although most surveyors would consider it to be common
project procedure. Typical tools available are:
• insurances/bonds/warranties;
• contingency plans;
• forms of contracts;
• contingency drawdown models;
• special cost schedule allowance;
• earned value analysis;
• resource levelling; and
• training.

14
 The Management of Risk

SUMMARY

In conclusion, the key components of a risk management strategy are:

• identify staff and resources assigned to the risk management process;
• define lines of reporting and responsibility for the risk management process;
• link the risk management plan to other project tools such as safety (including
CDM), quality and environmental management and planning and reporting
systems;
• consolidate all risks identified into an appropriate and digestible response strategy
in order that cumulative effects can be perceived;
• state risk audit intervals and key milestones;
• include risk milestones in project plan;
• identify possible response strategies and programmes for each risk category
including contingency plans and how to handle new or unresolved risks;
• assess cost involved; and
• monitor success of responses strategies and produce feedback for reporting into
future projects.

15
 The Management of Risk

FURTHER READING

Boothroyd, C., and Emmet, J. Risk Management: A Practical Guide for Construction
Professionals, Witherby & Co Ltd, London, 1996

BS 6079 – Guide to Project Management – Section 4.6.3 Risk Management, British

Standards Institute, London, 1996

Chapman, C., and Ward, S. Project Risk Management: Processes, Techniques and
Insights, John Wiley and Sons, Chichester, 1997

Edwards, L. Practical Risk Management in the Construction Industry, Thomas

Telford, London, 1995

Flanagan, R., and Norman, G. Risk Management and Construction, Blackwell

Scientific, Oxford, 1993

The Institution of Civil Engineers, Faculty of Acturies and The Institute of Acturies.
Risk Analysis and Management for Projects, Thomas Telford, London, 1998

16