Week1-Pre Class


ENG5200

Engineering Project Risk Management

Risk Management Processes (ISO 31000)


Project Definition
An endeavor that is temporary in nature, that is undertaken to produce a unique deliverable

Operations Definition
Ongoing execution of activities to produce a repetitive service/product

Risk terminology

Uncertainty refers to situations involving imperfect or unknown information.

Risk (also risk scenario): an event with undesirable consequences, without specific regard to intent.

Example: Uncertainty on project resource availability => Risk of delays

Why is Risk Management so Important?
• Corporate collapses:
  • Dynegy (Energy)
  • Dick Smith (Retail)
  • Wirecard (Banking)
  • FTX (Cryptocurrency)

• Natural disasters:
  • Bushfire
  • Cyclone
  • …

• COVID-19 pandemic
Risk scenarios – two main elements

• Probability (likelihood) is associated with the occurrence of risk scenarios.
• Risk scenarios have measurable adverse (unfavourable) consequences (impact).

Risk scenario example: “There is a 50% chance of heavy showers resulting in floods.”
RISK MANAGEMENT STANDARD
(ISO31000)

ISO 31000 is an international standard that provides guidelines and principles for
effective risk management. It was first published by the International
Organization for Standardization (ISO) in 2009 and has since been revised in
2018.

The ISO 31000 standard provides a framework for managing risk that is
applicable to any type of organization, regardless of its size, sector, or activities.
It provides a systematic and structured approach to identifying, assessing,
treating, and monitoring risks, and is designed to be flexible and adaptable to
the unique needs and circumstances of each organization.

RISK MANAGEMENT STANDARD (ISO31000)

The standard is based on the principles of risk management, which include:

1. Creating value - Risk management should contribute to the achievement of
organizational objectives and enhance decision-making.
2. Integrating into processes - Risk management should be an integral part of
organizational processes and decision-making.
3. Structured and comprehensive - Risk management should be systematic and
based on reliable information.
4. Inclusive - Risk management should involve all relevant stakeholders and be
communicated to them in a timely and appropriate manner.
5. Dynamic - Risk management should be responsive to changes in the internal
and external environment.
ISO 31000 - Systematic approach (process diagram of the five steps, 1 to 5)
Step 1 - Establishing risk context

1.1. What is the acceptable level of risk taking to achieve a specific
project objective (risk tolerance)?

1.2. Define Roles and Responsibilities (To ensure that stakeholders are
aware of their expected roles in a risk assessment exercise, it is
important to state them clearly upfront).
Step 1 - Establishing risk context 1.1. Risk tolerance

Step 1 - Establish risk context

1.2. Defining Roles and Responsibilities (Example):

Chief Executive: Establish and maintain a culture of risk awareness and intelligence

Executives and Senior Management: Nominate influential and motivated team members to
undertake the role of Risk Assessment Facilitators (RAF)

Risk Assessment Facilitators (RAFs): Facilitate quarterly reporting within their area of
responsibility

Project team: Actively support and report to RAFs, demonstrating active contributions to the
risk management process

Risk management processes (ISO 31000) - process diagram of the five steps, 1 to 5
Step 2 - Risk identification

2.1. What are the critical project objectives (on-time completion, zero accidents, zero
asset failures, …)?

2.2. Identify threats to the achievement of project objectives.

2.3. Formulate risk scenarios (slide callouts: “SAFETY”, “30% chance of”, “25% of all project lifts”):

Example: R1 => Increasing the cost of steel rebars may prevent the foundation stage
from being completed within budget.

R2 => Blind lifting of panels by tower cranes may result in safety breaches in
façade installations.
R3 => Inferior quality of parts may prevent the job from being certified.
R4 => …
Step 3 - Risk Analysis

3.1. Determine Likelihood

Historical or expected occurrence of an event has traditionally been used as a
metric to measure the risk likelihood (e.g. the event is expected to occur once every
year, or has occurred once in the past 3 years).

3.2. Determine Impact

To what extent can the manifestation of a risk scenario compromise one or more
project objective(s)?
Step 3 – Risk analysis
3.1. Likelihood rating

Likelihood rating    Probability
Rare                 1% to 20%
Unlikely             21% to 40%
Possible             41% to 60%
Likely               61% to 80%
Highly likely        81% to 100%
Step 3 – Risk analysis

3.2. Impact/consequence rating

Consequence (impact) rating    Hypothetical examples in engineering projects
Very severe                    Injury or loss of lives
Severe                         Financial cost of more than $???
Moderate                       Disruption in project lasting more than a week
Minor                          Irreversible environmental damage
Negligible                     Reversible environmental damage
Risk management processes (ISO 31000) - process diagram of the five steps, 1 to 5
Step 4 - Risk evaluation

4.1. Determine and Prioritise Risks

Risk is a function of the likelihood of a given threat event compromising one
or more project objective(s) and the impact of that compromise. This can be
presented diagrammatically using a risk matrix.

4.2. Document risks in a risk register for communication to project
stakeholders

A Risk Register is a record of all the risk scenarios identified, including their
determined risk level. The Risk Register is a living document to be regularly
reviewed and updated to ensure that the organisation’s management has an
up-to-date picture when making risk-informed decisions.
Step 4 - Risk evaluation, 4.1. Risk matrix (5 by 5 example)

(Risk matrix figure: priority levels and colour coding differ across projects. The
figure marks the cells holding risks with very high priority level and those holding
risks with medium/low priority level.)
Risk management processes (ISO 31000) - process diagram of the five steps, 1 to 5
Step 4 - Risk evaluation (continued)
4.2. Risk register for communication to project stakeholders
It should minimally contain the following:

• Unique risk ID
• Risk scenario – A scenario articulating how a threat event could compromise project objectives.
• Identification date – The date when the risk scenario is identified.
• Treatment plan – The planned activities (e.g. deploying additional measures) and timeline to
treat the current risk to an acceptable level (i.e. within the risk tolerance level).
• Progress status – The status of implementing the treatment plan.
• Residual risk – The determined risk level (combination of likelihood and impact) of the risk scenario
after the treatment plan is implemented (i.e. the current risk with additional measures applied).
• Risk owner – The individual or group responsible for ensuring that the residual risks remain
within the organisation’s tolerance level.

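As an added worked example (not part of the slides): the likelihood bands and consequence ratings from Step 3 applied to a small risk register with the fields listed above, so that residual risk can be compared with the tolerance set in Step 1.1. The 5 by 5 priority matrix is an assumption here, since the deck says priority levels differ across projects, and the register entries are constructed.

```python
from dataclasses import dataclass
# Likelihood bands from the deck: (inclusive upper bound in %, rating).
LIKELIHOOD_BANDS = [(20, "Rare"), (40, "Unlikely"), (60, "Possible"),
                    (80, "Likely"), (100, "Highly likely")]
LIKELIHOODS = [name for _, name in LIKELIHOOD_BANDS]
IMPACTS = ["Negligible", "Minor", "Moderate", "Severe", "Very severe"]
PRIORITIES = ["Low", "Medium", "High", "Very high"]
# Assumed 5x5 priority matrix (levels and colours differ per project, as the slide notes).
# Row = likelihood Rare..Highly likely, column = impact Negligible..Very severe.
MATRIX = [["Low", "Low", "Low", "Medium", "Medium"],
          ["Low", "Low", "Medium", "Medium", "High"],
          ["Low", "Medium", "Medium", "High", "High"],
          ["Medium", "Medium", "High", "High", "Very high"],
          ["Medium", "High", "High", "Very high", "Very high"]]

def likelihood_rating(probability_pct):
    """Step 3.1: map a probability (1..100 %) to the deck's likelihood rating."""
    if not 1 <= probability_pct <= 100:
        raise ValueError("probability must be between 1% and 100%")
    return next(name for upper, name in LIKELIHOOD_BANDS if probability_pct <= upper)

def risk_level(probability_pct, impact):
    """Step 4.1: read the priority level off the matrix for (likelihood, impact)."""
    return MATRIX[LIKELIHOODS.index(likelihood_rating(probability_pct))][IMPACTS.index(impact)]

@dataclass
class RiskEntry:  # Step 4.2: register fields from the slide, plus the ratings behind them
    risk_id: str
    scenario: str
    identified: str                # identification date
    probability_pct: int           # current likelihood, before treatment
    impact: str
    treatment_plan: str
    status: str
    residual_probability_pct: int  # expected likelihood once the plan is applied
    residual_impact: str
    owner: str

def above_tolerance(register, tolerance):
    """IDs whose residual risk still exceeds the tolerance set in Step 1.1."""
    limit = PRIORITIES.index(tolerance)
    return [e.risk_id for e in register
            if PRIORITIES.index(risk_level(e.residual_probability_pct, e.residual_impact)) > limit]

# Constructed register entries, loosely based on the slide's scenarios R1 and R2.
REGISTER = [
    RiskEntry("R1", "Rebar cost rise breaks foundation budget", "2024-01-15", 30, "Severe",
              "Fixed-price supply contract", "In progress", 30, "Minor", "Procurement lead"),
    RiskEntry("R2", "Blind crane lift causes safety breach", "2024-01-15", 25, "Very severe",
              "Camera-assisted lifts and spotters", "Planned", 5, "Very severe", "Safety manager"),
]
```

With a tolerance of "Low", R1 drops to Low after treatment while R2 stays at Medium, so only R2 is returned for further treatment or a formal acceptance decision (Step 5).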
Risk Register – Example (two example register slides, shown as images)
Step 5 - Risk treatment (Response)

Select risk response strategy (Accept, Avoid, Mitigate or Transfer)

Whichever risk response option is taken, senior management (with the
appropriate level of authority and accountability) within the organisation must
formally approve the selected risk response and make a conscious decision to
accept the residual risks.
Step 5 - Risk treatment (response)

Acceptance = Retention
Risk acceptance means undertaking risk as it is without introducing further
actions to reduce it. Risk should only be accepted when it falls within the
organisation’s tolerance level.

Step 5 - Risk treatment (response)

Avoidance = Risk Elimination

Risk avoidance means discontinuing an action/activity that exposes the
organisation to the identified risk. This may appear extreme but may be the
best course of action if the risk outweighs the benefits.

Example: Not conducting online payment transactions is an example of avoiding
the risk of attackers hijacking the transaction to make fraudulent payments.
Step 5 - Risk treatment (response)

Mitigation = Risk Reduction

Risk mitigation means putting in place measures to reduce the risk level. This
can be achieved through the deployment of security controls.

Example: Implementing a firewall to restrict network traffic is an example of
mitigating the risk of a system communicating with malicious external servers.
Step 5 - Risk treatment (response)

Risk Transfer
Risk transference means sharing a portion of risk with other parties or entities.
Such a treatment option typically reduces the “impact” component of risk.

Example: Purchasing insurance or outsourcing certain operations are examples
of sharing risks with third parties.
Recap: Risk management standard (ISO 31000) - process diagram of the five steps, 1 to 5
Thank you
