SEPHEU ADOLF MAPHUTHA

Project risk and

Procurement
Assignment 1

Page 0 of 10
Table of Contents
Introduction ............................................................................................................................................ 2
What is Risk? ........................................................................................................................................... 2
Definitions ........................................................................................................................................... 2
Risk Equation....................................................................................................................................... 3
Project Risk Management ....................................................................................................................... 3
Risk Management Process ...................................................................................................................... 4
Plan Risk Management ....................................................................................................................... 5
Identify Risks ....................................................................................................................................... 5
Subject matter experts ................................................................................................................... 5
External Risk .................................................................................................................................... 5
Internal Risk .................................................................................................................................... 6
Contractual Mitigation of Risk ........................................................................................................ 6
Correct wording of Risk ................................................................................................................... 6
Perform Qualitative Risk Analysis ....................................................................................................... 7
Perform Quantitative Risk Analysis..................................................................................................... 8
Plan Risk Responses ............................................................................................................................ 8
Monitor and control Risk .................................................................................................................... 9
Conclusion ............................................................................................................................................... 9
Reference List........................................................................................................................................ 10

Page 1 of 10
Introduction

Perhaps, the best way to understand project risk management is to first understand the broad field
of project Management and then the challenging field of risk management; then later narrow down
to project risk management.

There is always a need for coordination of risk management strategies. In many organisations there
is as least an office, if not a department, which deals with risk management issues. Projects on the
other hand, are by definition non-permanent and have a start date and an end-date. Managing risk
in such circumstances is likely to be more challenging due to the temporary nature of project
structures.

In this paper, we will analyse the concept of risk in general and project risk management in
particular. We will also endeavour to come up with a process through which project risk
management strategies can be developed. According to PMBOK® Guide 4th edition, to be effective in
dealing with risk we need some sort of identification of the relevant risks, quantification of such risk
through analysis and evaluation, development of risk responses and lastly, to put in place controls
for monitoring the effectiveness of the risk response strategies (Duncan, 1996).

What is Risk?

Definitions
Risk Ma age e t is a out thi gs goi g o g a d hat ope atio s a do to stop thi gs goi g
o g (Slack, Chambers, & Johnston, 2010:573). This definition seems to be a narrow view of risk
management and needs to be understood the context of Slack, et al. (2010) which is strictly
Operations Management.

Risk o e s the p o a ilit a d o se ue es of the failu e of a st ateg (Johnson, Scholes, &

Whittington, 2005). This definition places emphasis on two very important variables in risk analysis.
These variables are (a) probability and (b) consequence. As we go on to discuss Project Risk
Management, these two variables will be dominant.

Kerzner (2009:743) defi es isk as a easu e of the p o a ilit a d o se ue e of ot achieving a

defi ed p oje t goal. F o this defi itio , e gathe that isk efe s to so ethi g hi h is
p o a le a d has a o se ue e . We a o lude the that isk is ide tifia le, has a e tai
measure of probability and has a negative impact or consequence.

Maylor ( 2010:219) ie s isk as U e tai t i he e t i pla s a d the possi ilit of so ethi g

happe i g i.e. a o ti ge that a affe t the p ospe ts of a hie i g usi ess o p oje t goals .
Therefore, Maylor emphasises the notion of uncertainty and that the objective of risk management
is not to eliminate risk but to manage it. Risk is inherent in business and generally, there is no return
without risk. Therefore, there is some trade-off between the amount of risk we can take and the
expected returns. We shall see later that acceptable risk will differ from one personality to another.

Page 2 of 10
Risk Equation
In my view Kezner (2009) sums up the definition of risk quite succintly when he defines it as a
function of probability and consequence. Thus:

Risk = ƒ p o a ilit , o se ue e .

In general, risk will increase when either probabality of occurance or the consequences of such an
occurance increase, or decrease when the opposite happens. This part of the definition becomes
very valuable when risks have to be analysed, evaluated or ranked because the definition lends itself
to a mathematical calculation. One can simply extrapolate that the magnitude of risk can be
calculated by multiplying probability by consequence. This of course assumes we have found an
accepable qualitative or quatitative scale to measure the probability and consequence magnitudes.
Thus:

Risk = PC, where P=probability and C=consequence.

Kerzner (2009:744) introduces two new elements of risk. The first is the root casue of the risk and
most importantly the second, the safeguard or risk response. For example, if getting a tyre puncture
is a risk associated with driving on a particular road, the root causecan be the numerous potholes on
that road. To reduce level of risk while planning to fix the potholes we may put up signs warning
motorists about the potholes. The potholes in this case are the hazard and the warning signs are the
safeguard. Using the same analogy as before, we can see a clear relationship between the hazard
and the safeguard. Thus:

Risk = ƒ haza d, safegua d .

Unlike the relationship between probability and consequence, we have an inverse relationship
between a hazard and a safeguard. If we increase the safeguard the level of risk comes down and if
we reduce the hazard (fewer potholes), the risk will come down and vice versa. Thus:

Risk = H ÷ S, where H=hazard and S=Safeguard.

These two equations are very valuable in risk analysis.

In conclusion, we may safely say that regardless of type, risk has to do with an uncertain future
occurrence that may have a detrimental or positive effect on project outcomes. The positive part is
included here to indicate that surprises are not always negative and there may be pleasant surprises
that may enhance project outcomes.

Project Risk Management

The PMBOK® Guide 4th Edition defines Project Risk Management in the follo i g a e : P oje t
Risk Management includes the processes concerned with identifying, analysing and responding to
p oje t isk (Duncan, 1996). From this definition, we can deduce that to manage risk we have to
identify the risk, analyse it and respond to the identified risks. We will see later on that we have to
compliment these three elements with monitoring and controlling. The objective of risk

Page 3 of 10
management therefor can be construed as an effort to decrease of the probability and impact of
negative events or threats and to increase of the probability and impact of positive events or
opportunities.

Risk Management Process

Now that we have defined risk and project risk management, we can look at the actual process of
managing risk, and eventually narrow down to project risk management. The following model
depicts how Slack, et al. (2010:573) see the risk mamanagement process.

Figure 1. Risk Management (Slack, Chambers, & Johnston, 2010).

Figure 1 above proposes a process whereby potential causes of risks or failure are assessed. After
this,

a) prevention measures are put in place to try and prevent failure and,
b) to mitigate against the effects of failure and lastly
c) if failures do occur, to try and recover from these.

Slack (2010) lists supply failures, human failures, organisational failures, technology and product
failures as exmples.

A number of authors, including Kerzner (2009) and the PMBOK® Guide 4th Edition recommend the
following steps in Project Risk Management:

Figure 2. Project Risk Management (PMBOK® Guide, 4th Edition).

Page 4 of 10
Plan Risk Management
In the planning of Project Risk Management you will need the Project Scope Statement, Cost
Management Plan, Schedule Management Plan, Communications Management Plan and
Enterprise environmental factors.

In planning for Risk Management we need to face the challenges of how risk is going to be
quantified, qualitatively or quantitatively, or even both. It must be noted that at this stage
the actual risks have not yet been identified.

The output for this part of the Risk Management Process will be a clear plan which contains
mainly, a risk management strategy, methods to execute a program for risk management
and the resources required to execute the plan.

Identify Risks
The first input to be used in the identification of risks is the output from the previous step,
which is the Risk Management plan. Other inputs will include the Activity Cost Estimates
from the work breakdown structure (WBS), activity duration estimates, Stakeholder Register
and the Quality Management Plan.

Various tools can be used to yield information about risks. The starting point could be
documentation of risks from previous similar projects, checklists developed for this purpose,
SWOT analysis and some expert judgements. There are advantages and disadvantages for
using one or the other tool but suffice it to say that the final product must be a Risk Register.

Subject matter experts

Some methodologies are more common than others are. The most common is the use of the
so-called su je t atte e pe ts “ME’s). Most of the work done in an MRO(aviation
maintenance, repair and overhaul organisation), because of the extensive regulatory regime
by EASA, FAA and SACAA is project based. To ide tif isks a g oup of “ME’s is put togethe
consisting of internal and external experts. These will be experts in aviation regulation,
operations experts, employee relations experts and any other expert the project manager
may feel can add value. Their task is really to look at the past similar projects and see what
could have been done better, what were the risks identified at the time, whether the
environment changed since then and so on. This methodology has been used with great
success at SAA Technical (Pty) Ltd in South Africa. The methodology has however one major
drawback; it is mainly based on past events. Despite its apparent lack of innovative space
the use; experts will continue to be used at SAA (Pty) Ltd.

External Risk
External risk can be divided into unpredictable and predictable risk. Examples of
unpredictable external risk include natural disasters, government legislation and war.
Predictable external risk relates to matters such the cost of money, lending rates, availability
of raw materials and competition. Examples are legislation, weather, politics, and civil
unrest. Fortunately, most of external risk is insurable.

Page 5 of 10
 Internal Risk
Internal risk on the other hand is more directed at events and occurrences, which originates
from within the organisation. These can be fairly anticipated and their likelihood and impact
estimated with a certain accuracy. Examples here are wrong product specifications, staff
turnover, project budget overrun, etc. Both internal and external risks have to be identified

Contractual Mitigation of Risk

It is nearly standard practice that in every contract there will be a clause which exempts the
contracting parties from their obligations in the case of a natural disaster usually called the
force majeure clause.

Another important distinction to be made is between Business Risk and Insurable Risk. By its
very nature, business is risky. Actually, it is nearly impossible to have any return on
investment without accepting a certain level of risk. What will differ from person to person,
or from one project manager to another, is the level of risk they are willing to undertake.
People differ in their risk appetite or as Kerzner (2009: 746) puts it, we differ in the way we
perceive utility (or level of satisfaction) as against the stakes (or the monetary value of gains
or losses). To some of us, regardless of the rewards there is just no way we are willing to
take certain levels of risk; but to some if the rewards are big enough they will take
disproportionate levels of risk. He calls the former risk averters and the latter risk seekers.
Theoretically, there is also a group that is risk neutral and will always take a proportionate
level of risk for equally proportionate rewards.

Correct wording of Risk

In project risk management it is not only critical, but very crucial that risks are correctly
identified, defined and worded correctly. Kerzner (2009: 746) actually goes further to
prescribe that risk ide tifi atio should e app oa hed f o the pe spe ti e of IF the isk
o u s, THEN hat will be the i pa t BECAU“E of the u de l i g oot ause. Here is an
example:

IF THEN BECAUSE
Employees go on a strike The project will be delayed The tasks are labour
intensive and there is no
replacement labour
Risk Consequence Root Cause

The approach to risk identification can be process based or according to the work
breakdown structure. The former systematically looks at the processes involved where risk
may occur whilst the latter concentrates on the tasks and the sub-tasks to see which ones
are risky. There are no bad or good approaches or a one size fits all. The main thing is to
come up with a robust risk register.

In conclusion, it can be mentioned that risk identification is not a once off task in the life of
the project, but it is part of the project risk management cycle to be revisited cyclically.
Some hidden risks will only be identifiable late in the life of the project whilst others may
disappear on their own. As a result, the risk register is not a static document but a dynamic
one that needs to be updated periodically.

Page 6 of 10
Perform Qualitative Risk Analysis
Risk analysis is a systematic process to estimate the level of risk for identified and approved
risks (Kerzner, 2009:761). To perform this step you will need a risk register, a risk
management plan and the project scope statement. Analysing risk begins with a detailed
evaluation of the risks according to the risk register. The idea is to accumulate enough data
about the risk so that the probability of its occurrence and the severity of its impact can be
estimated. In most cases the root cause, the historical facts and the current prevailing
circumstances will yield enough data to be able to put some weight on both variables.

Qualitative risk analysis has its own challenges. The basic challenge is how we put a risk on a
scale to find its magnitude. Since we are using qualitative methods and not quantitative
ones, we have a problem of identification of absolutes. It is quite possible to be certain that
a particular event will happen or not happen (where probability is equal to 1). In this case,
can we still classify that event as a risk? The answer is No. This is a business environment
eventuality that must just be planned for. For instance, if you are building a house you know
that one day it will rain. Therefore, houses must have roofs. Building a house without a roof
and subsequently citing rain as a risk and weighing its probability and impact does not make
sense. However, it makes a lot of sense to list a tornado as a risk and measure its probability
and its impact. This will determine how strong should be your roof and how much are you
willing to spend on it as against the losses which may be suffered should there be a tornado
and the roof is blown off. However, can we have one risk being exactly half (50%) of the
other? This brings us to the question of different classes of risk scales.

There are generally about six types of accepted classes of scales (Kerzner, 2009). In summary
they are as follows:

a) Nominal Scale: Numbers allocated have no mathematical meaning and serve only as
labels. An example of this is motor vehicle registration numbers.
b) Interval scale: The numerical allocation does indicate magnitude but has no meaningful
zero point or, zero does not mean the total absence of anything. Thermometer scale is a
good example.
c) Ordinal Scale: This is the scale quite common in measuring risk. The rank order is
meaningful in that high risk may be allocated the number 3; medium risk the number 2
and low risk allocated the number 1. Zero will not be allocated as it would denote the
total absence of risk and therefore irrelevant. However, the interval between 1 and 2 is
not necessarily equal to the interval between 2 and 3. It must be kept in mind that these
scales are usually a result of subjective reasoning and therefore resultant mathematical
outcomes should be treated with caution.
d) Calibrated Ordinal Scale: Coefficients are estimated by evaluating additive utility
function. These type of scales are not common in measuring risk as they pose challenges
in estimating the coefficients.
e) Ratio Scale: Whereas the usual temperature scales, Celsius and Fahrenheit are regarded
as interval scales due to their lack of an absolute zero pint, Kelvin and Rankine scales are
ratio scales because they have an absolute zero.

Page 7 of 10
 f) Estimate of Probability scale: These are estimation of occurrence such as in weather
forecast. Estimate of Probability scales are widely used in project risk management.

The main reason why scales are so important in risk management is that they provide a
handle on managing risk. Since in any situation there are an infinite number of risks, it is not
possible to focus on all of them and there needs to be some sort a ranking order so that
management attention is drawn to the right places.

Perform Quantitative Risk Analysis

A number of methodologies may be applied in Quantitative Risk Analysis. These include
payoff matrices, decision trees and the Monte Carlo process (Kerzner, 2009). A payoff matrix
is useful in situations where firstly, one is sure of a particular outcome regardless of the
state of nature and secondly, that state of nature has a calculable probability. For example,
one may be sure that there will be a high demand for product A regardless of the state of
economy (economic growth might be low, medium or high). Next, the probability of the
state of economy is calculable.

Decision trees are also a valuable tool where probability has to be calculated for various
outcome combinations. In a situation where two trucks, T1 and T2, are available for parcel
deliveries at various addresses, and either route R1 or route R2 may be used, depending on
the address on the parcels, we may be interested in the probability that parcel P1 will be
delivered using truck T1 on route R2.

The type of distribution to be used can also be a challenge. Distributions may be continuous
or discreet (only whole numbers). The rule of thumb is that the data should dictate what
type of distribution is appropriate not vice versa.

Plan Risk Responses

To put together risk response strategies you will need the risk register and the risk
management plan. It is assumed that at this stage you have a list of all approved risks in
order of magnitude (in some cases only the top 10 risks are considered). It also means that
for each risk you have a probability and consequence as well as its root cause. The aim here
is:

a) what do we do to either totally avoid the risk,

b) mitigate against the risk by reducing either the probability or the consequence or both,
or
c) transfer the risk to someone else through contractual arrangements.

If this is a positive risk then we may ask ourselves what do we do to exploit the opportunity
to the advantage of the project and also how to enhance it.

Risk responses are in the main planned activities designed to proactively deal with a
probable situation in the future. These activities must be allocated to individuals who have
the responsibility to carry them out. Risk response strategies are not damage control
strategies. They do not wait for the event to occur and then kick into action. Theoretically, if
they are 100% effective, the risk event will never even occur. The strategies will however

Page 8 of 10
 also cover for the eventuality of the occurrence of that particular event. For example, if
there is a risk of fire at a refinery, the basic aim is to put measures in place such that there is
no fire at all. However, if this unfortunate event does happen, we will need evacuation plans
and safety exits for staff and emergency firefighting equipment.

Monitor and control Risk

Monitoring and evaluation is the last in the Project Risk Management Process. It simply
underlines the fact that we have alluded to earlier on that the risk management plan is not a
once off process but a dynamic ones which will continue to evolve throughout the life of the
project. Regardless how thorough and meticulous the risk management plan was executed
there will be glitches and unforeseen circumstances. Some parts of the response strategies
might even be rendered obsolete. Therefore a concerted effort is required to continuously
monitor the effectiveness of the response strategies to feedback into the process.

Conclusion

Risk is omnipresent, and it is actually necessary so as to gain returns on our investments.

However, it needs to be managed. It is the management thereof which requires an in depth
knowledge of its root cause, its magnitude and most importantly, how to respond in its
wake.

Page 9 of 10
Reference List

Duncan, W. (1996). A Guide to the Project Management body of knowledge. North Carolina, USA:
National Information Standards Organisation.

Jeynes, j. (2002). Risk Management 10 Principles. Oxford: Butterworth-Heinemann.

Johnson, G., Scholes, K., & Whittington, R. (2005). Exploring Corporate Strategy (Seventh ed.).
Edinburgh Gate: Prentice Hall.

Kerzner, H. (2009). Project Management: A systems approach to Planning, Scheduling and

Controlling. New Jersey: John Wiley & Sons.

Maylor, H. (2010). Project Management. Essex: Pearson Education Limited.

Slack, N., Chambers, S., & Johnston, R. (2010). Operations Manangement. Essex: Prentice Hall.

Page 10 of 10