Professional Documents
Culture Documents
RiskManagement(chapter16_RobertLester)
RiskManagement(chapter16_RobertLester)
Every day we take risks. If we cross the street we risk being run over. If we go down the stairs,
we risk missing a step and tumbling down. Taking risks is such a common occurrence, that we
tend to ignore it. Indeed, life would be unbearable if we constantly worried whether we should
or should not carry out a certain task or take an action, because the risk is, or is not, acceptable.
With projects, however, this luxury of ignoring the risks cannot be permitted. By their
very nature, because projects are inherently unique and often incorporate new techniques and
procedures, they are risk prone and risk has to be considered right from the start. It then
has to be subjected to a disciplined regular review and investigative procedure known as risk
management.
Before applying risk management procedures, many organizations produce a risk management
plan. This is a document produced at the start of the project which sets out the strategic
requirements for risk assessment and the whole risk management procedure. In certain situations
the risk management plan should be produced at the estimating or contract tender stage to
ensure that adequate provisions are made in the cost build-up of the tender document.
The project management plan (PMP) should include a rCsumC of the risk management plan,
which will first of all define the scope and areas to which risk management applies, particularly
the risk types to be investigated. It will also specify which techniques will be used for risk
identification and assessment, whether SWOT (strengths, weaknesses, opportunities and threats)
analysis is required and which risks (if any) require a more rigorous quantitative analysis such
as Monte Carlo simulation methods.
The risk management plan will set out the type, content and frequency of reports, the roles
of risk owners and the definition of the impact and probability criteria in qualitative and/or
quantitative terms covering cost, time and quality/performance.
The main contents of a risk management plan are as follows:
General introduction explaining the need for the risk management process;
Project description. Only required if it is a stand-alone document and not part of the PMP;
Types ofrisks. Political, technical, financial, environmental, security, safety, programme, etc.;
Risk processes. Qualitative andor quantitative methods, max. nos of risks to be listed;
Tools and techniques. Risk identification methods, size of P-I matrix, computer analysis, etc.;
Risk reports. Updating periods of risk register, exception reports, change reports, etc.;
Attachments. Important project requirements, dangers, exceptional problems, etc.
The risk management plan of an organization should follow a standard pattern in order to
increase its familiarity (rather like standard conditions of contract) but each project will require
a bespoke version to cover its specific requirements and anticipated risks.
Risk management consists of the following five stages, which, if followed religiously, will
enable one to obtain a better understanding of those project risks which could jeopardize the
66 Project Management, Planning and Control
cost, time, quality and safety criteria of the project. The first three stages are often referred to
as qualitative analysis and are by far the most important stages of the process.
The following list gives the advantages and disadvantages of the more usual risk identification
methods:
Brainstorming
Advantages: Wide range of possible risks suggested for consideration;
Involves a number of stakeholders.
Disadvantages: Time consuming;
Requires firm control by facilitator.
Prompt list
Advantages: Gives benefit of past problems;
Saves time by focusing on real possibilities;
Easy to discuss.
Disadvantages: Restricts suggestions to past experience;
Past problems may not be applicable.
Checklist
Advantages: Similar to prompt list; Company standards
Disadvantages: Similar to prompt list.
Risk management 67
At this stage it may, be possible to identify who is best to manage each risk. This person
becomes the risk owner.
To reduce the number of risks being seriously considered from what could well be a very
long list, some form of screening will be necessary. Only those risks which pass certain criteria
need be examined more closely, which leads to the next stage . . .
Severe
Medium
Nil
Each risk can now be given a risk number, so that it is now possible to draw up a simple
chart which lists all the risks so far considered. This chart will show the risk number, a short
description, the risk category, the probability rating, the impact rating (in terms of high, medium
or low) and the risk owner who is charged with monitoring and managing the risk during the
life of the project.
Figure 16.2 shows the layout of such a chart.
A quantitative analysis can now follow. This is known as. . .
r
Figure 16.2 Risk Summary Chart
1 1 1 1 1
Exposure table
Probability
High 0.5
Impact Medium
Low 0.1
Example:
5 Risk A
Impact = 3
Probability=5
4 Risk rating = 3 x 5 = 15
c
u Risk B
Impact = 3
-g 3 Probability = 3
Risk rating = 3 x 3 = 9
2
1 2 3 4 5
Probability
Figure 16.4 5 x 5 matrix
Another way to quantify both the impact and probability is to number the ratings as shown
in Figure 16.4 from 1 for very low to 5 for very high. By multiplying the appropriate numbers
in the boxes, a numerical (or quantitative) exposure rating is obtained, which gives a measure
of seriousness and hence importance for further investigation.
For example, if the impact is rated 3 (i.e. medium) and the probability 5 (very high), the
exposure rating is 3 x 5 = 15.
Further sophistication in evaluating risks is possible by using some of the computer software
developed specifically to determine the probability of occurrence. These programs use sampling
techniques like ‘Monte Carlo simulations’ which carry out hundreds of iterative sampling
calculations to obtain a probability distribution of the outcome.
One application of the Monte Carlo simulation is determining the probability to meet a
specific milestone (like the completion date) by giving three time estimates to every activity.
The program will then carry out a great number of iterations resulting in a frequencyhime
histogram and a cumulative ‘S’ curve from which the probability of meeting the milestone can
be read off (see Figure 16.5).
At the same time a Tornado diagram can be produced, which shows the sensitivity of each
activity as far as it affects the project completion (see Figure 16.6).
Other techniques such as sensitivity diagrams, influence diagrams and decision trees have
all been developed in an attempt to make risk analysis more accurate or more reliable. It must
be remembered, however, that any answer is only as good as the initial assumptions and input
100
0
Time
Figure 16.5 Frequency/time histogram
70 Project Management, Planning and Control
A
B
C
-q
.-
.-
,z F
2 G
H
I
J
I I I , , I I I I I
0 5 10 15 20 25 30 35 40 45 50 55 60
Yo sensitivity
Figure 16.6 Tornado diagram
data, and the project manager must give serious consideration as to the cost effectiveness of
theses methods for hisher particular project.
avoidance
reduction
sharing
transfer
deference
mitigation
contingency
insurance
acceptance.
Risk 8 The cost of the work will probably never pay for itself;
Risk 9 The cost may escalate due to unforeseen structural problems.
These risks can all be managed by applying one or several of the above options:
MONITORING
To keep control of the risks, a risk register should be produced which lists all the risks
and their method of management. Such a list is shown in Figure 16.7. Where risk owners
have been appointed, these will be identified on the register. The risks must be constantly
monitored and at preset periods, the register must be reassessed and if necessary amended
to reflect the latest position. Clearly as the project proceeds, the risks reduce in number,
so that the contingency sums allocated to cover the risk of the completed activities can be
allocated to other sections of the budget. However, sometimes new risks emerge which must
be taken into account. These must be recorded in the register under the heading of risk
closure.
The summary of the risk management procedure is then as follows:
1 Risk awareness;
2 Risk identification (checklists, prompt lists, brainstorming);
3 Risk owner identification;
4 Qualitative assessment;
5 Quantification of probability;
6 Quantification of impact (severity);
7 Exposure rating;
8 Mitigation;
9 Contingency provision;
10 Risk register;
11 Software usage (if any);
12 Monitoring and reporting.
72 Project Management, Planning and Control
To aid the process of risk management, a number of software tools have been developed.
The must commonly used ones are @Risk, Predict, Pandora and Plantrac Marshal, but no
doubt new ones will be developed in the future.