Risk Identification and Planning
Risks can have a classification system. This system classifies risks in relation to their locus of action. That is the organisational level at which the risk will have the most impact. Project Risks: are those risks within the project boundary that could affect the delivery of the business outcome that the project is set up to deliver. In other words, those that could affect the delivery of the project’s objectives. Business Risks: on the other hand are those risks that affect the operation of the business outcome once it has been delivered by the project.
Environmental Risks: are those risks that are external to the project environment but which nevertheless can affect the project objectives. For example, the Gulf War had a devastating effect upon gas field projects in Kuwait in 1990. External change risks: are those risks that are beyond the immediate project environment but which could have a major impact. Frequently in contractual terms these may include force majeure events. However, external change risks go beyond force majeure, for example because of a shift in Government policy or in its interpretation of a law. The main aims of risk management are to: ?Identify potential risks;
Assess the probability and impact of each risk; ?Identify alternative actions that prevent the risk from happening (avoidance), or if it does happen ameliorate the impact (reduction), or provide a strategy for dealing with the accepted consequences of such a risk occurring (acceptance); ? Implement and monitor those actions that are cost effective and necessary to the successful delivery of the project objectives (NB: project objectives not project); ? Provide feedback from experiential learning to improve the risk management of future projects and to inform the training and development of project managers.
Risk Management is therefore an integral part of project management – not an additional extra. It should be used to drive, inform and support planning. Effective risk management should: •Anticipate and influence events before they happen by taking a pro-active approach; •Provide knowledge and information about predicted events; •Inform and where possible improve the quality of decision making, recognising the preferred hierarchy of risk avoidance, risk reduction, risk control, and risk acceptance; •Avoid covert assumptions and false definition of risks;
Make the project management process overt and transparent; •Assist in the delivery of project objectives in terms of benchmarked quality, time and cost thresholds; •Allow the development of scenario planning in the event of the identification of a high impact risk; •Provide improved contingency planning; •Provide verifiable records of risk planning and risk control. To achieve effective and efficient risk management risk planning is required. The commonest form of risk planning is the Risk Management Plan.
Risk Management at various stages in the construction process No investment or even short-term production process can be planned without taking into account the associated risk. In reality every project contains a component of risk which results in the necessity to assess and reduce the associated threats. Of course investors have procedures based on many years of experience allowing for identification and reduction of emerging risk components. Risk Management is a continuous process which should be conducted at every stage of the project; from its emergence until completion and use.
It is important to eliminate risks as early as possible, for instance, at the stage of analysis of the project value and cost analysis during the project implementation. The basic task is to identify the problem as well as the significance and benefits associated with the risk management process. This identification can be captured in a Risk Plan. Figure 1: Correlation between the Construction process and Risk Management Figure 1 below presents a correlation between the various levels of risk management and the subsequent stages of the construction process.
There are no rigorous divisions between the subsequent stages of the risk management process. It is worth remembering, however, that along with the progress of work, the approach to the problem of risk should be changing which results in the necessity to consult various specialists depending on the specific characteristics of the issue. Risk Identification Risk identification involves determining which risks might affect the project and documenting their characteristics.
Participants in risk identification need to be selected on who is best placed to identify risks in a given technical or management area and generally includes the following: •Project team; •Risk management team; •Subject matter experts – for example ground conditions engineers; •Customer(s); •End users if different from customer; •Other project managers; •Stakeholders; •Outside experts for example public authority representatives. Risk identification is an iterative process; the first pass may be performed by a part of the project team or by the risk management team.
The entire project team and primary stakeholders then make a second iteration. To achieve unbiased analysis persons who are not involved in the project should perform a final iteration. Often the simple and effective risk responses can be developed and even implemented as soon as the risks are identified. Risk identification can be undertaken top-down and bottom-up. Top-down identification provides a rapid start to the assessment and commences with an overall view of the programme. It should be cause or ‘risk area’ oriented to give a good coverage.
Bottom-up identification involves a systematic comprehensive coverage of the project management and technical deliverables; it looks at the project requirements, plans, specifications, resourcing, contracts, sub-contractor, sub-contract characteristics and project interfaces and interactions. Risk identification requires an understanding of the project’s mission, scope and objectives of the owner, sponsor and/ or stakeholders. Output of other processes should be reviewed to identify possible risks across the project; these may include: •Product descriptions; •Schedule and cost estimates;
Resources plan; •Procurement plan; •Assumptions; •Constraints. In practise Project Managers have widely adopted the Work Breakdown Structure (WBS) as an essential tool for most or all of the applications already mentioned. The WBS is the keystone of any project and it has broad application to nearly every aspect of the project through its life-cycle. In general practice the WBS is used for: •Systems engineering; •Planning and budgeting; •Funding; •Cost estimating; •Scheduling; •Measuring performance; •Configuration management; •Baseline change control; •Project control tools development;
Testing and commissioning; •Integrated logics support. The WBS needs to represent the entire project: everything that is part of the project in terms of products, hardware, software, services, data, facilities management and other elements that completely define the entire scope of work. The WBS should also reflect the methods to be used to plan, control, manage and execute the work. Typical project risks that could be encountered are shown in Figure 2 below. Project Management RiskExamples Customer Customer focus, specification quality, changing requirements. Project management
Planning, resourcing, resource capabilities, dependencies, stakeholders, organization / interfaces, communication, constraints, process, transition and services ProcurementPlanning, vendor appraisals, critical lead-times, reliance on single source, component obsolescence, market volatility Commercial Subcontractor agreement, interpretation of Terms and conditions FinancialProfit margin, accurate cost forecasts, payment plan, penalty charges EngineeringFeasibility, technology transfer, complexity, dependencies, resourcing, special standards/ documentation requirements, prototypes, maturity, manufacture, process ManufacturingMake/ buy planning, design, production capacity, new tools/ equipment requirements, test requirements, new manufacturing or test processes, incorporating change during manufacture System design and integrationSystems complexity, interfaces, human factors, software, hardware TechnologyTechnology or technical approach chosen to achieve the project objective Subcontractor capabilitiesAbility of contractors or other vendors to perform project objectives, including Project management strategy and ability InterfacesWorking in a multi-project environment, interfacing with existing operational activities and other stakeholders.
EnvironmentalEnvironmental laws and compliances, licences and permits Regulatory involvementInvolvement by any regulatory agency such as EA, HSE or by national , state and local governments Political visibilityPolitical significance or visibility to national, state or local governments, specialinterests and the public Number of key project participantsInvolvement by other than a primary owner for the decision making and management ComplexityIssues with design criteria, functional requirements, complex design features, breakthrough technology or existing as-built condition documents Labour skills availability and productivityAdequate resources, speciality resources, rapid labour force build-up experience and commitment, and exposure to environmental extremes Number of locations/ site access/ site ownershipGeographic dispersion, time zone differences, site ownership and access issues Funding/ cost sharingProject duration, involvement / funding by other parties, and stability of monetary inputs Magnitude / type of contaminationPresence of hazardous or mixed waste Quality requirementsRequirements for precision work or other QA requirements; types of QA methods Site Ground conditions, flood plane, contaminated ground, archaeological finds Public involvementCitizen interest or involvement, rights of way Figure 2: Typical Project Management Risks In looking at the list in Figure 2 it would be fair to assume that projects are increasing in technical complexity. As such this complexity increases the risk of not meeting the success criteria, as established in the concept and planning phase of the project with the client and also related to the three key Project Management variables.
Historically, project decision making has been heavily biased toward meeting the cost and schedule goals without the same level of thought to the consequences of the project’s technical objective(s). This has been the legacy of the earned value performance measurement approach to Project Management, which measured success primarily by concentrating on the two elements where a preponderance of the known data could be measured. Tools and Techniques for Risk Identification Remember the acronym SLEEPT: Social; Legal; Economic; Environmental; Political; Technological. This can be used for the disaggregation of Exogenous or Endogenous Risks to assist in identification of risks. There are a number of tools and techniques available for use in risk identification, these are described below:
Documentation reviewPerforming a structured review of high level and detailed project plans and assumptions prior project files and other information is generally the initial step taken by project teams. Assumptions analysisEvery project is conceived and developed based on a set of hypotheses, scenarios or assumptions validity. Assumptions analysis is a technique that explores that assumption’s validity. It identifies risks to the project from inaccuracy, inconsistency or incompleteness of assumptions. Diagramming techniquesDiagramming techniques may include cause and effect diagramme (also known as Ishikawa or fishbone diagrams). These are useful for identifying causes of risks.
Systems or process flow charts – these show how various elements of a system interrelate and the mechanism of causation. ChecklistsChecklists for risk identification can be developed based on historical information and knowledge that has been accumulated from previous similar projects and from other sources of information. One advantage is that risk identification is quick and simple. One disadvantage is that it is impossible to build an exhaustive checklist of risks, and the user may be effectively limited to the categories in the list. Care should be taken to explore items that do not appear on a standard checklist to see if they seem relevant to the specific project. The checklist should itemise all types of possible risks to the project.
It is important to review the checklist as a formal step of every project-closing procedure to improve the list of potential risks and the description of risks for subsequent projects. Checklists are seldom exhaustive but can help to ensure that the most common key areas of project risk are considered. They are particularly useful as “prompts” to facilitate brainstorming. NB: A sample checklist provided at the end of this section. Information- gathering techniques Examples of information gathering techniques used in risk identification can include:
•Brainstorming – this is probably the most frequently used risk identification technique. The goal is to obtain a comprehensive lists of risks that can be addressed later in the qualitative and quantitative risk analysis processes. The project team usually brainstorms, although a multidisciplinary set of experts can also use this technique. Under the leadership of a facilitator, these people generate ideas about project risk. Sources of risk are identified in broad scope and posted for all to examine during the meeting. As with all brainstorming the key thing at this point is to capture everything. Consideration of which risks to accept or to manage, comes later. •The Delphi technique which is a way to reach a consensus of experts on a subject such as project risk. Project risk experts are identified but participate anonymously.
A facilitator uses a questionnaire to solicit ideas about the important project risks. The responses are submitted and are then circulated to the experts for further comment. Consensus on the main project risks may be reached in a few rounds of this process. The Delphi technique helps to reduce bias in the data and keeps any person from having undue influence on the outcome. •Interviewing. Risks can be identified by interviews of experienced Project Managers or subject-matter experts. The person responsible for risk identification identifies the appropriate individuals, briefs them on the project and provides information such as the WBS and list of assumptions.
The interviewees identify risks to the project based on the experience, project information and other sources that they find useful. •SWOT analysis covering Strengths, Weaknesses, Opportunities and Threats ensures examination of the project from each of the SWOT perspectives to increase the breath of the risks considered. Learning from experienceMake use of near neighbour comparisons of similar projects, locations, suppliers, customer etc Figure 3: Tools and Techniques for Risk Identification In identifying projects risk that may affect a project these can be organized into risk categories and should reflect common sources of risk for the industry or application area.
Categories include: •Technical, quality or performance risks – such as reliance on unproven or complex technology, unrealistic performance goals, changes to the technology used or the industry standards during the project; •Project management risks – such as poor allocation of time and resources, inadequate quality of the project plan, poor use of Project Management disciplines; •Organizational risks – such as costs, time and scope objectives that are internally inconsistent, lack of prioritization of projects, inadequacy or interruption of funding and resource conflicts with other projects in the organization; •External risks – such as changing legal or regulatory environment, labour issues, changing owner priorities, country risk and weather.
Force majeure risks such as earthquakes, floods, civil unrest generally require disaster recovery actions rather than risk management. Having used a number of tools and techniques to identify the risks for a project it is important that the risk statement is correctly phrased and it is recommended that this should follow the Condition- Cause- Consequence approach, for example: There is a risk that lack of support will cause the project to stall resulting in team being deployed on other work. There is a risk that our customer will be unable to specify the internal fit-out requirements in a timely fashion caused by their lack of experience in procuring this type of equipment resulting in delayed payment, project overrun, and delayed initiation of support contracts.
There is a risk that the client will wish to bring forward the completion date for the project and cause us to execute the work by additional shift working or more resources resulting in an overall cost increase from that contractually agreed. Risk Planning Risk planning is the process of deciding how to approach and plan for the risk management activities of a project. This is important to ensure that the level, type and visibility of risk management are commensurate with both the risk and importance of the project to the organization. Figure 4: Elements of Risk Management Planning The inputs to the Risk Management Planning phase of the project are shown in Figure 4 and are described below: •The Organization’s risk management policies.
Some organizations may have predefined approaches to risk analysis and responses that have to be tailored to a particular project; •Predefined roles and responsibilities and authority levels for decision-making will influence planning; •Stakeholder risk tolerances. Different organizations and different individuals have different risk tolerances. These may be expressed in policy statements or revealed in actions; •Template for the organization’s risk management plan. Some organizations have developed templates (or a pro-forma standard) for use by the project team. The organization will continuously improve the template, based on its application and usefulness in the project; •Work breakdown structure (WBS) for the project. The main tool for the Risk management Planning is the Planning meetings, at which the project team develop the risk management plan.
Attendees usually include the Project Manager, the project team leaders, anyone in the organization with responsibility to manage the risk planning and execution activities, key stakeholders, and others as and when needed. They can make use of the risk management templates and other inputs as appropriate. The primary output for the meeting is an agreed management approach to risks that the project will face and which is described in a formal risk management plan that details how risk identification, qualitative and quantitative analysis, response planning, monitoring and control will be undertaken during the project life-cycle. The risk management plan does not address responses to individual risks – this is accomplished in the risk response plan.
As such the risk management plan may: •Include a methodology to define the approaches, tools and data sources that may be used to perform risk management of the project. Different types of assessments may be appropriate depending upon the stage of the project, the amount of information available and the flexibility remaining in risk management; •Detail the roles and responsibilities and define the lead, support and risk management team membership for each type of action in the risk management plan. Risk management teams organized outside of the project may be able to perform more independent, unbiased risk analysis of the project than those from the direct project team; •Establish a budget for risk management for the project;
Define how often the risk management process will be performed throughout the project life-cycle. Results should be developed early enough to affect decisions, indeed these decisions should be periodically reviewed during the project execution. Typically a Project manager will review the risks on a monthly basis; sometimes this review is more frequent; •Detail the Scoring and Implementation methods appropriate for the type and timing of the qualitative and quantitative risk analysis being performed. It is good practise for the methods and scoring to be determined in advance to ensure consistency; •Describe the threshold criteria for risks that will be acted upon, by whom, and in what manner.
The project sponsor and customer may have different thresholds and the acceptable threshold forms the target against which the project team can measure the effectiveness of the risk response plan execution; •Describe the content and format of the risk response plan and how the results of the risk management processes will be documented, analyzed and communicated to the project team, internal and external stakeholders, sponsors and others. Many organizations employ a graded approach to risk management which may have a number of criteria for determining the application of the graded approach such as financial value, complexity, visibility, risk, strategic risk etc. This could lead to a clearer definition of the application of the graded approach – “the risk–based graded approach.
The risk analysis provides a formalised and documented method or technique to determine the graded approach. Without a more formalised risk analysis process all interested parties have the opportunity to identify and assess the impact of a wide variety of potentially adverse risks on the project’s technical objectives. Cost and schedule adjustments can then be incorporated to present a more realistically achievable estimate of the resources necessary to attain project success. The resultant baseline becomes a much more powerful tool in managing the project and its expectations. Indeed, without this analysis, the confidence in completing the project to its success criteria must be necessarily low.
It is important to document the risk management process so that all parties are aware of the implementation and review process and a typical Risk Management Plan is shown as Figure 5. TitleDetails IntroductionProject / Product Overview: •Summary of requirement. •Critical success factors. •Project Life-cycle. Control of PlanOverview: •Review and reissue frequency. Scope and ObjectivesScope of work: •Scope, complexity and scale of project. Initial assessment of difficulty, scale, precedence, impact of failure. Objectives: •Deliverables: eg risk register, report, mitigation plans, reporting requirements for project team, main contractor and sub-contractor(s). Identification StrategyIdentification: •Describe the identification process: how the risks are identified eg brainstorming, checklists etc.
The discipline of describing risks. •How ownership is established and recorded eg Risk Register. •How new risks are identifies and mitigated risks retired. •When risks are identified and at what level. Allocation: •Describe the process to assign and apportion risk to other stakeholders eg sub-contractors, Partners, other areas of the organization. Assessment StrategyAnalysis (qualitative): •Describe the method used to establish post mitigation criticality scores from probability and impact assessments. Evaluation(quantitative): •Describe the approach to be taken to evaluate collective cost, project and performance exposures. Response strategy:
Describe how performance, cost and effectiveness benefits will be calculated to determine courses of action (option selection). •Describe how pre-emptive risk action will be fully integrated into the overall project programme. •Describe how corrective fallback plans will be incorporated into the overall project programme. •Describe how risks are to be mitigated, transfer, sharing and acceptance. •Describe fallback measures to recover in the event of risk occurrence. •Identify how associated costs and effectiveness of action will be established and recorded. •Identify how contingency will be released to support effective mitigation action on the occurrence of risk Process ManagementRisk Management process: •Process objectives.
Outline process description, clearly identifying the supporting audits and reviews including contract risk reviews and technical risk reviews. Contingency Management: •Describe the principles and methods for determining the correct overall level of project contingency. •Allocating technical and managerial contingencies and movements between the two. •Authorising pre-emptive mitigation spend. •Authorising the release of contingency funds to support corrective risk mitigation. •Authorising risk retirements. Risk Management tools: •Identifying the tools and methods being used to support the risk assessment, support requirements and maintenance responsibilities. Risk Register control:
Describe the process for maintaining the register, indicate how items are to be entered, updated and deleted. •How associated mitigation / promotion actions/ plans / programmes and events will be recorded and reviewed. •Detail where the Register will be kept and how it will be accessed and by whom. Risk Reporting: •Describe the reports to be generated from the process including details of: what reports will be generated; what the reporting cycle will be; and at what level eg Top 20 risks •Describe the process for identification of new risks, deletion and retirement of old risks. OrganisationProject responsibilities: •Identify clearly the role, authority and responsibility with respect to risk and mitigation actions of the Project Manager/ Director, Risk Manager, Risk Owner, Risk Actionee, Project Team members. •Provide a list of people who will have responsibility for regular review of the risks, detailing their roles. •Provide a summary of internal and external parties involvement with the risk management process eg customer, sub-contractor, suppliers, user, government agencies. Functional responsibilities: •Define the main functional interfaces (customer/ supplier) between the various project groups or areas. •Identify how risk and associated contingency will be allocated to the functional areas and managed across the organizational interfaces. ProgrammeMobilisation programme.