UNIMAS 2012 FACULTY OF ENGINEERING

RISK MANAGEMENT
BASIC CONCEPT:
We have previously looked at what can be considered to constitute project success. This is interesting from a theoretical perspective, but from a practical point of view what we want to know is what are the events that could prevent us from achieving this success. Having said that, this is only a start point; what we really need to establish are those plans and activities that are required to ensure that nothing intervenes in the successful implementation of the project. What we are talking about is having a risk management process in place for a project, where the term risk management process is defined as: The systematic application of management policies, procedures and practices to the tasks of reviewing communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and communication risk. (Source: AS/NZS 2004a. p. 4) The PMI (2004) has a similar definition for risk management:

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

Project risk management includes the processes concerned with conducting risk management planning, identification, analysis, responses, and monitoring and control on a project. (Source: PMI 2004, p. 237) and ... to increase the probability and impact of positive events and decrease the probability and impact of events adverse to the project. (Source: PMI 2004, p. 237) The important aspects of these definitions relevant to our studies here are highlighted below:

systematic: whatever form the risk management process takes, it must be systematic, that is, it must have a logical start and finish, it must follow the same steps each time and it must be comprehensive (this will be explained further later).

management policies: a sensible project organisation will have policies that govern the use of a risk management process. These policies should include objectives for risk management and should emphasise managements commitment to

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

them. They should ensure that a risk management system is established, implemented and reviewed. They should dictate when risk management is to be conducted (and there should be very few, if any, projects exempt from a risk management approach); who is responsible for doing it; when it is to be done; how it is to be documented; etc.

procedures and practices: these refer to the actual steps taken in the risk management process. They should be systematic, logical and effective.

probability and impact: this is really the basis for any risk analysis. Before any sensible evaluation of a particular risk can be done, it is essential to assess as best you can its probability (the likelihood of it actually occurring) and impact. Time and effort is always in short supply when managing a project, so you do not want to waste them in detailed evaluation of risks which have little chance of happening and, should they happen, would have insignificant effect. On the other hand, you need to be confident that risks that are the reverse of these, high probability and large impact, are adequately addressed. The assessment process we discuss later is designed to focus your attention where it is needed, and where it should be value adding.

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

positive events and adverse events: we tend to think of risks as being bad, that is, they are likely to have a damaging effect on our chances of project success. We should be aware, however, that risk also implies opportunity the advantage to be gained if the risk is taken successfully. There is also a scale attached to this risk taking the greater the risk accepted, the greater the return if successful. If this is not the case, the risk assessment process has probably failed and you are taking dangerous risks. Allied with this, you need to understand that aiming for a risk free environment is usually very expensive. The terrorist incident in the USA in 2001 provides a depressing but appropriate analogy the more we attempt to be protected from terrorist attack, the more we have to be prepared to invest in expensive security measures.

monitoring is an essential aspect of successful risk management. There is little point taking the time and effort to establish a risk management plan in the definition phase of a project if the plan is just to become shelfware a document produced to satisfy a management requirement but then left gathering dust on a shelf once implementation starts. The risk management plan should be

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

addressed regularly throughout the actual execution of the project.

communicating fits into a similar category with monitoring the risks and their treatment must be communicated to all stakeholders. Initially, they should appreciate the level of risk in the project before it is too late to re-think the actual need for it. Subsequently, they need to be kept up to date so they can prepare react to events if necessary. (This is also a good opportunity for you to show how competent you are tracking risks and managing them before they get out of hand. This should be seen as a career enhancing move.)

Definition
Common Definition: The possibility of loss, injury, disadvantage or destruction Websters Third International Dictionary Expose to the chance of injury or loss The New Websters Dictionary The chance of loss & the degree or probability of such loss
PROJECT MANAGEMENT PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

Websters New Collegiate Dictionary Technical Definition: Risk can be viewed both qualitatively and quantitatively. Qualitative definition: The potential of loss or injury resulting from exposure to a hazard when a source of danger (or hazard) exists and if no reasonable safeguards are in place to minimize against exposure to the danger, then there is the possibility of loss or injury. This possibility is known as risk. Quantitative definition: R = < S, P, C >, Where R = risk; S = a scenario of events that lead to hazard exposure; P = the likelihood of scenario happening; and C = the consequence of scenario happening. The quantitative definition suggests that risk represents the probability of a hazardous event with dire consequences occurring. = 1,2 , ., n.

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

Benefits of risk management

It is fairly obvious that the benefit from including a risk management process in the overall management of a project should be a reduction in nasty surprises and a greater probability of achieving project success. However a research project (Simister 1994, p. 7) revealed that project managers also saw other, less obvious, benefits. The benefits they accepted and prioritised are listed in their order of importance and explained below: More realistic plans in terms of cost and schedule To carry out a worthwhile risk management process, the essential project planning functions must be carried out first. In other words, a WBS must be developed, the tasks must be scheduled and the most accurate cost estimate as possible must be calculated. The implication of this benefit is that, once this degree of planning has been carried out, not only will any subsequent risk identification and analysis be more valid, but the understanding of the overall project will be increased such that the schedule and budget should be more appropriate.

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

Increased understanding of the risks in the project This seems self evident, but it is only in relatively recent times that the importance of risk management to project success has been accepted (the index of the 1992 edition of a well known project management text contained one listing for the word risk the 2000 edition has expanded this to six listings, hardly a great improvement. Many, if not most current texts have at least a chapter on the topic). Just feeling that a project is risky is of little value. To be able to do anything worthwhile about project risk, you must know what the specific risks are, and this knowledge is gained by following the risk management process. Contingencies that actually reflect the risks You will encounter project management methodologies in organisations that dictate that, say, a 10% contingency be added to all project budgets, and you should ask yourself why. Why 10%? Why not more; why not less? This approach can tie up money needlessly if a contingency as high as 10% is added without a detailed risk management assessment. It is obviously far more sensible, and likely to be cheaper, if the contingency is applied to real specific risks, rather than to the overall project because of a vague feeling that the project is risky. Consider a project with a $100 000 budget. A standard contingency factor of 10% would tie up an extra

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

$10 000. Consider the more sensible scenario: a detailed analysis of the risks could find that most of the projects activities are very low risk (suppose they are activities frequently carried out by the organisation). On the other hand, let us assume that 20% of the budget comes from activities that the analysis reveals are genuinely high risk. Your reaction to this is to add 20% contingency but only to those high risk tasks. This means that you have applied a greater contingency (but only where the analysis showed it was needed) but only tied up $4000 in overall contingency for the total project (20% contingency X 20% of the $100 000 budget) releasing $6000 to other uses.

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

Facilitates greater but more rational risk taking. If you really understand what each risk implies, you can make an informed decision as to whether you can accept it or not. The reverse is also true ignorance because a thorough risk management process is not carried out could lead to risks being covered unnecessarily and opportunities being lost. Identifies the party best able to handle a risk. Once you know what specific risks there are, you can make an informed assessment as to who is best placed to manage each one. It is through the risk management process that you establish the risks and their causes, and it is only after you know the causes that you can allocate responsibility for control. Without the detailed knowledge that the risk management process develops, there is a likelihood that you will allocate responsibility for managing a specific risk to somebody who has no control over the possible cause of it.

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

Leads to the most suitable form of procurement/contract. This benefit tends to flow from the previous point. Having established what the risk are, you are in a position where you can decide what work should be done in-house and what should be contracted out. Further to this, you should be able to decide what form of contract should be used in each case. (This is a topic in its own right and will be covered in some detail in the Project Procurement section of this course.) Statistical information about historical risks. One of the fundamental concepts behind the National Competency Standards for Project Management (NCSPM) is that any compliant process should allow for and encourage continuous improvement. For example, the outcome from the recommendations of the mandated post-project review covering all nine units of competency should be better planned and implemented projects into the future. Similarly, following the risk planning and risk implementation processes required of the NCSPM and AS/NZS 4360:2004 through the project life cycle will produce risk statistics that can be referred to by future project managers what risks where identified, what likelihood and consequences were estimated, what mitigation strategies were developed and, of course, what really happened.
PROJECT MANAGEMENT PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

Assists in distinguishing between good luck/good management and bad luck/bad management. Think of this as a career enhancing aspect. If you ignore the requirement for risk management and the project fails, you will quite correctly have difficulty convincing your masters that there has been anything but bad management. On the other hand, if you can show them a detailed risk management plan, you may be able to convince them that the failure was just due to bad luck.

The Nature of Risk in Engineering Projects

Project Risk: the uncertainty implied by the level or project performance achievable In the case of project management, risk is any factor that can affect the project performance (time, cost and quality performance) is a source of risk. These basic questions needed to be answer in risk management.

What can go wrong? How and why can it happen? What is the likelihood of it happening?
PREPARED BY SNTING

PROJECT MANAGEMENT

UNIMAS 2012 FACULTY OF ENGINEERING

What is the consequence if it happens? What can we do about it?

Risk arises when the effect and occurence of this factor is both uncertain but will impacts significantly on project outcome. As such, the definition of project objectives and performance criteria has a fundamental influence on the level of project risk. Setting tight time and cost targets makes a project more time and cost risky by definition. Inappropriate time and cost targets are themselves a source of risk. Failure to acknowledge the need to attain an acceptable level of performance against a clients expectation, for instance, automatically creates risk on those dimensions. Strategies for managing project risk, therefore, cannot be separated from strategies for managing project objectives. Some of project related risks: Submission of pricing Giving the possession of site Physical conditions Latent conditions Defective materials/works Late instructions

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

Contractor efficiency Sub-contractor efficiency Inclement weather Labour disputes Contractor negligence Consultant negligence Owner negligence Force majeure Legislative change after contract Shortages in labour, material, finance, plant Late payment Cost fluctuations Insolvency by client, contractor Omissions/variations by consultants Economics risks Design risks Environmental risks Site safety

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

Management of Risk
Project Risk Management comprises of 5 key components such as the following: 1. Risk Identification: The process of determining the potential key variables that impacts and contributes to risk in the problem or decision or situation (in our case the problem/situation/decision is our project and its various elements) under consideration. There is quite a number of risk sources listed and, as with the methods above, some will be more applicable than others in the project environment. Particular sources in projects are: Technical risk: The possibility that the technical requirements on which the original estimate was based may be not be achieved within the cost and schedule estimates. Financial risk: The possibility that the cost may rise because of factors not allowed for, or not adequately allowed for, in the original estimate.

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

Management risk: The possibility that planning or management arrangements may have adverse effects upon schedule or budget. Contractual risk: The possibility that inadequacies in the contract agreement will result in additional costs being manipulated by the contractor, or accepted as part of the contract. Schedule risk: The possibility that the completion schedule will not conform to the contractual or management plan. Operational Performance risk: The possibility that the equipment or system will not meet all the operational needs of the user It is also important to note the following in Risk Identification Interactions between the key variables in a decision situation necessitate that strategic decisions are complex, involving structural uncertainty. Uncertainty prevails in all aspects of problem situations, including the manner in which the key variables are assumed to interact.

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

The systems approach, in which the relationships among the interacting variables are analysed in a holistic and integrated fashion, provides one of the most comprehensive means of identifying risk. 2. Risk Allocation: Categorising risk according to whom it will affect, whether it is the person or the organization or the project overall and who shall response to it 3. Risk Classification and Measurement: Risk classification involves categorizing the risk according to its effect or impact. Risk measurement involves coming up with measurement criteria according to the chances or probability of it occurring. As risk implies uncertainty, the measurement of risk itself cannot be precise. Conventional estimates are based on best or optimistic, most likely or expected, and worst or pessimistic outcomes.

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

More realistic measures are based on Probability of Occurrence. 4. Risk Assessment and Re-assessment: The process of estimating the degree of severity of the risk involved, both for intermediate and final outcomes. There are basically qualititative risk analysis or quantititive risk analysis. Qualitative Analysis Standards Australia 2004, HB 436:2004 Risk management guidelines has suggested a number of qualitative risk analysis techniques including brainstorming; structured interviews/questionnaires; evaluation using multidisciplinary groups; and specialist and expert judgement, the Delphi technique. They are the ones you use when you cannot get data that allows some form of quantitative analysis. They are used more often than quantitative techniques because on many occasions appropriate data is not available. This is particularly so in the early stages of a project. Another reason for favouring qualitative techniques, as you will note in the next section, is that quantitative techniques can be very complex and can

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

require considerable effort to master. This leads to the techniques largely only being used where it is considered a sensible investment to hire the necessary expertise that is, for large expensive and complex projects. Risk measured via the conventional approach of best, most likely and worst outcomes could only be assessed by the Best Case/Worst Case and What-If Methods. Quatitative Analysis Risk measured by its probability of occurrence is assessed by a stochastic approach using simulations. Techniques such as statistical analysis, Decision Tree, Monte Carlo simulation and 3 point estimates are example of calculation or probability

5. Risk Attitudes and Response: The attitude of the person(s) making the decision concerning the risky situation determines how a risky situation should be dealt with.

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

Risk treatment options Standards Australia (2004a, p. 70) describes generic options for treating risks avoiding, changing the likelihood, changing the consequences, sharing the risk, and retaining the risk. Avoidance means not doing whatever it is that causes the level of risk. At one end of a spectrum, this can mean selecting a different way of doing the task; at the other end it can mean not doing the project because the task with the unacceptable level of risk is an essential component. We have seen how the estimates of likelihood and consequence of a risk can be combined to produce an indication of the level of risk. Obviously if either or both of these are reduced, a lower level of risk may be achieved (but the structure of the level of risk matrix means that often this is not the case unless the reduction is reasonably large). Note that the text flags the implications of cost you may need to consider a tradeoff between the cost of the reduction and the level of risk. Risk transfer involves transferring the risk, hopefully to somebody better placed to manage it. As a simple example, if you have a project or a part thereof that requires levels of expertise unavailable in your
PROJECT MANAGEMENT PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

organisation, ignoring this potential problem and trying to do the tasks anyway would probably be high risk. On the other hand, if you contract the tasks to an organisation with staff who are expert in the relevant fields, the level of risk should be less. On the other hand, be wary of anybody who claims that they have no risk in their project because they have transferred it to a contractor. There will always be the risk that for one reason or another the contractor cannot do the work and the project or part of it fails. Risk sharing involves transferring part of the risk. Retaining a risk does not mean ignoring it. All risks should be registered and the acceptance process could include providing some form of contingency so that, rather than having to manage the risk from scratch should it occur, there is already a reaction planned. Risk retention refers to what happens after the risks are treated; those risks that remain after reduction or transfer are retained by the organisation. You will often hear these risks referred to as residual risks. These are the ones that the organisation needs to be confident it can manage after the treatment process has been put in place. To move from the generic risk treatment options in the text and the readings to something more specific,

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

The exercising of judgment and the conduct of programs and actions to handle (avoid versus accept) risk, including the possible need to re-evaluate alternative courses of action. Such actions include a detailed investigation of how a particular risk arises.

Risk

Acceptance Risk

Intolerable Risk

Risk Avoidance

Acceptance

Risk Management It is the attempts taken to draw the line between minimizing accidents by anticipation and promoting resilience to cope with whatever failures may arise, and between actions to influence the causes of hazards as against measures to change effects.

Risk Mitigation is part of risk management about transferring the risks. Insurances available are a good form of risk mitigation.

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

Project Insurance, which comprises of the following types of insurance: Contractors All Risk ~ cover accidents, faulty workmanship, malicious damage, theft, burglary, and against all risks of direct physical loss or damage to the project Public liability insurance which covers any liabilities for injuries to personnel not related to the project and the property of others and legal liabilities to the public Workers Compensation insurance which covers all the benefits that have to be provided by the law, to all employees killed or injured in the course of their employment The process of risk management can also be understood in terms of the three basic elements of organizational control theory: the setting of goals, whether explicitly or implicitly, to accept or avoid risk how much risk should or can be taken; the gathering and interpretation of information; and
PROJECT MANAGEMENT PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

actions to influence human behaviour and physical infrastructure or both to reduce the chances of occurrence of risky events Concept of Risk Efficiency The aim of project risk management is to continuously institute changes to base or contingency plans to improve risk efficiency.

A risk efficient plan is one in which the expected cost can only be reduced by increasing the risk or the intensity of threat can only be lessen by enlarging the expected cost. Assume that project performance can be measured solely in terms of cost out-turn (expected cost) and that project risk can be defined in terms of the likelihood of possible cost-overruns of certain magnitudes (threat intensity). The set of feasible project plans offering the minimum level of risk for given level of expected cost or vice-versa is the risk-efficient boundary

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING RISK IDENTIFICATION, ANALYSIS AND MANAGEMENT: A SYSTEMS VIEW
ACTION OUTCOME

Risk Identification Risk Analysis

Factors or events contributing to the occurrence of a risky situation (RS) (ie, hazard or accident) as well as the interrelationships between the factors Identified

Risk Evaluation/Assessement

Risk Likelihood of RS occurring as a function Measurement of the individual and/or joint effects of the contributing factors of events established

Risk Classification Consequence (in terms of the severity of the occurrence of risky situations assessed

Measures put in place to: ~ Minimize losses by reducing the likelihood of hazards or accidents occurring. ~ Reduce the impact of uncontrollable hazards or accidents. ~ Transfer (or divest) the risk resulting from the occurrence of hazards or accidents through insurance

Risk Management

PROJECT MANAGEMENT

PREPARED BY SNTING

UNIMAS 2012 FACULTY OF ENGINEERING

What is an appropriated approach to Risk Analysis? An approach, which can provide a holistic view of the events leading to the occurrence of a risky situation or the factors contributing to its occurrence is appropriate to risk analysis. Such an approach should have the capability to: allow the inter-relationships among the factors (or events) contributing to the occurrence of the risky situation to be clearly discerned; facilitate the analysis of the individual as well as the joint effects of the contributing factors (events); permit the possible occurrence (including its likelihood) of the risky situation to be diagnosed and evaluated; and allow the relative merits of different risk management measures to be compared, synthesized and appraised.

PROJECT MANAGEMENT

PREPARED BY SNTING