Risk management

Risk-management
infrastructures
T M Williams

that by Marshall and Meckling’, to later studies such as

All major projects are subject to risk. Current research
that by Baum and Tolbert’. Morris and Hough3 have
has concentrated on eliciting individuals’ risk attitudes,
prepared a fascinating study of major projects, under
and analysing projects to estimate overall project risk.
the auspices of the UK Major Projects Association, and
The paper explains the need for a risk-management
they give a very full bibliography. They concentrate on
infrastructure. Criteria for choosing methods are
eight recent projects, whose success or failure can be
described. Various techniques in current use are
classified under the three headings above. One project,
discussed. Issues involved in multicompany projects are
the (early) Channel Tunnel, was cancelled, and one,
noted.
the Heysham 2 project, was in a state of flux at the time
at which the study was carried out. The other six can be
Keywords: risk management, multicompany projects,
characterized as shown in Table 1 (in which a tick
management structures
denotes success).
Uncertainty from a huge number of sources combine
The risks involved in major projects have been the in many complex ways to produce risk to these overall
focus of much attention in recent years. The techniques objectives. Technical, temporal and financial un-
for monitoring and managing such risk have not been as certainties are usually involved, but political or
fully studied. This paper addresses these techniques contractual uncertainties also produce risks, as do
from the viewpoint of a practising risk manager. The uncertainties outside the project, either within the
author has some risk management role, in one way or parent organization or even outside the organization
another, in many of the current major UK naval altogether (where, say, the project is one of a number
projects, above and below water. The paper begins by of parallel developments). The major source in many
describing project risks and looking at current research development projects is the technical uncertainty in-
and the need for a risk-management infrastructure. herent in novel developments; however, this may
Criteria for choosing methods are discussed, and then manifest itself in activity overruns and overspends as
some methods are described. Finally, issues involved in well as in specification underachievement. It is there-
multicompany projects are noted. fore necessary to establish the risks to all the project’s
objectives simultaneously. Indeed, management inter-
vention often determines the balance between under-
RISKS achievements of the three objectives, perhaps via
Major development programmes are subject to risk in
all their phases. ‘Risk’ means, in this sense, the Table 1. Success of projects
combination of individual uncertainties which have an
impact on the overall objectives of the project. Project Success
It is essential to establish these project objectives. Time cost Specification
Projects can have few or many objectives; they may be
detailed or broad; they may be well specified or Concorde X X v

subliminal. However, virtually all projects have three Thames Barrier >
main objectives: meeting a particular specification,
UK Advanced Passenger Train X v X
within an overall timescale, and within an overall cost.
Projects can fail on one, two or three of these main Fulmar North Sea Oil Field X d v
objectives. There is a very large set of literature
relating to project outturns, from early studies such as Computerization of UK Pay as
You Earn tax system V d V
Project Giotto >
BAeSEMA, 1 Atlantic Quay, Broomielaw, Glasgow G2 8JE, UK

VOI 11 NO 1 February 1993 0263-7863/93/01000546 0 1993 Butterworth-Heinemann Ltd 5

RISKMANAGEMENT

‘throwing money’ at a project to achieve the specifica- paper begins to recognize the combination of time, cost
tion and timescale while exceeding budget, or finishing and technical risks. which is discussed further below.
on time and budget with an inferior output.
These risks are of particular concern to government
departments, who effect many of the big development NEED FOR RISK-MANAGEMENT
projects in the UK. Humphries4 describes the develop- INFRASTRUCTURE
ments within the UK Ministry of Defence making risk
Much of the research has thus concentrated on indi-
analysis and management mandatory on large defence vidual project managers (e.g. Reference 5 deals with an
projects, particularly following initiatives by the then
individual manager’s attitudes and actions), or analysed
UK Chief Scientific Advisor, Professor Sir Richard
projects for a homogenous client. In actual projects, a
Norman, and the so-called Jordan-Lee-Cawsey number of people are involved, and, in major problems,
Report.
a number of corporate entities are involved. (Haill
describes this oversimplification as ‘the myth of the
decision maker’). Therefore, a risk-management infra-
CURRENT RISK RESEARCH: SINGLE structure is essential, to ensure that the following actions
PERSON take place.
Current research has concentrated on two areas:
Risks are continuously monitored.
l individuals’ attitudes to risk, and the elicitation of Top-level studies have a rational basis.
these attitudes by analysts, Risks are controlled, risk-reduction actions are
l the analysis of projects to indicate the degree of implemented, and optimum use is made of risk-
overall risk. reduction resources.
Reporting on risks and risk sources flows correctly up
This is not the place to provide a full literature survey the management structure.
of these areas, and so only a few major texts are Direction on action plans for risk reduction and
quoted. contingencies flow correctly down the management
A full study of managers’ attitudes to taking risks is structure.
described in the book by MacCrimmon and Wehrung’. Problems and potential failure in a project are flagged
This defines standardized risk situations, and describes as early as possible (cancellation possibly being
how managers choose options and risk action/outcome allowed to avoid large nugatory costs4).
benefits. It also compares various risk measures in
these standardized situations (such as prospect theorye, This is particularly the case because decisions are not
an important alternative to classical von Neuman- usually one-off ‘go-no-go’ decisions. They are made
Morganstern utility theory). This discussion is put over a period of time, with assessments and subdecisions
within the context of a manager making a commercial occurring sequentially (see, for example, Reference 13),
decision. Over 300 references give a good view of the requiring a dynamic, reactive management infra-
literature. One further step taken by this text is structure.
consideration of managers’ adjustment of risk, by An effective risk-management infrastructure also
hedging, keeping options open, or delaying until more provides the correct place for risk analysis within the
information is available, rather than by simply overall project management. Simply analysing risk and
immediately choosing one of the available risky then managing it (see, for example, Reference 14) is not
options, as suggested by simple models. sufficient. Embedding risk analysis within an effective
The uncertainty involved in real risk situations is, of infrastructure ensures that its results are accepted and
course, usually unknown, being epistemic rather than acted upon. This may then answer the critics of risk
aleotoric’. To put decisions on a rational basis, analysts analysis, who say that either risk analysis is not useful
need to elicit probabilities and probability distributions and that management should just live with the riski3, or
from experts. Formal methods need to be used to that good project management implicitly includes
ensure consistency and uniformity in this exercise’. The generic strategies for minimizing risk so that separate
now classic paper on this subject, which describes in risk analysis is unnecessary (see Reference 14), or that
particular the SRI method for probability encoding, is risk analysis is useful but frequently not accepted.
by Merkhover’. This again gives a good review of the An effective risk-management infrastructure
available literature, and covers important aspects of becomes even more important when a project is being
bias and motivation, problem structuring, and the use carried out not by one corporate entity, but a consortium
of extra information such as distributional data and or community of companies. This is becoming more
regression towards the mean. common, particularly in the defence industry, and the
Concerning the second point listed above, on project author has been a project risk manager or analyst on a
analysis, considerable research has been undertaken on number of such projects.
the accumulation of uncertainties to produce temporal
risks to a project. Chapman et al. lo provide a discussion
of some methods for time and cost planning, and the CRITERIA
choice between them. Cooper and Chapman” expand What criteria should be applied when planning such a
this, concentrating on the CIM method. Williams’2 structure, choosing whether a more or less formal
discusses the practical problems involved in an analytic system is appropriate, and choosing whether a simpler
method, and describes the RiskNet approach; this or more complex system is more appropriate?

6 International Journal of Project Management

 RISKMANAGEMENT

Risk-management structures provide two benefits:
clearly, a mechanism for ensuring that risks are
analysed and managed,
a means of communication across a complex project
structure, providing a ‘common currency’15 for such
communication, and ensuring monitoring and control
of risk (see Coo er and Chapman’s ‘framework of
communication” P).
The type of structure developed depends on the
differing requirements for these two components:
A project that is low-risk, highly serial, or short in
duration, or whose risk is owned by another party,
tends to have a low requirement for the first benefit
above. Conversely, a risky project (e.g. a new
development) with a highly uncertain environment,
highly parallel or very long, or whose risk is wholly
owned by one’s own organization, tends to have a high
requirement for the first benefit above.
A project that involves many parties in consortia or
contractor/subcontractor relationships, or even a
single company spread over many divisions and/or
sites (each party possibly only having a view of part of
the project), has a high requirement for the second
benefit above. Conversely, a small tightly knit project
team, the members of which generally know the
project status, has a low requirement for the second
benefit above.
This relationship is shown in Figure 1, which also shows
the frequency with which such projects have been
found by the author to occur in practice.
The key word in approaching the first benefit above
is ~ex~bifity. The achievement of effective analysis
requires an approach that is able to encompass the
complex interacting uncertainties that are inherent in
the real world, which may not fit a standardized
structured package-based method”.
The key word in approaching the second benefit
above is formality. The achievement of effective risk
communication where there is a high requirement
needs a structure of pro formas for enquiring,
reporting and instructing, and a formal system for
review and decision taking. Typical methods are
described later in this Da6er. WAsmall integrated
team, implying a low req;irement for this, would
view the imposition of a complex formal system as
unnecessary and intrusive.
SINGLE-COMPANY CASE
A risk infrastructure within a single homogeneous
company serves as an integrating factor in drawing
together analysis of the specification, temporal and cost
uncertainties. ‘Risk’ acts as a ‘common currency’15,
enabling these three aspects to be considered in a single
integrated analysis.
The most common administrative device for keeping
track of these risks is the use of a ‘risk register’: a
simple collection of risk statements, each pro forma,
containing, for example,
the ‘owner’ of the risk,
the estimated likelihood of its occurrence,
the project objectives on which it impacts (e.g.
scheduling, cost, some specific specification or
performance measure), and the estimated severity of
its impact,
work-breakdown items and/or PERT activities influ-
enced,
possible contingency plans, to prepare for the event
of the risk occurring,
secondary risks or knock-on effects.
An easy extension of this idea is the generation of the
most important risks into a ‘key-risk list’ or a ‘key-risk
agenda’, as described below.
The central role that the risk register plays in the
risk-assessment process is shown in Figure 2. The risks
in the register that impact on each of the three main
objectives can be combined to show the risk to that
objective. In particular, the following are true.
l The combination of uncertainty and costs to give an
overall cost risk assessment is well known and not
unusual’6. Stochastic spreadsheets assessed numeric-
ally by simulation and distribution-convolution
methods are commonly used.
o Methods of combining uncertainties to give an
overall assessment of risk to specification or perform-
ance measures can use similar additive methods
where the measure (such as the weight of a final
product) is easily quantified. Otherwise, more
qualitative analysis will display information graphic-
ally, for example on probability-impact grids (see

Hiah risk
Uncertain
Low risk environment
Serial Parollei
Short Long
Outside risk
ownershlp
I .I
High
Requirement for Specification Progmmme
second benefit : doto
communication

High I

Requirement for first benefit : Spec~fxxtlon - risk

analysis, man~ment assessment assessment

Figure f. Re~~tio~s~ip between ~~~pone~ts Figure 2. Role of risk register

Vol 11 No 1 February 1993 7

RISK MANAGEMENT

Figure 3), and summarize the existence or non- Table 2. Some methods
existence of risk reduction or contingency actions.
l Combining time risks is not an additive process, Time cost Specification Facilitating
but the effect of uncertainty on PERT diagrams is well
Top-down RiskNet Stochastic Functional + Influence
known’7,‘2. BAeSEMA use their RiskNet software Networks spreadsheets development diagrams
to provide flexibility in modelling’* rather than a (stochastic
package which restricts the analyst to simple un- spreadsheets)
certainties in activity durations.
t T T

This assessment capability needs to be embedded Bottom-up Activity WBS Functional

within a management structure. The key to integrating assessment progress assessment
the management is the risk-management committee reporting
(RMC). This is a committee that consists of perhaps the
risk manager, the project manager, and one each of the
line-management functions representing the three risk In order for the core team to monitor the ongoing
objectives (e.g. the programmes manager, the cost- development of the functional capability of the
control manager and the chief engineer). This enables system, the senior technical team is charged with
assessments to be coordinated and decisions to be carrying out functional-development assessments at
made. Regular meetings of this committee provide the result intervals. This is based on broad functional
basis for the cycle of risk-analysis activity. areas of the system. The method cannot stand alone,
Risks can be detected as being ‘top-down’ (i.e. as many dependency and temporal issues are not
looking at the project as a whole), or as being ‘bottom- addressed, but it
up’ (i.e. looking at individual items). The former
ensures an overview and the inclusion of super-item o addresses the broader issues that apply across a
risks, while the latter ensures coverage. Methods need whole functional area, but which might be difficult
to be established to track each of the top-down and to attach to any one of the component activities in
bottom-up risks for each of time, specification and the project network.
costs. Typical methods used by BAeSEMA are shown o helps to establish risk-minimization effort.
in Table 2.
The functional-attribute review system is run by the
l Networking is the core technique used by the senior technical team. Technical performance para-
project-management team. When extended to meters are listed on an attribute register. These are
include probabilistic effects, networking also typically drawn from the cardinal point specification,
provides the basis for probabilistic risk assessment, although they also include secondary attributes
such as RiskNet analysis. The discipline of network representing inhouse subgoals of interest. Specific
construction requires management to consider: technical performance measures are defined for each
parameter so that its progress can be monitored by
o the activities required for the project, the development engineers on a formal pro-forma
o a range of possible outcomes for the project, and basis. The reporting is to the senior technical team.
not just the most likely outcomes, The risk team, as decision analysts, also have
o where dependencies can be dispensed with, to specialized techniques to assist in structuring the
increase parallelism. problem. One example is the use of influence
diagrams, which can show the various influences that
bear upon the risks. The systematic study of such
The activity-review system is run by the project-
diagrams can show important chains of effects or
management team, and it monitors individual positive feedback loops. It can also promote useful
activities on a regular basis. Activities are defined in brainstorming relating to the project network
an activity register, by a hierarchical level of work-
structure. Work with influence diagrams is generally
breakdown structure. Risk in these individual informal, but it probably uses a decision analyst (a
activities is then investigated, identified and con- ‘facilitator’). If the structure of the influences
trolled by the development-team managers. Report- becomes significant, there are tools to assist in the
ing takes place regularly, on a structured pro forma analysis of these decisions: for a structural analysis,
basis. to the project-management team. COPE assists in building influence diagrams and
demonstrating causal chains; where a more numerical
analysis is required, STELLA or stochastic spread-
High sheets can be used by risk analysts to give an
integrated overview.
Impact
The risk-reduction process is driven by two main
outputs from the RMC:

Law High
l Key-risk agenda: This is a list of strategic issues
Likelihood
highlighted as key risks. Its purpose is to focus
management effort. Items are added or removed
Figure 3. Probability-impact grid from the list at regular RMC meetings.

8 International Journal of Project Management

 RISKMANAGEMENT

l Action-effectiveness monitoring: To keep a formal The principal/agent or prime/subcontractor relation-

record of the actions instigated by the RMC, and to ship adds an extra dimension. Considerable research
monitor whether they have been implemented and has gone into the nature of this relationship, for
whether they have been effective in reducing risk, a example Eisenhardt’s ‘agency theory”’ (although she
risk action register is maintained, and a suitable pro points out that risk is an issue that ‘researchers should
forma is used for the reporting of implementation focus on’ as a ‘next step’). This relationship has become
and outcome. Progress on an action is considered as a particularly important topic in the defence world, as
that action occurs on the key-risk agenda at the RMC defence ministries seek to transfer risk to industry.
meeting. Thus, some naval programmes in Australia, for
instance, are understood to have been contracted on a
Risk management also provides an essential input to time and performance specification, with liquidated
tradeoff analyses (see, for example, an early paper by damages on shortfalls, so that the risk falls on the prime
Starr and WhippIe”). The benefits of an action or contractor. Similarly, Ministry of Defence policy in the
design option need to be balanced with costs in terms of UK is moving towards contracts in which risk is
financial cost, time and specification disbenefits. transferred to the prime contractor. It needs to be
Indeed, the risk-management process described above pointed out, however, that two areas of risk are
generates possible actions in the form of risk reduction considerably increased by this route:
and contingency plans, and these need to go through
the tradeoff analysis process. While the risks of not meeting the written specifica-
tion are transferred to the prime contractor, the
contracting party needs to specify exactly what is
MULTICOMPANY CASE required, and the risk of unforeseen performance
behaviour, or outcomes that are not what was
The infrastructures described above obviously need originally intended, fall on the writer of the specifica-
some modification when more than one company or tion.
party is involved in the project. Critical to this The project is likely to fail if the prime contractor
modification is the relationship between the companies, ceases to exist. Prime contractorship requires a
and in particular whether they are essentially considerable financial base, but prime contractorship
can also exacerbate problems that otherwise could
l equal, i.e. in a consortium, largely sharing the risk, have been contained to such an extent that a
or company crashes.
0 unequal, i.e. in a principal/agent or prime contractor/
subcontractor relationship, with one largely bearing In such a situation, the prime contractor can be
the risk. expected to charge a ‘risk premium’, to cover cost
overruns, delays to payment points or damages on
These two cases are dealt with in turn in this section, delivery performance. However, this means the follow-
the former more briefly than the latter. ing:
The consortium case is intrinsically no different from
the single-company case. The higher dispersion of the l The prime contractor must be able to quantify the
project and the increased need for an audit trail for any risks, and be confident in the answer, including risks
decision made, strengthen the requirement for a formal inherent in the subcontractors.
risk-management system (and not simply a risk-analysis l The procuring party must be able to assess the
system (see, for example, Reference 14)). Indeed, the reasonableness of this premium, and to justify the
criteria described above suggest that a more formal premium internally.
system should be used in this case. Within this system,
the risk analysis should be an integrated holistic This increases the need for a formal, normalized,
analysis, to provide a common basis for the assessment. calibrated risk-management infrastructure. In
Although there is not necessarily any intrinsic pressure particular, it increases the need for visibility and
towards secrecy or confidentiality, it is still necessary availability. Quantification of the time, cost and
for the risk analyst to try to normalize the opinions that specification risks become important, and written key-
he/she elicits. There are well-documented psychological risk agendas and risk-action registers become a means
and decision-theoretic techniques for debiasing experts of communication between the parties.
(in particular, see the famous paper by Merkhover’).
Other standardizing methods can also be drawn on,
such as CONCLUSIONS
This paper has highlighted a gap in current research:
the use of independent experts, who can be seen to the mechanisms and management infrastructure for
have no interest in the contracting parties, managing risk within projects. A start has been made
the use of historic data to calibrate the results (a by defining some criteria for choosing an infrastructure
Meridian document” is a good US source document, and describing some techniques that have been found
Pugh et aI.” make some comments on UK aero- to be useful in practice. Some of the issues present
nautical projects, and Morris and Hough3 provide a when more than one company is involved have been
useful bibliography), discussed. It is hoped that this paper will be a spur to
the single risk analyst, him/herself acting as a further research and discussion, to help those involved
normalizing factor. in risk management to be more effective.

Vol 11 No 1 February 1993 9

RISK MANAGEMENT

REFERENCES of risk analysis in project management’ Znt. J. Proj.

Manage. Vol 9 No 2 (1991) pp 117-123
1 Marshall, A W and Meckling, W H ‘Predictability 15 Charette, R Software Engineering Risk Analysis and
of the costs, time and success of development’ Management McGraw-Hill (1989)
Report P-1821 Rand Corporation, CA, USA (1959) 16 Treasury ‘Green Book’ Guide HMSO, UK
2 Baum, W C and Tolbert, S M Investing in Develop- 17 Ritchie, E ‘Network based planning techniques: a
ment Oxford University Press, UK (1985) critical review of published developments’ in Rand,
3 Morris, P G and Hough, G H The Anatomy of G K and Eglise, R W (Eds.) Further Developments
Major Projects: A Study of the Reality of Project in Operational Research Pergamon Press, UK
Management John Wiley, UK (1987) (1985)
4 Humphries, D E ‘Project risk analysis in the aero- 18 Starr, C and Whipple, C ‘Risks of risk decisions’
space industry’ in Project Risk Analysis in the Science Vol 208 (1980) pp 1114-1119
Aerospace Industry Royal Aeronautical Society, 19 ‘Preliminary analysis of technical risk and cost
UK (1989) (Proc. Roy. Aeronaut. Sot. Conf. uncertainty in selected DARPA programs’ DARPA
(1989)) Reoort 4287 Meridian Corporation, Falls Church,
5 MacCrimmon, K R and Wehrung, D A Taking VA, USA (1981)
Risks: The Management of Uncertainty Free Press, 20 Pugh. P. Acorn. A G and Ball, D ‘Who can tell what
0, I 7

USA (1986) might happen? A review of methods for risk

6 Kahneman, D and Tversky, A ‘Prospect theory: an assessment’ in Project Risk Analysis in the Aero-
analysis of decision under risk’ Econometrica Vol47 space Industry Royal Aeronautical Society, UK
(1979) pp 263-291 (1989) (Proc. Roy. Aeronaut. Sot. Conf (1989))
7 Oakes, M Statistical Inference - A Commentary for 21 Eisenhardt, K M ‘Agency theory: an assessment
the Social and Behavioural Sciences John Wiley, UK and review’ Acad. Manage. Rev. Vol 14 No 1 (1989)
(1986) pp 57-74
8 Kahneman, D, Slavic, P and Tversky, A (Eds.)
Judgement Under Uncertainty: Heuristics and Biases
Cambridge University Press, UK (1986) Terry Williams is a principal
consultant for BAeSema (Marine
9 Merkhover, M W ‘Quantifying judgemental un-
Division), UK, in operational re-
certainty: methodology, experiences and insights’ search. He specializes in problems
IEEE Trans. Syst. Man. & Cyber. Vol SMC-17 No involving uncertainty, using
5 (1987) pp 741-752 statisticslprobability, simulation
10 Chapman, C B, Phillips, E D, Cooper, D F and and, particularly, project risk
management (PRM). He began
Lightfoot, L ‘Selecting an approach to project time PRM business in 1985, carrying
and cost planning’ Int. J. Project Manage. Vol 3 out seminal work in assessing risk
(1985) within major projects and their
11 Cooper, D F and Chapman, C B Risk Analysis for management and control. He
developed the prototype project
Large Projects John Wiley, UK (1987)
risk-analysis tool RiskNet. In a
12 Williams, T M ‘Risk analysis using an embedded wide range of major development
CPA package’ Int. J. Proj. Manage. Vol8 (1990) pp projects, mainly in defence, he nas carried out and led risk
84-88 assessments and advised on risk-management infrastructures. He
13 Hall, W K ‘Why risk analysis isn’t working’ Long acts as risk manager on major multicompany defence contracts,
with roles in many of the current major naval programmes. He
Range PZanning (Dee 1975) pp 25-29 studied at Oxford and Birmingham, UK, and has published widely.
14 Ward, S C and Chapman, C B ‘Extending the use

10 International Journal of Project Management