Risk-management infrastructures
T M Williams
subliminal. However, virtually all projects have three main objectives: meeting a particular specification, within an overall timescale, and within an overall cost. Projects can fail on one, two or three of these main objectives. There is a very large set of literature relating to project outturns, from early studies such as

Thames Barrier >
UK Advanced Passenger Train X v X
Fulmar North Sea Oil Field X d v
Computerization of UK Pay as You Earn tax system V d V
Project Giotto >
BAeSEMA, 1 Atlantic Quay, Broomielaw, Glasgow G2 8JE, UK
‘throwing money’ at a project to achieve the specification and timescale while exceeding budget, or finishing on time and budget with an inferior output.

These risks are of particular concern to government departments, who effect many of the big development projects in the UK. Humphries4 describes the developments within the UK Ministry of Defence making risk analysis and management mandatory on large defence projects, particularly following initiatives by the then UK Chief Scientific Advisor, Professor Sir Richard Norman, and the so-called Jordan-Lee-Cawsey Report.

CURRENT RISK RESEARCH: SINGLE PERSON

Current research has concentrated on two areas:

• individuals’ attitudes to risk, and the elicitation of these attitudes by analysts,
• the analysis of projects to indicate the degree of overall risk.

This is not the place to provide a full literature survey of these areas, and so only a few major texts are quoted.

A full study of managers’ attitudes to taking risks is described in the book by MacCrimmon and Wehrung’. This defines standardized risk situations, and describes how managers choose options and risk action/outcome benefits. It also compares various risk measures in these standardized situations (such as prospect theorye, an important alternative to classical von Neumann-Morgenstern utility theory). This discussion is put within the context of a manager making a commercial decision. Over 300 references give a good view of the literature. One further step taken by this text is consideration of managers’ adjustment of risk, by hedging, keeping options open, or delaying until more information is available, rather than by simply immediately choosing one of the available risky options, as suggested by simple models.

The uncertainty involved in real risk situations is, of course, usually unknown, being epistemic rather than aleatoric’. To put decisions on a rational basis, analysts need to elicit probabilities and probability distributions from experts. Formal methods need to be used to ensure consistency and uniformity in this exercise’. The now classic paper on this subject, which describes in particular the SRI method for probability encoding, is by Merkhofer’. This again gives a good review of the available literature, and covers important aspects of bias and motivation, problem structuring, and the use of extra information such as distributional data and regression towards the mean.

Concerning the second point listed above, on project analysis, considerable research has been undertaken on the accumulation of uncertainties to produce temporal risks to a project. Chapman et al.10 provide a discussion of some methods for time and cost planning, and the choice between them. Cooper and Chapman” expand this, concentrating on the CIM method. Williams12 discusses the practical problems involved in an analytic method, and describes the RiskNet approach; this paper begins to recognize the combination of time, cost and technical risks, which is discussed further below.

NEED FOR RISK-MANAGEMENT INFRASTRUCTURE

Much of the research has thus concentrated on individual project managers (e.g. Reference 5 deals with an individual manager’s attitudes and actions), or analysed projects for a homogenous client. In actual projects, a number of people are involved, and, in major problems, a number of corporate entities are involved. (Haill describes this oversimplification as ‘the myth of the decision maker’). Therefore, a risk-management infrastructure is essential, to ensure that the following actions take place.

• Risks are continuously monitored.
• Top-level studies have a rational basis.
• Risks are controlled, risk-reduction actions are implemented, and optimum use is made of risk-reduction resources.
• Reporting on risks and risk sources flows correctly up the management structure.
• Direction on action plans for risk reduction and contingencies flow correctly down the management structure.
• Problems and potential failure in a project are flagged as early as possible (cancellation possibly being allowed to avoid large nugatory costs4).

This is particularly the case because decisions are not usually one-off ‘go-no-go’ decisions. They are made over a period of time, with assessments and subdecisions occurring sequentially (see, for example, Reference 13), requiring a dynamic, reactive management infrastructure.

An effective risk-management infrastructure also provides the correct place for risk analysis within the overall project management. Simply analysing risk and then managing it (see, for example, Reference 14) is not sufficient. Embedding risk analysis within an effective infrastructure ensures that its results are accepted and acted upon. This may then answer the critics of risk analysis, who say that either risk analysis is not useful and that management should just live with the risk13, or that good project management implicitly includes generic strategies for minimizing risk so that separate risk analysis is unnecessary (see Reference 14), or that risk analysis is useful but frequently not accepted.

An effective risk-management infrastructure becomes even more important when a project is being carried out not by one corporate entity, but a consortium or community of companies. This is becoming more common, particularly in the defence industry, and the author has been a project risk manager or analyst on a number of such projects.

CRITERIA

What criteria should be applied when planning such a structure, choosing whether a more or less formal system is appropriate, and choosing whether a simpler or more complex system is more appropriate?
Risk-management structures provide two benefits:

• clearly, a mechanism for ensuring that risks are analysed and managed,
• a means of communication across a complex project structure, providing a ‘common currency’15 for such communication, and ensuring monitoring and control of risk (see Cooper and Chapman’s ‘framework of communication’).

The type of structure developed depends on the differing requirements for these two components:

• A project that is low-risk, highly serial, or short in duration, or whose risk is owned by another party, tends to have a low requirement for the first benefit above. Conversely, a risky project (e.g. a new development) with a highly uncertain environment, highly parallel or very long, or whose risk is wholly owned by one’s own organization, tends to have a high requirement for the first benefit above.
• A project that involves many parties in consortia or contractor/subcontractor relationships, or even a single company spread over many divisions and/or sites (each party possibly only having a view of part of the project), has a high requirement for the second benefit above. Conversely, a small tightly knit project team, the members of which generally know the project status, has a low requirement for the second benefit above.

This relationship is shown in Figure 1, which also shows the frequency with which such projects have been found by the author to occur in practice.

[Figure 1. Labels: Low risk, Serial, Short, Outside risk ownership; High risk, Uncertain environment, Parallel, Long; Requirement for second benefit: communication; High]

The key word in approaching the first benefit above is flexibility. The achievement of effective analysis requires an approach that is able to encompass the complex interacting uncertainties that are inherent in the real world, which may not fit a standardized structured package-based method”.

The key word in approaching the second benefit above is formality. The achievement of effective risk communication where there is a high requirement needs a structure of pro formas for enquiring, reporting and instructing, and a formal system for review and decision taking. Typical methods are described later in this paper. A small integrated team, implying a low requirement for this, would view the imposition of a complex formal system as unnecessary and intrusive.

SINGLE-COMPANY CASE

A risk infrastructure within a single homogeneous company serves as an integrating factor in drawing together analysis of the specification, temporal and cost uncertainties. ‘Risk’ acts as a ‘common currency’15, enabling these three aspects to be considered in a single integrated analysis.

The most common administrative device for keeping track of these risks is the use of a ‘risk register’: a simple collection of risk statements, each pro forma, containing, for example,

• the ‘owner’ of the risk,
• the estimated likelihood of its occurrence,
• the project objectives on which it impacts (e.g. scheduling, cost, some specific specification or performance measure), and the estimated severity of its impact,
• work-breakdown items and/or PERT activities influenced,
• possible contingency plans, to prepare for the event of the risk occurring,
• secondary risks or knock-on effects.

An easy extension of this idea is the generation of the most important risks into a ‘key-risk list’ or a ‘key-risk agenda’, as described below.

The central role that the risk register plays in the risk-assessment process is shown in Figure 2. The risks in the register that impact on each of the three main objectives can be combined to show the risk to that objective. In particular, the following are true.

[Figure residue. Labels: Specification; Programme data]

• The combination of uncertainty and costs to give an overall cost risk assessment is well known and not unusual16. Stochastic spreadsheets assessed numerically by simulation and distribution-convolution methods are commonly used.
• Methods of combining uncertainties to give an overall assessment of risk to specification or performance measures can use similar additive methods where the measure (such as the weight of a final product) is easily quantified. Otherwise, more qualitative analysis will display information graphically, for example on probability-impact grids (see Figure 3), and summarize the existence or non-existence of risk reduction or contingency actions.
• Combining time risks is not an additive process, but the effect of uncertainty on PERT diagrams is well known17,12. BAeSEMA use their RiskNet software to provide flexibility in modelling’* rather than a package which restricts the analyst to simple uncertainties in activity durations.

Table 2. Some methods

            Time               Cost                      Specification                                     Facilitating
Top-down    RiskNet networks   Stochastic spreadsheets   Functional development (stochastic spreadsheets)   Influence diagrams

Figure 3. Probability-impact grid [axis: Likelihood, Low to High]

• Key-risk agenda: This is a list of strategic issues highlighted as key risks. Its purpose is to focus management effort. Items are added or removed from the list at regular RMC meetings.
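
As an added illustration (not code from the paper and unrelated to BAeSEMA's RiskNet software), the risk register, key-risk list, probability-impact grid and simulated cost-risk combination described above can be expressed in Python. The field names, the triangular impact distribution, the grid cut-offs, the ranking heuristic and the sample register are all assumptions made for this example.

```python
import random
from dataclasses import dataclass, field

@dataclass
class Risk:
    """One risk-register entry, with the fields the text lists."""
    name: str
    owner: str
    likelihood: float        # estimated probability of occurrence (0..1)
    objective: str           # "cost", "time" or "specification"
    impact: tuple            # severity as (low, most likely, high), in the objective's unit
    activities: list = field(default_factory=list)  # WBS items / PERT activities influenced
    contingency: str = ""    # plan prepared in case the risk occurs
    secondary: list = field(default_factory=list)   # knock-on risks

def grid_cell(risk, p_cut=0.3, i_cut=100.0):
    """Position on a 2x2 probability-impact grid; the cut-offs are assumptions."""
    return ("High" if risk.likelihood >= p_cut else "Low",
            "High" if risk.impact[1] >= i_cut else "Low")

def key_risks(register, objective, n=2):
    """Key-risk list for one objective, ranked by likelihood x most likely impact."""
    own = [r for r in register if r.objective == objective]
    return sorted(own, key=lambda r: r.likelihood * r.impact[1], reverse=True)[:n]

def simulate_cost(register, base_cost, trials=20000, seed=1):
    """Monte Carlo cost outturn: each cost risk occurs with its likelihood and,
    when it does, adds a triangular-distributed impact to the base cost."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = base_cost
        for r in register:
            if r.objective == "cost" and rng.random() < r.likelihood:
                low, mode, high = r.impact
                total += rng.triangular(low, high, mode)
        totals.append(total)
    totals.sort()
    return {"mean": sum(totals) / trials, "p50": totals[trials // 2],
            "p90": totals[int(trials * 0.9)]}

# Constructed sample register (cost impacts in thousands of pounds).
REGISTER = [
    Risk("Supplier delay", "Procurement", 0.40, "cost", (50, 120, 300), ["WBS 3.2"]),
    Risk("Integration rework", "Systems", 0.25, "cost", (100, 200, 500), ["WBS 5.1"]),
    Risk("Exchange-rate movement", "Finance", 0.60, "cost", (10, 30, 80)),
    Risk("Trials range unavailable", "Trials", 0.10, "time", (2, 4, 10)),
    Risk("Weight target exceeded", "Design", 0.50, "specification", (5, 20, 60)),
]

if __name__ == "__main__":
    print([r.name for r in key_risks(REGISTER, "cost")])
    print(simulate_cost(REGISTER, base_cost=1000))
```

The gap between the simulated mean and the 90th percentile is what a single-point cost estimate hides; time risks are left out of the sum because, as the text notes, they do not combine additively.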