This preview shows page 1. Sign up to view the full content.
Unformatted text preview: CAIRO DEMOGRAPHIC CENTER
RISK ASSESSMENT AND RISK
By Prof. Atef 1: Risk Definition Characteristics and Types
A risk is a potential problem, a situation that, if it materializes, will adversely
affect the project. Risks that materialize are no longer risks, they are problems.
All projects have risks, and all risks are ultimately handled. Some disappear,
some develop into problems that demand attention, and a few escalate into crises
that destroy projects. The goal of risk management is to ensure that risks never fall
into the third category.
There are four steps to managing risks : identify them, categorize them,
mitigate them, and manage them. Identifying Risks
If there is one risk that is universally the most dangerous for all projects, it is the
Corporate management views the project manager’s risk analysis as alarmist and
will not take the risks seriously until they materialize.
The only way to mitigate this risk is to document all other risks, identify the actions
you take, and keep a management informed, especially as the risk becomes more
probable. It is only by stressing your risk analysis, by making explicit
recommendations, and by insisting that management understand the risks that you
can avoid having to say, “See, I told you so.” Common Risks
Table (1) lists common risks that most projects will encounter, They form a starting
point for developing a catalog of risks. However, the list is not exhaustive; most
project managers will find several more risks that they can add, and project
experience will tend to increase this number. When you are assessing the risks for
your projects, always refer to a list such as this. Otherwise, you run the project
management risk that not all project risks are identified. Table (1) Sample List of Risks
Staff Risks Key staff will not be available when needed.
Key skill sets will not be available when needed.
Staff will be lost during the project.
Equipment Risks Required equipment will not be delivered on time,
Access to hardware will be restricted.
Equipment will fail. Table (1) Sample List of Risks (Cont.)
Client resources will not be made available as required.
Client staff will not reach decisions in a timely manner.
Deliverables will not be reviewed according to the schedule.
Knowledgeable client staff will be replaced by those less qualified.
Requirements for additional effort will surface.
Changes of scope will be deemed to be included in the project.
Scope changes will be introduced without the knowledge of project management.
The technology will have technical or performance limitations that endanger the
Technology components will not be easily integrated.
The technology is new and poorly understood.
System response time will not be adequate.
System capacity requirements will exceed available capacity.
The system will fail to meet functional requirements
The office will be damaged by fire, flood, or other catastrophe.
A computer virus will infect the development system.
A team member will steal confidential material and make it available to competitors
of the client. Categorizing Risks
There are numerous statistical methods for defining degree of risks,
but the simplest categorization, and therefore the most effective, is to describe
risks as extreme, high, medium, low, or minimal.
The degree of risk depends upon two characteristics : the
probability that the risk will occur, and the impact in the project if it does.
Probability and impact are both categorized as high, medium, or
low, and their relationship, as illustrated in Table (2) indicates the degree of
Consider two risks : that a team member will resign during the
project and that a fire will consume the office, destroying the installation and
all the work that has been done. Both risks are of medium degree. In the first
case, although the probability is high, the impact is low : You assume that the
team member will give adequate notice and can be easily replaced. The
second risk has a high – in fact, potentially devastating – impact, but the
probability is low and the risk is easily mitigated by ensuring proper off-site
You categorize risks so that you can identify those that are the most
dangerous and therefore require the most attention. It is the extreme and
high risks that need your attention first. Mitigating Risks
You mitigate a risk by reducing its probability, its impact, or both. Since every project
is unique, so are the mitigating actions. However, some principles apply across
projects and risks.
When the project depends on someone (such as a supplier, client, or line manager)
to provide something (such as staff, equipment, or material) in accordance with a
schedule, ensure that the provider knows the schedule, knows what is expected, and
understands the consequences of a slippage. For major providers, such as the client,
make up a schedule giving the exact dates when the project will require resources. If
you are exact dates when the project will require client resources. If you are not able
to give an exact date now, give a date by which you will be able to.
Table (2) Categorization of Degree of Risk Probability Impact
Low Medium Low Extreme
Minimal You remove excuses by providing visibility into the project, an active
process in which provides are forced to understand what is expected of them.
For example, if you have ordered a piece of equipment with a two-month
lead time to be delivered by a specified date, just putting a required date on
the purchase order is not enough. Four weeks before delivery, call the sales
representative to verify the schedule. Three weeks prior, call to clarify, for
example, the power requirements. At two weeks, call to clear up a technical
question. One week ahead of time, call to establish shipping procedures.
With each call, of course, you will ask if there are any problems that could
delay delivery, and you will emphasize how critical timely delivery is. After
this series of calls, the supplier has no excuses to fall back on. There is no
guarantee, of course, that the equipment will actually be delivered on time,
but by actively reminding the supplier of the schedule, you have reduced the
probability of a late delivery. Demand visibility : when the project depends in someone delivering
something and there is a process that the provider must follow before
delivery, you must understand at least the milestones of the process. For
example, if a piece of equipment must be manufactured, identify the
checkpoints in the manufacturing process, have the sales representative
attach dates to each checkpoint, and call on those dates to ensure that the
milestones have been met and there are no delays.
If the process is repetitive, such as client review and approval of
project documents, understand the process. What happens to a document
when it is received? Who reviews it? How are individual reviews
reconciled? Is there a final authority for approval? Who? What is the priority
of the project for the reviewers? With this understanding you will be bale to
suggest changes in the process that will speed things up if there are delays.
Help people communicate :When there is a surprise, the project manger is frequently
the last to know, even though the informal communications network (or "rumor mill")
among team members and users contains various tidbits and snippets of information
that provide inklings of problems to come. Helping people to communicate increases
the probability that useful information will find its way to you.
The communications network can provide advance warning that an employee is
dissatisfied and looking elsewhere, that the performance of a system may be slower
than required, that software components may not integrate smoothly, or that covert
scope changes are being smuggled into the system. In other words, the rumor mill is a
prime course of information about emerging risks.. The key rule to using the rumor mill is, "Don't shoot the
messenger." No matter how painful the information, thank the deliverer;
otherwise, like the jilted spouse, you will be the last to know.
Plan fallbacks : If the technology does not perform adequately, what can be
done to improve it? If a critical team member is lost to the project, how will
those skills be replaced? If the building burns down, how does the project
recover? Fallbacks are your plans for when the worst happens.
Fallbacks must be capable of being put into action, either now or
when they are needed, and they must be capable of being handled within the
budget, schedule, and functionality of the project. If this is not the case, they
are not fallbacks, they are wishes with nothing to anchor them but the
fervent hope they will never have to be exercised.
2-1 : Risk Management
Risk management is both a planning and a managing activity. It is
not enough to set down some risks at the start of the project and then ignore
them. You must manage them.
Managing risks means continually re-evaluating the risks that have been
defined and identifying new ones. There are three main mechanisms for
managing risks : project; since they are only potential problems, they are
lower in priority than real ones. Therefore to manage risks, you must ensure
that they are an overt part of the project team's, and your, consciousness . All team members must be aware of the risks that have been identified and
awake to situations that affect them. To keep risks visible, devote part of each tem
meeting to a "risk review" in which the risks are addressed one by one, and team
members are instructed to comment on any thing that affects each risk. The purpose
of the risk review is not to take action, it is to identify what risks, if any, have
changed. The risk review also uncovers new risks as team members become attuned
to dangerous situations.
Your project status report should include a section entitled "Risk Review"
in which you report on risks that have become more, or less, probable or serious. By
regularly reporting risks, you are also able to prepare management for unpleasant
news so that it does not come as a surprise.
Project manager reflection is thinking time apart from the daily activities of
the project. Devote part of that thinking time to reviewing existing risks and
identifying new ones.
Prepare a risk management work sheet, similar to the one in Table (3). The
sample work sheet contains a short name of the risk to be used in status reports or risk
reviews, a longer description, and a table to track how the risk has changed. When a
risk has been eliminated, enter "Resolved" under "Comments." The risk management
work sheet keeps the risks visible.
OTHERS CLAIM THAT YOU HAVE OVERSTATED THE RISKS
You may be faced with complacency on the part of the client or an
unwillingness to plan for problems. This becomes serious when the client refuses to
expend resources to mitigate a risk that you see as high or extreme. Actions
Seek other, less expensive mitigation procedures that you can use to reduce
the risk to some extent.
Document your reasons for categorizing the risks as you did. State the
probability and describe the impact in graphic terms. Present your analysis
to the steering committee and request the resources you need to mitigate the
Risks Management Worksheet
Risk Management Worksheet
Project : ___________________ Date : ___________
Short name of the risk :
Description of the risk :
Date Comments Probability Impact Degree If you are not given the resources you requested, alert your
management to the danger and ask if they can apply leverage to the
Plan the actions you will take if the risk materializes.
You could be faced with a large number of high or ectreme
risks, all of which require effort and action. You could also be led
into mitigation procedures that are excessive, expensive, and timeconsuming.
If the risk assessments of others leads to a large number of
high or extreme risks, ask the complainants whether they really
believe the project is this risky and, if so whether it should be
undertaken. Most people will back down and acknowledge that
things are not as risky as they have made out. Honor the risk assessment from others who are knowledgeable, but
do not be intimidated into abandoning your own view of the risk. You will
encounter people who will claim, usually loudly, that a risk is
"unacceptable" and cannot be mitigated expect by the most extreme
safeguards. If your experience and that of others on your team tells you that
this opinion is alarmist, respect the risk, but prepare your plans based on a
more reasonable assessment.
2-2 : Identifying Risk And Risk Classification
Risk can be defined as : hazard chance of bad consequence or loss
exposure to mischance. This definition captures the essence of project risk,
expect that it implies that things are only expected to go wrong. On projects
some risks carry an inherent chance of profit ot loss, and some carry a
chance of loss only. The former are called business risks and the latter
insurable risks. Business Risks
The majority of risks are business risks. That is true for any part of
the operation, but especially for projects. On a project, business risk may
include : response of the market to a product; inflation weather or the
performance of technology and resources. The manager's role is to increase
the chance of profit and reduce the chance of loss. However, the expectation
is that on average the risks will turn out worse than better because although
the likelihood of profit and loss may be the same the maximum, possible
loss is very much greater then the maximum profit. The weather may be
kind as often as it is unkind. However, bad weather can stop work
completely or even destroy previous work, but good weather seldom allows
work to proceed at double the normal pace.
Insurable risks lead to loss only, and are usually caused by external,
unpredictable factors. These are called insurable. But it is not always
possible to find a company to provide cover. For example, war and civil
disturbance are insurable risks, but are excluded from most policies.
Insurable risks fall within four areas :
- Direct property damage
- Consequential loss
- Legal liability
- Personal loss. Direct damage can be to the facility, or to plant and equipment being used
in its delivery, and may be caused by fire, bad weather, or damage during
transportation. Consequential loss is lost production arising from the facility's being
unavailable due to direct property damage. It may be lost revenue or the cost of
providing temporary cover. Legal liability may arise for damage to property or injury
to a third party, or may be due to the negligence of others. It will also cover liability
under a contract for the failure of the facility to perform either because it is late or
because it fails to meet its specification. Finally, there is the risk that members of the
team may suffer injury arising directly from their work on the project.
Risk management is the process by which the likelihood of risk occurring or
its impact on the project id reduced. It has five steps :
1- Identify the potential sources of risk on the project.
2- Determine their individual impact, and select those with a significant
impact for further analysis.
3- Assess the overall impact of the significant risks.
4- Determine how the likelihood or impact of the risk can be reduced.
5- Develop and implement a plan for controlling the risks and achieving the
reductions. Identifying Risk
One way of classifying risk is by where control of the risk lies. However, project
managers must have the right mental attitude to risk, and expect risks where they are
least expected. In that way they will be better able to respond to risks as they occur. They
must also be aware that exposure to risk can vary throughout the project management life
There are five classifications of risk according to where control lies :
1 - External Unpredictable
These are risks beyond the control of managers or their organizations, and are totally
unpredictable. They can be listed, but we cannot say which will be encountered on a
given project. They arise from the action of government, third parties or acts of God or
from failure to complete the project due to external influences. Government or regulatory
intervention can relate to supply of raw materials or finished goods, environmental
requirements design or production standards or pricing. Many projects have been killed
by the unexpected requirement to hold a public enquiry into environmental impact.
Whether a change of government at an election falls in this or the following category is a
moot point. Action of third parties can include sabotage or war, and acts of God are
natural hazards such as an earthquake. Flood, or the sinking of a ship. Failure to
complete can arise from the failure of third parities to deliver supporting infrastructure of
finance, or finance, or their failure through bankruptcy, or a totally inappropriate project
design. By their nature these risks are almost all "insurable risks." 2 - External Predictable Uncertain
These risks beyond the control of managers or their organizations. We
expect to encounter them, but we do not know to what extent. There is usually data
that allow us to determine a norm or average, but the actual impact can be above or
below this norm. Thereare two major types of risk in this category : the first is the
activity of markets for raw materials or finished goods, which determines prices.
Availability and demand: the second is fiscal policies affecting currency, inflation
and taxation. However they also include operational requirements such as
maintenance, environmental factors such as the weather, and social impacts – which
are all business risks.
3 - Internal Technical
These risks arising directly from the technology of the project work of the
design construction or operation of the facility or the design of the ultimate product.
They can arise from changes or from a failure to achieve desired levels of
performance. They can be 'business" or "insurable risks" although in the latte case
the risk is borne by the parent organization, not by an outside insurance company.
(The premium paid is the investment in other products which far exceed
expectations). 4 - Internal Non-Technical
These are risks within the control of project managers, or their organizations, and
are non-technical in nature. They usually arise from a failure of the project organization or
resources (human material or financial0 to achieve their expected performance. They may
result in schedule delays cost over-runs or interruption to cash flow. These are usually
5 - Legal
Legal risks fall under civil and criminal law. Risks under civil law arise from contractual
arrangements with clients, contractors or third parties from licences, patent rights contractual
failure or force majeure (a unilateral claim by one party to a contract) Risks under the
criminal law are duties imposed on both the owner and contractor. Under the Health and
Safety at Work Act 1974. All employers not just in the engineering industry have a duty of
care for their employees and for the public. Therefore, project managers their employers (the
contractors) and design teams can be held responsible if their negligence causes injury to any
of the parties involved with the project including the project team while working on the
project users while operating the facility and consumers using the product produced by the
facility. There have been successful prosecutions in the engineering industry. I am unaware
of a software error leading to injury of a user or consumer but with some of the modern uses
of computer systems programmers must be aware of this risk. I worked with programmers on . an an air traffic control system who are concerned about their liability Techniques for Identifying Risk
There are five techniques for identifying risk. They are listed separately but are in practice
used interactively :
Expert Judgment uses personal intuition and awareness. This is the simplest technique, but
is sufficient only on the simplest projects. The use of checklists against the categories
identified above can help.
Plan Decomposition shows risks inherent in the interdependency of work. Any event that
lies at the start or completion of many activities is a potential risk. These occur at
bottlenecks in the network. When analyzing the plan you should also look at all
external interfaces such as external supply, for potential failure of third parties.
Assumption analysis is win/lose analysis and focuses on events that might be detrimental
considering both events we want to occur but may not and events we do not want to
occur but may. Expert judgment is needed to foresee these events and check for
completeness. Table (4) contains an assumption analysis on the purchase of a computer
Decision drivers are influences that might determine whether or not certain events may occur
(inside and outside the project) Win/lose analysis can be used to derive the list of
decision drivers. It can be particularly damaging if decisions are made for the wrong
reason : political versus technical marketing versus technical, solution versus problem,
short term versus long term, new technology versus experience. . Brainstorming uses social interaction to enhance the above techniques Expecting the Unexpected
he secret of clear risk identification is to be able to predict possible causes of divergence
from plan. It is the experience of many people that failure occurs on a project where they least
expect it. This is known as Sad's Law or Murphy's Law. It is sometimes stated as : if something
can go wrong it will; if something can't go wrong it will!
Win / Lose Analysis for the Purchase of a Computer System
System offered vs system specified
Quick cheap product
Lots of nice to haves
Driving too hard a bargain
The value of this attitude is that if you expect things to go wrong you will be on your
guard for problems, and will be able to respond quickly to them. The failures may be ones you had
predicted or ones you least expect. If you anticipate problems, and plan appropriate contingency,
you will not be disrupted when those problems occur. If the unexpected then also occurs, you will
be able to focus your management effort into the areas that might now cause greatest disruption.
This attitude of expecting risks and being ready to respond is sometimes known as risk thinking.
To some people it comes naturally; others require structured, logical processes of risk
identification and analysis to support their response. The Top-Down Approach
The top-down approach can provide managers with checklist of potential risk
factors based on previous experience and can help them to determine each risk's
relative importance. Furthermore, by identifying the controlling relationships at a high
level it enables project managers to find ways of eliminating the most severe risks from
Project To Erect A Warehouse
Name Of Work Package
Design building and foundations
Prepare site and foundations
Figure 1 is the top-level network for a simple project to build a warehouse.
There are four packages of work (Table 5). Assuming end-to-start dependencies only,
the duration of the project is seven months. It might be possible to fast track the project
by overlapping work packages. However let us assume that, that is impossible on the
path A-C-D: it is not possible to buy the steel untill the design is finished and because
all the steel will arrive at once erection cannot begin until the steel has arrived. It might
be possible to start work on the site before the design is finished, but there is no need
because the duration will be determined by the delivery of the steel. Variation Of Risk With The Project Management Life Cycle
Like quality the impact of risk varies throughout the project management life
cycle. The later in the cycle risks occur, the more expensive are their consequences, but
to counteract that, the less likely they are to occur. Risk can be reduced at the design
stage by choosing a proven design rather than an untested one, or during the
implementation stage by choosing proved methodologies. Whenever novelty is
introduced the risk of failure grows throughout the life of the project.
Isolating Risk In The Work Breakdown Structure
Similarly, it is usually possible to isolate risk in the work breakdown structure
by identifying it as being associated with a certain part of the project.
3 – RISK ASSESSEMENT
Having identified possible sources of risk to the project, we need to calculate
their impact on the project. First we calculate the impact of individual risks, and then
determine their combined impact.
The Impact Of Risk
The Impact of a risk factor depends on Its likelihood of occurring and the
consequence if it does occur :
Impact of risk = (Likelihood of risk) * (Consequence of risk)
To illustrate this concept, consider the question of whether buildings in Aswan
have earthquake protection. The answer is very few or none have. The consequence of an earthquake of force 8 on the Richter Scale would be
severe loss of life, however the probability (likelihood) of such an earthquake is so
small, virtually zero, that it is considered unnecessary to take any precautions in
But Aswan Resivor and Aswan Dam do have earthquake protections.
The likelihood of an earthquake is the same but the consequences of that risk
occurrence are unacceptably high income of the resivor and the dam.
3-1 : Risk Assessment of Several Risks Combined.
A Case Study
It is a rare project that has only a single source of risk, so to determine the total
impact of risk on a project the elements must be combined. If we include all possible
sources of risk into the model, it will become impossibly complicated, and so we limit
our attention to the significant few, the 20 per cent that have 80 per cent of the impact.
The work breakdown structure is a key tool in this integration of the risk. In practice
there are two approaches:
- a top-down approach in which key risk factors are identified and assessed at a
high level of work breakdown, and managed out of the project
- a bottom-up approach. in which risks are identified at a low level of work
breakdown, and an appropriate contingency made to allow for the risk Now let us consider the risks. Let us assume that the project will start at the
beginning of September, after the summer vacation. The risks are as follows:
1- The design of the building may take more or less than three months. From previous
experience we may be able to say it will take two, three or four months with the
-2 months: 25 per cent
-3 months: 50 per cent
-4 months: 25 per cent
Hence it may be finished as early as the end of October, or may stretch to the
end of December.
2- The site cannot he prepared if there is snow on the ground. Snow occurs in four
months of the year with the following probabilities :
-December: 25 per cent
-January: 25 per cent
- February: 50 per cent
-March: 25 per cent
The duration of this work package is dependent on when it starts if it starts in
October, it will take only two months; if it starts in November, it will have the following
range of durations (see Figure 2)
-2 months: 75 per cent
-3 months: 19 per cent
-4 months: 3 per cent
-5 months: 2 per cent
-6 months: 1 per cent There will be similar tables if the work were to start in December or January,
but with the probabilities weighted towards the longer durations. In some circumstances
the preparation of the sire will become critical. Now it may be worth while trying to fast
track the design of the foundations. If the design could be completed by the end of
September, we could eliminate this risk entirely. If it is finished by the end of October,
there is a 75 per cent chance of the work being finished on time. If the start of this work
is delayed to December, there is only a 50 per cent chance. The choice will depend on
the cost of fast tracking the design of the foundations. There will be additional financial
charges if this work is completed early, it is unlikely that the cost of the design will be
greater per se, but there is a risk of re-work as described in identifying risk above. In the
event you may actually make the decision on the day depending on how the design of the
steelwork is progressing. and other factors below. 3 - There may be two possible suppliers of steelwork : the more expensive one can
deliver in one month or two months with equal probability; and the cheaper in two
months or three months also with equal probability. The delivery time therefore has the
-I month: 25 per cent
-2 months: 50 per cent
-3 months: 25 per cent
On the face of it this appears the same as the design. However, the power of
this top-down approach is you can decide what to do on the day when you know how
long the design has taken and how you are progressing with the foundations. To
understand this we need to address the fourth risk.
4. This is that the steelwork cannot be erected if there are strong winds, and these occur
with the following probability:
- February: 25 per cent
-March: 50 per cent
The duration of this work will also depend on when it starts as with preparing
the site. However, what we can see is that if the design work finishes at the end of
October then it will be better to use the more expensive supplier. There will then be a 50
percent chance that erection can begin in December and finish in January without any
delay, or a 50 per cent chance that it will begin in January, in which case it will finish in
February with a 75 per cent chance. This is of course dependent on the foundations being
ready, and so if it looks as though the steelwork design will be completed early then it
will be worth while fast tracking the foundations. On the other hand, if the design takes
four months, it would he better to use the cheaper supplier and just plan to start erecting
the steelwork in April saving on extra cost of of the foundations and on having erection
fitters standing idle. This simple case shows that the top-down approach allows you to analyse the
interrelationships between elements of risk, and management decisions based on that
analysis and the actual out-turn. Following a top-down approach, you are able to develop
additional detail in some areas. In the case above, for instance you could introduce a
lower level of work breakdown to find out how to fast track the design of the
foundations to reduce the risk. That requires the design to be broken into smaller
packages of work subject to strict design parameters at the top level.
Influence diagrams are tools - derived from a systems dynamics approach -that
can assist a top-down analysis. They show how risks influence one another: some risks
reinforce others (+), and some reduce others (-). Figure 3 is an example of an influence
diagram. The power of the technique is to identify loops of influence. “Vicious cycles”
have an even (or zero) number of negative influences, and “stable cycles” an odd
number. In Figure 3 loop ADEKLIBA is vicious, and loop ADEGHJIBA is stable. In
“vicious cycle” an externally imposed influence can be amplified indefinitely.
The Bottom-Up Approach
The bottom-up approach analyses risk at a low level. It can identify several
critical paths, and calculate a range of outcomes for cost and duration to enable the
project manager to allow appropriate contingency. However, it is essentially a negative
approach to risk, as it assumes that risk elements are beyond the control of managers. It
does nothing to help the manager to quantify or convey information for developing an
appropriate management response to reducing or eliminating risk. The approach develops a detailed project model at a low level of breakdown.
Variable durations and / or costs are assigned to work element, as in the above example.
However, at a low level it is not possible to calculate the various outcomes manually, as
they were above. Instead, we perform a Monte Carlo analysis. The project model is
analysed many times: 100 to 10 000 is typical depending on the size of the model. Each
time a random number is drawn for each parameter for which there is a range of values,
and a value selected accordingly. (This makes the simplifying assumption that the risk
elements are unrelated which may not be the case -see Figure 3). The cost and duration
are then calculated using those values and a range of possible outcomes calculated for
the project. Effectively, the project is sampled however many times the analysis is
performed. The results of the Monte Carlo analysis are presented as a probability
distribution for time cost or both. This may be a simple or cumulative distribution.
Figure 4 shows both distributions for the duration of the warehouse project. assuming the
logic given in Table 5. For this simple case, the critical path may go through either A-BD or A-C-D, and the duration can be anything from 6 to II months. The likelihood that
either or both of the routes will be the critical path is:
Critical path: A-B-D Both A-C-D Likelihood: 52% 24% 24% Figure (3)
Influence Diagram With a project this small it is just possible to calculate these numbers by hand.
With anything larger the figures have to be determined using a Monte Carlo analysis.
From this we see that the median outcome is eight months (half the time the duration
will be this or less) and that 90 percent of the time the duration will be less than nine
months. The most likely duration (the mode) is nine months. If a nine month duration is
acceptable, we may accept these figures. If not, we would need to shorten the project.
The critical path figures show that the most useful effort may be put into shortening AB-D, and that may suggest fast tracking the design of the foundations. However, from
this we do not see the effect of the two suppliers. That can only be analysed by the topdown approach. Accounting for Increased Costs or Reduced Revenues
Monte Carlo analysts can also be applied to the costs and revenues of a
project, to produce a range of likely returns. However, with the costs and revenues, the
risk can be accounted for directly by allowing a contingency.
Communicating the Risk Analysis
The ultimate purpose of the risk model is to communicate the analysis to all
the parties involved with the project:
- to the owners for them to assess its value
- to the champions, so they can give their support and commitment to the
- to the project managers so that they can develop their project strategies and
perform what-if analyses
- to the integrators, to enable them to manage the risks during implementation
- to people joining the project at a later time so they know what assumptions
have been made
- to the users so that they know the commitments they are making.
To be an effective communication tool, the model must be simple, robust,
adaptable and complete. Achieving this requires considerable effort. Structuring the
model in order to achieve these requirements can take 60 per cent of the total effort of
risk analysis. 4 - REDUCING RISK
Having identified and assessed the risk you are in a position to consider ways
of reducing it. There are three basic approaches:
- avoidonce: having identified the risk, you replan to eliminate it
- deflection : you try to pass the risk on to someone else
- contingency: you take no action in advance of the deviations occurring other
than to draw up contingency plans should they occur.
Pym and Wideman use an analogy of a man being shot at. He can take cover to
avoid the bullets: he can deflect them using a shield or divert the bullets by placing
someone else in the firing line: or he can allow them to hit him and plan to repair the
The warehouse project above showed how to avoid the risk of snow holding
up the preparation of the foundations by starting the work early enough so that it is
finished before the snow comes. Under avoidance you change the plan for anyone of
the five system objectives or any combination of them to reduce the risk or eliminate it
There are three ways of deflecting risk:
- through insurance: by which it is passed on to a third party
- through bonding: by which a security is held against the risk
- through the contract: by which it is passed between owner. contractor and
subcontractors. Insurance : A third party accepts an insurable risk for the payment of a premium. which
reflects the impact of the risk the likelihood combined with the consequence.
Bonding : One or both parties to a contract deposit money into a secure account so that
if they or either party defaults the aggrieved party can take the bond in compensation.
This is a way of transferring the risk of one party defaulting to that organization.
Contract : Through contracts the risk is shared between owner contractor and
suhcontractors. There are two common principles of contracts:
(a) Risk is assigned to that pony most able and best motivated to control it. There is no
point passing risk onto a contractor or subcontractor if neither has the power or the
motivation to control it. The Institution of Civil Engineers is currently revising its
standard forms of contract around this principle. There are four styles of contract for
different approaches to sharing risk:
- fixed price
- cost reimbursable
- target cost. Under fixed price contracts. Figure 5(a) the contractor accepts all the risk by
taking a fixed fee for the work regardless of how much I it costs. It is assumed that the
owner has completely specified the requirements and as long as they do not change the
contractor can meet a given price. This approach is adopted for turnkey contracts,
where the contractor takes full responsibility and delivers to the owner an operating
facility. The owner has no role in its construction. Often in fixed price contracts the
owner and contractor haggle over every change arguing over which one of them caused,
it and whether it is Within the original specification.
When the owner cannot specify the requirements, the contractor should not
accept the risk, but it should be borne by the owner. The simplest way is through costplus contracts, Figure 5(b). The owner refunds all the contractor’s costs and pays a
percentage as profit. The disadvantage is that the contractor is still responsible for
controlling costs, and yet the higher the costs the higher the profit. This is a recipe for
disaster as the party responsible for control is not motivated to do it; in fact the exact
opposite. It is possible to adopt strict change control and that passes responsibility for
controlling costs back to the owner, but can lead to strife. Typically cost-plus contracts
are used on research contracts. Figure (5)
Four types of contract Another way of overcoming the problem is to pay the contractor a fixed fee as a
percentage of the estimate, instead of a percentage of the out-turn. This is a cost reimbursable
contract. Figure 5 (c). The contractor can be motivated to control costs if paid a bonus for
finishing under budget, or charged a penalty if over budget. However, the parameters for the bonus
or penalty must be carefully set to ensure that the accepted risk is not beyond the contractor’s
control. Even without a bonus the contractor may be motivated to -control costs, as that increases
the percentage return. A related approach is target cost, Figure 5(d). The contractor is paid a fixed
price If the out-turn is within a certain range typically ± 10 per cent of the budget. If the
cost goes outside this range, then the owner and contractor share the risk at say 50p in
the pound. If the costs exceed the upper limit, the owner pays the contractor an extra
50p per pound of overspend and if the price is below the range the contractor reduces
the price. This is often used on development projects where there is some-idea of the
likely out-turn but it is not completely determined. The contractor may also share in the
benefits from the product produced.
(b) Risk is shared with subcontractors if it is within their sphere of control To
achieve this, back-to-back contracts are used: the clauses in the contract between owner
and contractor are included in that between contractor and subcontractors. I have come
across instances where the contractor feels squashed between two giants and accepts
quite severe clauses from the owner to win the work but believes that the subcontractors
will not accept them because they do not need the work. This often happens to
contractors on defence or public sector projects. The way to avoid this is to try to get
the subcontractors to make their contracts directly with the owner and use the owner's
power to pull the supplier into line. The supplier may not need the business from the
contractor but may have a better respect for the owner.
The third response to risk is to make an allowance for it by adding a
contingency. You can add an allowance to anyone of the five system objectives, but
typically there are two main approaches:
- make an allowance by increasing the time and/or cost budgets
-plan to change the scope by drawing up contingency plans should the identified risks
occur. Time And / Or Cost
You can either add the allowance as a blanket figure calculated through a
bottom-up approach as above or you can add it work element by work element. Either
way the project manager should maintain at least two estimates, a raw estimate without
contingency and an estimate with contingency. The former called the baseline is
communicated to the project team as their working “budget” and the latter to the owner
for the provision of money and resources. The project manager may also maintain two
further estimates the most likely out-turn the figure to which they are working and the
current estimate, which is the baseline with some contingency already consumed. The
reason for giving the project team the baseline or current estimate as their working
figure is that their costs will seldom be less than the estimate and will consume
contingency if it is given to them. The reason for communicating the estimate with
contingency to the owner is they want to budget for the maximum likely time and cost.
These are alternative methods of achieving the milestones. to be used in
different circumstances. The alternative plans mayor may not cost more money to
implement though presumably if they cost less it would be better to follow them in the
first place. On the extension to the steam system on the ammonia plant above. It was
shown how alternative plans were available should the valve shut tight shut partially
and not shut at all. The latter plans each would have cost more than the first which is
the one we followed although the second would have only been marginally more
However it is better to plan to eliminate the risk than to plan how to overcome it and it is better to plan how to overcome it than to increase the cost and extend
the duration to pay for it. Controlling Risk
Having identified ways of reducing risk you can implement a plan to control
the reduction. There are four basic steps in control:
- draw up a plan
- monitor progress against the plan
- calculate variances
- take action to overcome variances.
The Risk Management Plan
The risk management plan identifies the risk associated with a project the
means by which they have been assessed and the strategy for their reduction. A risk
item tracking form (Figure 6) provides a framework for r recording the relevant
information for each risk. The form which may be held in a spreadsheet or computer
- why the risk is significant
- what is to be done to reduce it
- when the risk will have its impact on the project
- who is responsible for resolving the risk
- how the reduction will be achieved
- how much it mil cost to resolve the risk. Monitoring Risk
The risks are then monitored on a regular basis (weekly fortnightly monthly or
at other predetermined intervals) to determine how far each risk has actually been
reduced. At each review the risk tracking forms arc sorted into their order of current
importance. A list of the most significant risks usually the "top-ten" is produced giving
rank this period rank last period and periods on the list.
Reassessment should be carried out whenever new risks are identified in the
course of risk monitoring. In addition, there should be explicit reassessment at key
milestones in the project and at transition between stages. The launch meetings for
subsequent stages are ideal media for this reassessment. All the above techniques are
used for reassessment. It is always easier to improve on an existing plan but there is the
disadvantage that new risks may be ignored. Figure (6)
Risk Item Tracking Form
TRIMAGI COMMUNICATIONS BV
RISK ITEM TRACKING FORM PAGE 1 OF 2 PROJECT
RISK NUMBER RISK IDENTIFIER NATURE OF RISK
CONTRACTUAL/MANAGEME NT/TECHNICAL / PER
IMPACT DATE: LIKELIHOOD SUBSIDIARY RISKS
ACTIVITY RISK IDENTIFIER
RISK IDENTIFIER RISK IMPACT
UKEUHOOD SCORE VL/L/M/H/VH
…/3 IMPACT AREA
RISK MONITORING MONTH RANK CODE
CODE LOW/MEDIUM/HIGH SEVERITY SCORE
…/15 Figure (6) Continued
Risk Item Tracking Form
TRIMAGI COMMUNICATIONS BV
RISK ITEM TRACKING FORM PAGE 2 OF 2 CORRECTIVE ACTION
DESCRIPTION PROPOSED/APPROVED RISK REDUCTION COST
REVISED DATE UKEUHOOD START DATE: CLOSURE
DATE: REVISED IMPACT
UKEUHOOD SCORE /3 LOW/MEDIUM/
HIGH SEVERITY SCORE
RISK SCORE SS *LS = …/5
…/15 IMPACT AREA :
MONTH ACTION TAKEN NEXT ACTION BY WHOM ISSUE : DATE : AUTHOR : APPROVED : ...
View Full Document
This note was uploaded on 01/13/2012 for the course BUS 611 611 taught by Professor None during the Spring '11 term at Ashford University.
- Spring '11