Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: CAIRO DEMOGRAPHIC CENTER RISK ASSESSMENT AND RISK RISK MANAGEMENT By Prof. Atef 1: Risk Definition Characteristics and Types 1: A risk is a potential problem, a situation that, if it materializes, will adversely affect the project. Risks that materialize are no longer risks, they are problems. All projects have risks, and all risks are ultimately handled. Some disappear, some develop into problems that demand attention, and a few escalate into crises that destroy projects. The goal of risk management is to ensure that risks never fall into the third category. There are four steps to managing risks : identify them, categorize them, mitigate them, and manage them. Identifying Risks If there is one risk that is universally the most dangerous for all projects, it is the following : Corporate management views the project manager’s risk analysis as alarmist and will not take the risks seriously until they materialize. The only way to mitigate this risk is to document all other risks, identify the actions you take, and keep a management informed, especially as the risk becomes more probable. It is only by stressing your risk analysis, by making explicit recommendations, and by insisting that management understand the risks that you can avoid having to say, “See, I told you so.” Common Risks Table (1) lists common risks that most projects will encounter, They form a starting point for developing a catalog of risks. However, the list is not exhaustive; most project managers will find several more risks that they can add, and project experience will tend to increase this number. When you are assessing the risks for your projects, always refer to a list such as this. Otherwise, you run the project management risk that not all project risks are identified. Table (1) Sample List of Risks Staff Risks Key staff will not be available when needed. Key skill sets will not be available when needed. Staff will be lost during the project. Equipment Risks Required equipment will not be delivered on time, Access to hardware will be restricted. Equipment will fail. Table (1) Sample List of Risks (Cont.) Client Risks Client resources will not be made available as required. Client staff will not reach decisions in a timely manner. Deliverables will not be reviewed according to the schedule. Knowledgeable client staff will be replaced by those less qualified. Scope Risks Requirements for additional effort will surface. Changes of scope will be deemed to be included in the project. Scope changes will be introduced without the knowledge of project management. Technology Risks The technology will have technical or performance limitations that endanger the project. Technology components will not be easily integrated. The technology is new and poorly understood. Delivery Risks System response time will not be adequate. System capacity requirements will exceed available capacity. The system will fail to meet functional requirements Physical Risks The office will be damaged by fire, flood, or other catastrophe. A computer virus will infect the development system. A team member will steal confidential material and make it available to competitors of the client. Categorizing Risks Categorizing There are numerous statistical methods for defining degree of risks, but the simplest categorization, and therefore the most effective, is to describe risks as extreme, high, medium, low, or minimal. The degree of risk depends upon two characteristics : the probability that the risk will occur, and the impact in the project if it does. Probability and impact are both categorized as high, medium, or low, and their relationship, as illustrated in Table (2) indicates the degree of risk. Consider two risks : that a team member will resign during the project and that a fire will consume the office, destroying the installation and all the work that has been done. Both risks are of medium degree. In the first case, although the probability is high, the impact is low : You assume that the team member will give adequate notice and can be easily replaced. The second risk has a high – in fact, potentially devastating – impact, but the probability is low and the risk is easily mitigated by ensuring proper off-site backup. You categorize risks so that you can identify those that are the most dangerous and therefore require the most attention. It is the extreme and high risks that need your attention first. Mitigating Risks Mitigating You mitigate a risk by reducing its probability, its impact, or both. Since every project is unique, so are the mitigating actions. However, some principles apply across projects and risks. Remove excuses: When the project depends on someone (such as a supplier, client, or line manager) to provide something (such as staff, equipment, or material) in accordance with a schedule, ensure that the provider knows the schedule, knows what is expected, and understands the consequences of a slippage. For major providers, such as the client, make up a schedule giving the exact dates when the project will require resources. If you are exact dates when the project will require client resources. If you are not able to give an exact date now, give a date by which you will be able to. Table (2) Categorization of Degree of Risk Probability Impact High High Medium Low Medium Low Extreme High Medium High Medium Low Medium Low Minimal You remove excuses by providing visibility into the project, an active process in which provides are forced to understand what is expected of them. For example, if you have ordered a piece of equipment with a two-month lead time to be delivered by a specified date, just putting a required date on the purchase order is not enough. Four weeks before delivery, call the sales representative to verify the schedule. Three weeks prior, call to clarify, for example, the power requirements. At two weeks, call to clear up a technical question. One week ahead of time, call to establish shipping procedures. With each call, of course, you will ask if there are any problems that could delay delivery, and you will emphasize how critical timely delivery is. After this series of calls, the supplier has no excuses to fall back on. There is no guarantee, of course, that the equipment will actually be delivered on time, but by actively reminding the supplier of the schedule, you have reduced the probability of a late delivery. Demand visibility : when the project depends in someone delivering something and there is a process that the provider must follow before delivery, you must understand at least the milestones of the process. For example, if a piece of equipment must be manufactured, identify the checkpoints in the manufacturing process, have the sales representative attach dates to each checkpoint, and call on those dates to ensure that the milestones have been met and there are no delays. If the process is repetitive, such as client review and approval of project documents, understand the process. What happens to a document when it is received? Who reviews it? How are individual reviews reconciled? Is there a final authority for approval? Who? What is the priority of the project for the reviewers? With this understanding you will be bale to suggest changes in the process that will speed things up if there are delays. Help people communicate :When there is a surprise, the project manger is frequently the last to know, even though the informal communications network (or "rumor mill") among team members and users contains various tidbits and snippets of information that provide inklings of problems to come. Helping people to communicate increases the probability that useful information will find its way to you. The communications network can provide advance warning that an employee is dissatisfied and looking elsewhere, that the performance of a system may be slower than required, that software components may not integrate smoothly, or that covert scope changes are being smuggled into the system. In other words, the rumor mill is a prime course of information about emerging risks.. The key rule to using the rumor mill is, "Don't shoot the messenger." No matter how painful the information, thank the deliverer; otherwise, like the jilted spouse, you will be the last to know. Plan fallbacks : If the technology does not perform adequately, what can be done to improve it? If a critical team member is lost to the project, how will those skills be replaced? If the building burns down, how does the project recover? Fallbacks are your plans for when the worst happens. Fallbacks must be capable of being put into action, either now or when they are needed, and they must be capable of being handled within the budget, schedule, and functionality of the project. If this is not the case, they are not fallbacks, they are wishes with nothing to anchor them but the fervent hope they will never have to be exercised. 2-1 : Risk Management Risk management is both a planning and a managing activity. It is not enough to set down some risks at the start of the project and then ignore them. You must manage them. Managing risks means continually re-evaluating the risks that have been defined and identifying new ones. There are three main mechanisms for managing risks : project; since they are only potential problems, they are lower in priority than real ones. Therefore to manage risks, you must ensure that they are an overt part of the project team's, and your, consciousness . All team members must be aware of the risks that have been identified and awake to situations that affect them. To keep risks visible, devote part of each tem meeting to a "risk review" in which the risks are addressed one by one, and team members are instructed to comment on any thing that affects each risk. The purpose of the risk review is not to take action, it is to identify what risks, if any, have changed. The risk review also uncovers new risks as team members become attuned to dangerous situations. Your project status report should include a section entitled "Risk Review" in which you report on risks that have become more, or less, probable or serious. By regularly reporting risks, you are also able to prepare management for unpleasant news so that it does not come as a surprise. Project manager reflection is thinking time apart from the daily activities of the project. Devote part of that thinking time to reviewing existing risks and identifying new ones. Prepare a risk management work sheet, similar to the one in Table (3). The sample work sheet contains a short name of the risk to be used in status reports or risk reviews, a longer description, and a table to track how the risk has changed. When a risk has been eliminated, enter "Resolved" under "Comments." The risk management work sheet keeps the risks visible. What If? OTHERS CLAIM THAT YOU HAVE OVERSTATED THE RISKS You may be faced with complacency on the part of the client or an unwillingness to plan for problems. This becomes serious when the client refuses to expend resources to mitigate a risk that you see as high or extreme. Actions Seek other, less expensive mitigation procedures that you can use to reduce the risk to some extent. Document your reasons for categorizing the risks as you did. State the probability and describe the impact in graphic terms. Present your analysis to the steering committee and request the resources you need to mitigate the risk. Table (3) Risks Management Worksheet Risk Management Worksheet Project : ___________________ Date : ___________ Short name of the risk : Description of the risk : Date Comments Probability Impact Degree If you are not given the resources you requested, alert your management to the danger and ask if they can apply leverage to the client. Plan the actions you will take if the risk materializes. You could be faced with a large number of high or ectreme risks, all of which require effort and action. You could also be led into mitigation procedures that are excessive, expensive, and timeconsuming. Actions If the risk assessments of others leads to a large number of high or extreme risks, ask the complainants whether they really believe the project is this risky and, if so whether it should be undertaken. Most people will back down and acknowledge that things are not as risky as they have made out. Honor the risk assessment from others who are knowledgeable, but do not be intimidated into abandoning your own view of the risk. You will encounter people who will claim, usually loudly, that a risk is "unacceptable" and cannot be mitigated expect by the most extreme safeguards. If your experience and that of others on your team tells you that this opinion is alarmist, respect the risk, but prepare your plans based on a more reasonable assessment. 2-2 : Identifying Risk And Risk Classification Risk can be defined as : hazard chance of bad consequence or loss exposure to mischance. This definition captures the essence of project risk, expect that it implies that things are only expected to go wrong. On projects some risks carry an inherent chance of profit ot loss, and some carry a chance of loss only. The former are called business risks and the latter insurable risks. Business Risks The majority of risks are business risks. That is true for any part of the operation, but especially for projects. On a project, business risk may include : response of the market to a product; inflation weather or the performance of technology and resources. The manager's role is to increase the chance of profit and reduce the chance of loss. However, the expectation is that on average the risks will turn out worse than better because although the likelihood of profit and loss may be the same the maximum, possible loss is very much greater then the maximum profit. The weather may be kind as often as it is unkind. However, bad weather can stop work completely or even destroy previous work, but good weather seldom allows work to proceed at double the normal pace. Insurable Risks Insurable risks lead to loss only, and are usually caused by external, unpredictable factors. These are called insurable. But it is not always possible to find a company to provide cover. For example, war and civil disturbance are insurable risks, but are excluded from most policies. Insurable risks fall within four areas : - Direct property damage - Consequential loss - Legal liability - Personal loss. Direct damage can be to the facility, or to plant and equipment being used in its delivery, and may be caused by fire, bad weather, or damage during transportation. Consequential loss is lost production arising from the facility's being unavailable due to direct property damage. It may be lost revenue or the cost of providing temporary cover. Legal liability may arise for damage to property or injury to a third party, or may be due to the negligence of others. It will also cover liability under a contract for the failure of the facility to perform either because it is late or because it fails to meet its specification. Finally, there is the risk that members of the team may suffer injury arising directly from their work on the project. Risk Management Risk management is the process by which the likelihood of risk occurring or its impact on the project id reduced. It has five steps : 1- Identify the potential sources of risk on the project. 2- Determine their individual impact, and select those with a significant impact for further analysis. 3- Assess the overall impact of the significant risks. 4- Determine how the likelihood or impact of the risk can be reduced. 5- Develop and implement a plan for controlling the risks and achieving the reductions. Identifying Risk One way of classifying risk is by where control of the risk lies. However, project managers must have the right mental attitude to risk, and expect risks where they are least expected. In that way they will be better able to respond to risks as they occur. They must also be aware that exposure to risk can vary throughout the project management life cycle. Classifying Risks There are five classifications of risk according to where control lies : 1 - External Unpredictable These are risks beyond the control of managers or their organizations, and are totally unpredictable. They can be listed, but we cannot say which will be encountered on a given project. They arise from the action of government, third parties or acts of God or from failure to complete the project due to external influences. Government or regulatory intervention can relate to supply of raw materials or finished goods, environmental requirements design or production standards or pricing. Many projects have been killed by the unexpected requirement to hold a public enquiry into environmental impact. Whether a change of government at an election falls in this or the following category is a moot point. Action of third parties can include sabotage or war, and acts of God are natural hazards such as an earthquake. Flood, or the sinking of a ship. Failure to complete can arise from the failure of third parities to deliver supporting infrastructure of finance, or finance, or their failure through bankruptcy, or a totally inappropriate project design. By their nature these risks are almost all "insurable risks." 2 - External Predictable Uncertain These risks beyond the control of managers or their organizations. We expect to encounter them, but we do not know to what extent. There is usually data that allow us to determine a norm or average, but the actual impact can be above or below this norm. Thereare two major types of risk in this category : the first is the activity of markets for raw materials or finished goods, which determines prices. Availability and demand: the second is fiscal policies affecting currency, inflation and taxation. However they also include operational requirements such as maintenance, environmental factors such as the weather, and social impacts – which are all business risks. 3 - Internal Technical These risks arising directly from the technology of the project work of the design construction or operation of the facility or the design of the ultimate product. They can arise from changes or from a failure to achieve desired levels of performance. They can be 'business" or "insurable risks" although in the latte case the risk is borne by the parent organization, not by an outside insurance company. (The premium paid is the investment in other products which far exceed expectations). 4 - Internal Non-Technical These are risks within the control of project managers, or their organizations, and are non-technical in nature. They usually arise from a failure of the project organization or resources (human material or financial0 to achieve their expected performance. They may result in schedule delays cost over-runs or interruption to cash flow. These are usually "business" risks. 5 - Legal Legal risks fall under civil and criminal law. Risks under civil law arise from contractual arrangements with clients, contractors or third parties from licences, patent rights contractual failure or force majeure (a unilateral claim by one party to a contract) Risks under the criminal law are duties imposed on both the owner and contractor. Under the Health and Safety at Work Act 1974. All employers not just in the engineering industry have a duty of care for their employees and for the public. Therefore, project managers their employers (the contractors) and design teams can be held responsible if their negligence causes injury to any of the parties involved with the project including the project team while working on the project users while operating the facility and consumers using the product produced by the facility. There have been successful prosecutions in the engineering industry. I am unaware of a software error leading to injury of a user or consumer but with some of the modern uses of computer systems programmers must be aware of this risk. I worked with programmers on . an an air traffic control system who are concerned about their liability Techniques for Identifying Risk There are five techniques for identifying risk. They are listed separately but are in practice used interactively : Expert Judgment uses personal intuition and awareness. This is the simplest technique, but is sufficient only on the simplest projects. The use of checklists against the categories identified above can help. Plan Decomposition shows risks inherent in the interdependency of work. Any event that lies at the start or completion of many activities is a potential risk. These occur at bottlenecks in the network. When analyzing the plan you should also look at all external interfaces such as external supply, for potential failure of third parties. Assumption analysis is win/lose analysis and focuses on events that might be detrimental considering both events we want to occur but may not and events we do not want to occur but may. Expert judgment is needed to foresee these events and check for completeness. Table (4) contains an assumption analysis on the purchase of a computer system. Decision drivers are influences that might determine whether or not certain events may occur (inside and outside the project) Win/lose analysis can be used to derive the list of decision drivers. It can be particularly damaging if decisions are made for the wrong reason : political versus technical marketing versus technical, solution versus problem, short term versus long term, new technology versus experience. . Brainstorming uses social interaction to enhance the above techniques Expecting the Unexpected he secret of clear risk identification is to be able to predict possible causes of divergence from plan. It is the experience of many people that failure occurs on a project where they least expect it. This is known as Sad's Law or Murphy's Law. It is sometimes stated as : if something can go wrong it will; if something can't go wrong it will! Table (4) Win / Lose Analysis for the Purchase of a Computer System System offered vs system specified Winners Losers Quick cheap product Developer User Sponsor Lots of nice to haves Developer Sponsor User Driving too hard a bargain Sponsor Developer User The value of this attitude is that if you expect things to go wrong you will be on your guard for problems, and will be able to respond quickly to them. The failures may be ones you had predicted or ones you least expect. If you anticipate problems, and plan appropriate contingency, you will not be disrupted when those problems occur. If the unexpected then also occurs, you will be able to focus your management effort into the areas that might now cause greatest disruption. This attitude of expecting risks and being ready to respond is sometimes known as risk thinking. To some people it comes naturally; others require structured, logical processes of risk identification and analysis to support their response. The Top-Down Approach The top-down approach can provide managers with checklist of potential risk factors based on previous experience and can help them to determine each risk's relative importance. Furthermore, by identifying the controlling relationships at a high level it enables project managers to find ways of eliminating the most severe risks from their projects Table (5) Project To Erect A Warehouse No Name Of Work Package Preceding Duration Package (Months) A Design building and foundations 3 B Prepare site and foundations A 2 C Procures steelwork A 2 D Erect steelwork B.C 2 Figure 1 is the top-level network for a simple project to build a warehouse. There are four packages of work (Table 5). Assuming end-to-start dependencies only, the duration of the project is seven months. It might be possible to fast track the project by overlapping work packages. However let us assume that, that is impossible on the path A-C-D: it is not possible to buy the steel untill the design is finished and because all the steel will arrive at once erection cannot begin until the steel has arrived. It might be possible to start work on the site before the design is finished, but there is no need because the duration will be determined by the delivery of the steel. Variation Of Risk With The Project Management Life Cycle Like quality the impact of risk varies throughout the project management life cycle. The later in the cycle risks occur, the more expensive are their consequences, but to counteract that, the less likely they are to occur. Risk can be reduced at the design stage by choosing a proven design rather than an untested one, or during the implementation stage by choosing proved methodologies. Whenever novelty is introduced the risk of failure grows throughout the life of the project. Isolating Risk In The Work Breakdown Structure Similarly, it is usually possible to isolate risk in the work breakdown structure by identifying it as being associated with a certain part of the project. 3 – RISK ASSESSEMENT Having identified possible sources of risk to the project, we need to calculate their impact on the project. First we calculate the impact of individual risks, and then determine their combined impact. The Impact Of Risk The Impact of a risk factor depends on Its likelihood of occurring and the consequence if it does occur : Impact of risk = (Likelihood of risk) * (Consequence of risk) To illustrate this concept, consider the question of whether buildings in Aswan have earthquake protection. The answer is very few or none have. The consequence of an earthquake of force 8 on the Richter Scale would be severe loss of life, however the probability (likelihood) of such an earthquake is so small, virtually zero, that it is considered unnecessary to take any precautions in ordinary buildings. But Aswan Resivor and Aswan Dam do have earthquake protections. The likelihood of an earthquake is the same but the consequences of that risk occurrence are unacceptably high income of the resivor and the dam. 3-1 : Risk Assessment of Several Risks Combined. A Case Study It is a rare project that has only a single source of risk, so to determine the total impact of risk on a project the elements must be combined. If we include all possible sources of risk into the model, it will become impossibly complicated, and so we limit our attention to the significant few, the 20 per cent that have 80 per cent of the impact. The work breakdown structure is a key tool in this integration of the risk. In practice there are two approaches: - a top-down approach in which key risk factors are identified and assessed at a high level of work breakdown, and managed out of the project - a bottom-up approach. in which risks are identified at a low level of work breakdown, and an appropriate contingency made to allow for the risk Now let us consider the risks. Let us assume that the project will start at the beginning of September, after the summer vacation. The risks are as follows: 1- The design of the building may take more or less than three months. From previous experience we may be able to say it will take two, three or four months with the following probabilities: -2 months: 25 per cent -3 months: 50 per cent -4 months: 25 per cent Hence it may be finished as early as the end of October, or may stretch to the end of December. 2- The site cannot he prepared if there is snow on the ground. Snow occurs in four months of the year with the following probabilities : -December: 25 per cent -January: 25 per cent - February: 50 per cent -March: 25 per cent The duration of this work package is dependent on when it starts if it starts in October, it will take only two months; if it starts in November, it will have the following range of durations (see Figure 2) -2 months: 75 per cent -3 months: 19 per cent -4 months: 3 per cent -5 months: 2 per cent -6 months: 1 per cent There will be similar tables if the work were to start in December or January, but with the probabilities weighted towards the longer durations. In some circumstances the preparation of the sire will become critical. Now it may be worth while trying to fast track the design of the foundations. If the design could be completed by the end of September, we could eliminate this risk entirely. If it is finished by the end of October, there is a 75 per cent chance of the work being finished on time. If the start of this work is delayed to December, there is only a 50 per cent chance. The choice will depend on the cost of fast tracking the design of the foundations. There will be additional financial charges if this work is completed early, it is unlikely that the cost of the design will be greater per se, but there is a risk of re-work as described in identifying risk above. In the event you may actually make the decision on the day depending on how the design of the steelwork is progressing. and other factors below. 3 - There may be two possible suppliers of steelwork : the more expensive one can deliver in one month or two months with equal probability; and the cheaper in two months or three months also with equal probability. The delivery time therefore has the following distribution: -I month: 25 per cent -2 months: 50 per cent -3 months: 25 per cent On the face of it this appears the same as the design. However, the power of this top-down approach is you can decide what to do on the day when you know how long the design has taken and how you are progressing with the foundations. To understand this we need to address the fourth risk. 4. This is that the steelwork cannot be erected if there are strong winds, and these occur with the following probability: - February: 25 per cent -March: 50 per cent The duration of this work will also depend on when it starts as with preparing the site. However, what we can see is that if the design work finishes at the end of October then it will be better to use the more expensive supplier. There will then be a 50 percent chance that erection can begin in December and finish in January without any delay, or a 50 per cent chance that it will begin in January, in which case it will finish in February with a 75 per cent chance. This is of course dependent on the foundations being ready, and so if it looks as though the steelwork design will be completed early then it will be worth while fast tracking the foundations. On the other hand, if the design takes four months, it would he better to use the cheaper supplier and just plan to start erecting the steelwork in April saving on extra cost of of the foundations and on having erection fitters standing idle. This simple case shows that the top-down approach allows you to analyse the interrelationships between elements of risk, and management decisions based on that analysis and the actual out-turn. Following a top-down approach, you are able to develop additional detail in some areas. In the case above, for instance you could introduce a lower level of work breakdown to find out how to fast track the design of the foundations to reduce the risk. That requires the design to be broken into smaller packages of work subject to strict design parameters at the top level. Influence Diagrams Influence diagrams are tools - derived from a systems dynamics approach -that can assist a top-down analysis. They show how risks influence one another: some risks reinforce others (+), and some reduce others (-). Figure 3 is an example of an influence diagram. The power of the technique is to identify loops of influence. “Vicious cycles” have an even (or zero) number of negative influences, and “stable cycles” an odd number. In Figure 3 loop ADEKLIBA is vicious, and loop ADEGHJIBA is stable. In “vicious cycle” an externally imposed influence can be amplified indefinitely. The Bottom-Up Approach The bottom-up approach analyses risk at a low level. It can identify several critical paths, and calculate a range of outcomes for cost and duration to enable the project manager to allow appropriate contingency. However, it is essentially a negative approach to risk, as it assumes that risk elements are beyond the control of managers. It does nothing to help the manager to quantify or convey information for developing an appropriate management response to reducing or eliminating risk. The approach develops a detailed project model at a low level of breakdown. Variable durations and / or costs are assigned to work element, as in the above example. However, at a low level it is not possible to calculate the various outcomes manually, as they were above. Instead, we perform a Monte Carlo analysis. The project model is analysed many times: 100 to 10 000 is typical depending on the size of the model. Each time a random number is drawn for each parameter for which there is a range of values, and a value selected accordingly. (This makes the simplifying assumption that the risk elements are unrelated which may not be the case -see Figure 3). The cost and duration are then calculated using those values and a range of possible outcomes calculated for the project. Effectively, the project is sampled however many times the analysis is performed. The results of the Monte Carlo analysis are presented as a probability distribution for time cost or both. This may be a simple or cumulative distribution. Figure 4 shows both distributions for the duration of the warehouse project. assuming the logic given in Table 5. For this simple case, the critical path may go through either A-BD or A-C-D, and the duration can be anything from 6 to II months. The likelihood that either or both of the routes will be the critical path is: Critical path: A-B-D Both A-C-D Likelihood: 52% 24% 24% Figure (3) Influence Diagram With a project this small it is just possible to calculate these numbers by hand. With anything larger the figures have to be determined using a Monte Carlo analysis. From this we see that the median outcome is eight months (half the time the duration will be this or less) and that 90 percent of the time the duration will be less than nine months. The most likely duration (the mode) is nine months. If a nine month duration is acceptable, we may accept these figures. If not, we would need to shorten the project. The critical path figures show that the most useful effort may be put into shortening AB-D, and that may suggest fast tracking the design of the foundations. However, from this we do not see the effect of the two suppliers. That can only be analysed by the topdown approach. Accounting for Increased Costs or Reduced Revenues Monte Carlo analysts can also be applied to the costs and revenues of a project, to produce a range of likely returns. However, with the costs and revenues, the risk can be accounted for directly by allowing a contingency. Communicating the Risk Analysis The ultimate purpose of the risk model is to communicate the analysis to all the parties involved with the project: - to the owners for them to assess its value - to the champions, so they can give their support and commitment to the project - to the project managers so that they can develop their project strategies and perform what-if analyses - to the integrators, to enable them to manage the risks during implementation - to people joining the project at a later time so they know what assumptions have been made - to the users so that they know the commitments they are making. To be an effective communication tool, the model must be simple, robust, adaptable and complete. Achieving this requires considerable effort. Structuring the model in order to achieve these requirements can take 60 per cent of the total effort of risk analysis. 4 - REDUCING RISK Having identified and assessed the risk you are in a position to consider ways of reducing it. There are three basic approaches: - avoidonce: having identified the risk, you replan to eliminate it - deflection : you try to pass the risk on to someone else - contingency: you take no action in advance of the deviations occurring other than to draw up contingency plans should they occur. Pym and Wideman use an analogy of a man being shot at. He can take cover to avoid the bullets: he can deflect them using a shield or divert the bullets by placing someone else in the firing line: or he can allow them to hit him and plan to repair the damage. Avoidance The warehouse project above showed how to avoid the risk of snow holding up the preparation of the foundations by starting the work early enough so that it is finished before the snow comes. Under avoidance you change the plan for anyone of the five system objectives or any combination of them to reduce the risk or eliminate it entirely Deflection There are three ways of deflecting risk: - through insurance: by which it is passed on to a third party - through bonding: by which a security is held against the risk - through the contract: by which it is passed between owner. contractor and subcontractors. Insurance : A third party accepts an insurable risk for the payment of a premium. which reflects the impact of the risk the likelihood combined with the consequence. Bonding : One or both parties to a contract deposit money into a secure account so that if they or either party defaults the aggrieved party can take the bond in compensation. This is a way of transferring the risk of one party defaulting to that organization. Contract : Through contracts the risk is shared between owner contractor and suhcontractors. There are two common principles of contracts: (a) Risk is assigned to that pony most able and best motivated to control it. There is no point passing risk onto a contractor or subcontractor if neither has the power or the motivation to control it. The Institution of Civil Engineers is currently revising its standard forms of contract around this principle. There are four styles of contract for different approaches to sharing risk: - fixed price - cost-plus - cost reimbursable - target cost. Under fixed price contracts. Figure 5(a) the contractor accepts all the risk by taking a fixed fee for the work regardless of how much I it costs. It is assumed that the owner has completely specified the requirements and as long as they do not change the contractor can meet a given price. This approach is adopted for turnkey contracts, where the contractor takes full responsibility and delivers to the owner an operating facility. The owner has no role in its construction. Often in fixed price contracts the owner and contractor haggle over every change arguing over which one of them caused, it and whether it is Within the original specification. When the owner cannot specify the requirements, the contractor should not accept the risk, but it should be borne by the owner. The simplest way is through costplus contracts, Figure 5(b). The owner refunds all the contractor’s costs and pays a percentage as profit. The disadvantage is that the contractor is still responsible for controlling costs, and yet the higher the costs the higher the profit. This is a recipe for disaster as the party responsible for control is not motivated to do it; in fact the exact opposite. It is possible to adopt strict change control and that passes responsibility for controlling costs back to the owner, but can lead to strife. Typically cost-plus contracts are used on research contracts. Figure (5) Four types of contract Another way of overcoming the problem is to pay the contractor a fixed fee as a percentage of the estimate, instead of a percentage of the out-turn. This is a cost reimbursable contract. Figure 5 (c). The contractor can be motivated to control costs if paid a bonus for finishing under budget, or charged a penalty if over budget. However, the parameters for the bonus or penalty must be carefully set to ensure that the accepted risk is not beyond the contractor’s control. Even without a bonus the contractor may be motivated to -control costs, as that increases the percentage return. A related approach is target cost, Figure 5(d). The contractor is paid a fixed price If the out-turn is within a certain range typically ± 10 per cent of the budget. If the cost goes outside this range, then the owner and contractor share the risk at say 50p in the pound. If the costs exceed the upper limit, the owner pays the contractor an extra 50p per pound of overspend and if the price is below the range the contractor reduces the price. This is often used on development projects where there is some-idea of the likely out-turn but it is not completely determined. The contractor may also share in the benefits from the product produced. (b) Risk is shared with subcontractors if it is within their sphere of control To achieve this, back-to-back contracts are used: the clauses in the contract between owner and contractor are included in that between contractor and subcontractors. I have come across instances where the contractor feels squashed between two giants and accepts quite severe clauses from the owner to win the work but believes that the subcontractors will not accept them because they do not need the work. This often happens to contractors on defence or public sector projects. The way to avoid this is to try to get the subcontractors to make their contracts directly with the owner and use the owner's power to pull the supplier into line. The supplier may not need the business from the contractor but may have a better respect for the owner. Contingency The third response to risk is to make an allowance for it by adding a contingency. You can add an allowance to anyone of the five system objectives, but typically there are two main approaches: - make an allowance by increasing the time and/or cost budgets -plan to change the scope by drawing up contingency plans should the identified risks occur. Time And / Or Cost You can either add the allowance as a blanket figure calculated through a bottom-up approach as above or you can add it work element by work element. Either way the project manager should maintain at least two estimates, a raw estimate without contingency and an estimate with contingency. The former called the baseline is communicated to the project team as their working “budget” and the latter to the owner for the provision of money and resources. The project manager may also maintain two further estimates the most likely out-turn the figure to which they are working and the current estimate, which is the baseline with some contingency already consumed. The reason for giving the project team the baseline or current estimate as their working figure is that their costs will seldom be less than the estimate and will consume contingency if it is given to them. The reason for communicating the estimate with contingency to the owner is they want to budget for the maximum likely time and cost. Contingency Plans These are alternative methods of achieving the milestones. to be used in different circumstances. The alternative plans mayor may not cost more money to implement though presumably if they cost less it would be better to follow them in the first place. On the extension to the steam system on the ammonia plant above. It was shown how alternative plans were available should the valve shut tight shut partially and not shut at all. The latter plans each would have cost more than the first which is the one we followed although the second would have only been marginally more expensive. However it is better to plan to eliminate the risk than to plan how to overcome it and it is better to plan how to overcome it than to increase the cost and extend the duration to pay for it. Controlling Risk Having identified ways of reducing risk you can implement a plan to control the reduction. There are four basic steps in control: - draw up a plan - monitor progress against the plan - calculate variances - take action to overcome variances. The Risk Management Plan The risk management plan identifies the risk associated with a project the means by which they have been assessed and the strategy for their reduction. A risk item tracking form (Figure 6) provides a framework for r recording the relevant information for each risk. The form which may be held in a spreadsheet or computer database describes: - why the risk is significant - what is to be done to reduce it - when the risk will have its impact on the project - who is responsible for resolving the risk - how the reduction will be achieved - how much it mil cost to resolve the risk. Monitoring Risk The risks are then monitored on a regular basis (weekly fortnightly monthly or at other predetermined intervals) to determine how far each risk has actually been reduced. At each review the risk tracking forms arc sorted into their order of current importance. A list of the most significant risks usually the "top-ten" is produced giving rank this period rank last period and periods on the list. Risk Reassessment Reassessment should be carried out whenever new risks are identified in the course of risk monitoring. In addition, there should be explicit reassessment at key milestones in the project and at transition between stages. The launch meetings for subsequent stages are ideal media for this reassessment. All the above techniques are used for reassessment. It is always easier to improve on an existing plan but there is the disadvantage that new risks may be ignored. Figure (6) Risk Item Tracking Form TRIMAGI COMMUNICATIONS BV RISK ITEM TRACKING FORM PAGE 1 OF 2 PROJECT WORK PACKAGE ACTIVITY RISK NUMBER RISK IDENTIFIER NATURE OF RISK SOURCE CATEGORY EU/EP/lT/lN/L TYPE BUSINESS/INSURABLE CONTRACTUAL/MANAGEME NT/TECHNICAL / PER SONNEL DESCRIPTION: IMPACT DATE: LIKELIHOOD SUBSIDIARY RISKS ACTIVITY ACTIVITY RISK IDENTIFIER RISK IDENTIFIER RISK IMPACT SEVERITY: UKEUHOOD SCORE VL/L/M/H/VH …/3 IMPACT AREA SCHEDULE COST PERFORMANCE: RISK MONITORING MONTH RANK CODE CODE CODE LOW/MEDIUM/HIGH SEVERITY SCORE RISK SCORE SS*LS= …/5 …/15 Figure (6) Continued Risk Item Tracking Form TRIMAGI COMMUNICATIONS BV RISK ITEM TRACKING FORM PAGE 2 OF 2 CORRECTIVE ACTION DESCRIPTION PROPOSED/APPROVED RISK REDUCTION COST RESPONSIBLE MANAGER REVISED DATE UKEUHOOD START DATE: CLOSURE DATE: REVISED IMPACT SEVERITY VL/L/M/H/VH UKEUHOOD SCORE /3 LOW/MEDIUM/ HIGH SEVERITY SCORE RISK SCORE SS *LS = …/5 …/15 IMPACT AREA : SCHEDULE : COST : PERFORMANCE : MONTH ACTION TAKEN NEXT ACTION BY WHOM ISSUE : DATE : AUTHOR : APPROVED : ...
View Full Document

This note was uploaded on 01/13/2012 for the course BUS 611 611 taught by Professor None during the Spring '11 term at Ashford University.

Ask a homework question - tutors are online