2. Risk & Risk Management
• A risk is "an uncertain event or condition
that, if it occurs, has a positive or negative
effect on a project's objectives."
• Risk management includes for
identification of risks, assessment of risks
in terms of likelihood and consequences /
impacts, and defining responses to
issues.
3. Project Risk
• An uncertain event or condition that if it
occurs has a positive or negative effect on
at least one project objective such as time,
cost, scope, quality (safety).
• Risks have a cause and an impact.
4. “Risk Speak”
• As a result of:
• a [DEFINITIVE CAUSE],
• an [UNCERTAIN EVENT (Risk)] may
occur,
• which would lead to [EFFECT/IMPACT
ON OBJECTIVES].
6. Risk is Perception
Risk is often in the eye of the beholder and
is a personnel perception.
This is linked to the following:
• Attitude (which drives)
• Behaviour (which leads to)
• Consequences
and the risk ‘appetite’ of a firm/individual
10. YES
What can happen?
When & where?
How & why?
TREAT RISKS
COMMUNICATE&CONSULT
MONITOR&REVIEW
Internal Context
External Context
Risk Management Context
Develop Criteria
Define Structure
ESTABLISH THE CONTEXT
IDENTIFY RISKS
ANALYSE RISKS
Compare against Criteria
Set Pririties
NO
Identify existing controls
Determine
Consequences
Determine
Likelihood
Determine Level of Risk
EVALUATE RISKS
Identify options
Assess Options
Prepare & Implement Plans
Analyse / evaluate residual risk
Treat
Risks
11. Essential Questions
• WHAT
• WHY
• WHEN
• HOW
• WHERE
• WHO
I keep six wise serving men.
(They taught me all I knew).
There names are What & Why & When,
and How & Where & Who
(Rudyard Kipling 1902)
13. RISK PLANNING - WHAT
• Enterprise Environmental Factors – structure, culture,
resources, market conditions, PMIS
• Organisational Processes – Assets, Policies &
Procedures.
• Scope & any legal regulatory, physical, time, constraints.
• Consider business needs for the project.
• WHYIdentifies who has to what and when and at what
cost (budget for risk required). Enables focused rational
communication with others. Describes and approach to
be made
14. RISK PLANNING -WHY
• Identifies who has to do what and when
and at what cost (budget for risk required).
• Enables focused rational communication
with others.
• Describes risk management and approach
to be made
15. RISK PLANNING -WHEN
• Prior to commencement and ongoing as
part of monitoring & control.
• New situations or changes during project.
• Risk plan for formal risk review/risk
activities through project lifecycle.
16. RISK PLANNING -HOW
• Approach to be adopted – new, existing
registers. Depends on size, complexity
‘newness’ of project and project team.
Tools and techniques to be used.
• Definitions of probability and impact to be
used in RM.
• Communication and consultation with
Stakeholders.
17. PLANNING -WHERE
• Location of initial meetings, internal and
external reviews.
• On or off site
• Consider Client and contractors who either
input direct or through documents, joint
workshops etc .depending on situation.
18. RISK PLANNING -WHO
• Participants required, stakeholders or
stakeholder needs.
• Based on knowledge, experience,
expertise,
• Client and contractors to either input direct
or through documents, joint workshops
etc.
19. RISK PLANNING - DELIVERABLES
• RISK MANAGEMENT PLAN
• RISK BREAKDOWN STRUCTURE (RBS).
• Definitions of probability (likelihood) and Impact
(consequences).
• Risk Context :Client / Contractor / Consultant etc,
Internal / External
• Risk categories : Technical, External, Organisational,
Project Management (Estimates of Time / Cost),
Legal/Contract, Reputation, Safety, Quality,
Environmental as per RBS.
• Organisation Risk Manual so set ‘policy’/ protocol/
organisation rules, roles & responsibilities.
20. Risk Management Plan (Contents)
• Introduction – project background and description; philosophy
• Risk Methodology (Tools & Techniques)
• Roles & Responsibilities
• Information & Communication protocols
• Training required
• Budget
• Timing (Schedule)
• Risk Categories – RBS
• Definitions of probability & impact
• Probability / Impact Matrix & High, Medium, Low definition
• Tolerances with respect to risk categories and any predefined
actions required.
• Report Formats – registers, tracking, reports, change.
21. RISK IDENTIFICATION
Identification of risks affecting, or that may
affect the project, in a systematic manner.
Identification of what, where, when, why
and how events could prevent, delay or
enhance the achievement of the objectives.
22. RISK IDENTIFICATION - WHAT
• What can happen - the effect – the RISK.
Use of EFFECT & CONSEQUENCE to
define RISK rather than risk definition first.
• Definition is important so that it is clear
and not ambiguous.
23. RISK IDENTIFICATION - WHY
• Enables ‘definitions’ to be established so
risks are described properly and not
repeated in different guises using different
descriptors.
• Beware that a rsik is confused with cause.
24. RISK IDENTIFICATION - WHEN
• During initial planning once the plan has
been formulated.
• Plus when risks can happen during the
project life cycle (project phases,
construction, O&M, factory, delivery,
handover etc).
26. RISK IDENTIFICATION - HOW
Tools & Techniques based on:
• Information Gathering Techniques:
• Brainstorming
• Comprehensive Listings
• Delphi
• Interview
• Root Cause determination
• SWOT
• Historical records Checklists
• Questionnaires
• Pre Mortem
• Affinity diagram
• Nominal group Technique
27. RISK IDENTIFICATION - HOW
Checklist Analysis
Assumptions Analysis
Diagramming
• Cause & Effect
• Flow Charts
• Influence diagrams
32. QUALITATIVE ANALYSIS
To develop an understanding and a
prioritisation of risks so that decisions may
be made regarding the acceptance of risks,
or actions to be taken to mitigate such risks.
ID and evaluate existing controls.
Determine consequences & likelihood of risk
plus range of potential consequences
(sensitivity).
33. Evaluation / Ranking
LIKELIHOOD CONSEQUENCE
Insignificant Minor Moderate Major Catastrophic
Almost Certain Significant Risk Significant Risk High Risk High Risk High Risk
Likely Moderate Risk Significant Risk Significant Risk High Risk High Risk
Moderate Low Risk Moderate Risk Significant Risk High Risk High Risk
Unlikely Low Risk Low Risk Moderate Risk Significant Risk High Risk
Rare Low Risk Low Risk Moderate Risk Significant Risk Significant Risk
34. QUALITATIVE ANALYSIS - WHAT
• Determine the negative consequences of IDd
risks in the context of likelihood and probability
with respect to the Project and its Scope.
• Use of past records, experience, research,
prototypes, assumptions, ‘tailored’ scales and
matrices of probability & impact.
• Information and records are key – Market
factors, industry norms and range, experience of
others, public consultation, economics and
economic trends, government legislation
/planning, etc
35. QUALITATIVE ANALYSIS - WHY
• So informed decisions may be made.
• Initial screening of risks to identify ‘High
Risks’ and allow management to focus on
higher risks and allocate appropriate
resource.
• WHENAt commencement.Initial part of
prioritising risk prior to qualitative
Analysis.If there are no hard and fast data
regarding time / cost.
36. QUALITATIVE ANALYSIS - WHEN
•At commencement of the Project
•As part of prioritising risk prior to
Quantitative Analysis.
•If there are no hard and fast data regarding
time / cost thereby obviating any quantitative
analysis.
37. QUALITATIVE ANALYSIS - HOW
• INFORMATION / RISK REGISTER
• ID TEAM TO ANALYSE RISKS
• ASSUMPTIONS RECORDED
• PROBABILITY / IMPACT SCALES
• CARRY OUT ANALYSIS
• DETERMINE RISKS AND CATEGORIES
• DOCUMENT ANALYSIS
• IDENTIFY ANY TRENDS
• DECISIONS AND CATEGORISATION
• INPUT TO QUANTITATIVE ANALYSIS
38. QUALITATIVE ANALYSIS - HOW
• Structured Interviews with Experts.
• Multi – disciplinary groups
• Questionnaires
• Models & Simulations
• 3x3 and 5X5 or 10x10 matrices.
• Thresholds, risk ranking / scoring
39. QUALITATIVE ANALYSIS - WHERE
• Off site to create a working environment to
focus on risks.
• On site during specific focussed
workshops
40. QUALITATIVE ANALYSIS - WHO
• Project Manager
• Experts
• All involved disciplines and those involved
with interfaces etc.
• IDd Risk Owners / Managers
• Team Members / Contributors
• Facilitators.
41. QUALITATIVE ANALYSIS
• “I know my business” does not make the risks low;
Firms / individuals with a greater risk appetite still need
to be aware of risk and at least take a pragmatic /
realistic approach so appropriate reaction may be made
in a timely manner.
• It can’t happen to me. Bad things happen to others.
• Pushing through bids to win work – site will sort it out –
we have experienced people.
• ID Impact / Severity and Probability / Likelihood rather
than High, Medium, Low to move away from group think
as to LOW (optimistic) or HIGH (pessimistic)
43. QUANTITATIVE ANALYSIS
Numerical analysis of risk with probability
expressed as a number or percentage and
impact as a definitive cost/delay
A means of prioritising risks that have been
categorised qualitatively.
44. Quantitative Analysis
Cost Probability
Total cost Cumulative FrequencyLine Graph
-
0.10
0.20
0.30
0.40
0.50
0.60
0.70
0.80
0.90
1.00
405 410 415 420 425 430 435 440 445
Total cost (value)
Probability
Total cost frequency distribution
-
0.02
0.04
0.06
0.08
0.10
0.12
0.14
0.16
0.18
0.20
407.33
409.68
412.04
414.39
416.74
419.10
421.45
423.80
426.16
428.51
430.86
433.22
435.57
437.92
440.28
442.63
444.98
447.34
449.69
452.04
Total Cost (value)
Probability
45. QUANTITATIVE ANALYSIS -WHAT
• Decide upon which risks which require a
response.
• Risk Register indicates ‘high priority’ risks
based on ranking.
• Focus can be on commercial / business
exposure and ranking projects on basis of
risk.
• OR schedule
• OR performance
46. QUANTITATIVE ANALYSIS - WHY
• Determining risk exposure in tangible and
business terms so that management time
and effort is focussed on areas of greatest
risk (Business / Commercial) in order to
decrease overall project risk.
48. QUANTITATIVE ANALYSIS - HOW
• Convert probability and impacts into numerical values.
Use of expert judgement, guesstimates (educated
guesses) based on experience, historical data, industry
data, corporate knowledge.
• Tools include
1. Monte Carlo Analysis (Cost & Time)
2. Risk Management Software (Cost & Time)
3. Precedence Diagram (Time)
• Also use interviews, sensitivity analyses, EMV and
decision trees.
• Tornado Diagram
50. QUANTITATIVE ANALYSIS - WHO
• Expert input for input parameters and
review of outputs.
• Specialist software users.
51. QUANTITATIVE ANALYSIS
• Semi quantitative can be carried out if
cost/time not known exactly.
• Probability / Impact is based on time
frequency ranges and impacts in terms of
money/accident time etc.
• Accident severity is linked to financial loss.
• Monte Carlo simulations aid semi-
quantitative analysis when ranges
ID’d/guessed
52. RISK RESPONSE PLANNING -
• Determining strategy(s) and techniques for
dealing with risk.
• Evaluate estimated risk levels against pre-
established criteria and consider balance
between potential benefit vs adverse outcome
so decisions as to extent and nature of treatment
required and priorities.
• Plan for implementation of specific cost-effective
strategy and action plans to increase
benefit/reduce costs.
53. RISK RESPONSE PLANNING - WHAT
• Prioritised risks ranking. Identification of risks
within Risk thresholds, Risk Owners and
allocation of management responsibility,
financial authority.
• Contingency plans, fallback positions.
Secondary risks.
• Creation of reserves (time, cost, resources (just
in case)
• Go / No Go decisions with respect to certain
risks and action required.
54. RISK RESPONSE PLANNING - WHY
• So that appropriate plans can be made in
advance and sufficient funds etc may be
made available to respond to risk.
• Appropriate insurances or methodologies
may be adopted to reduce risk exposure.
• Selection of the appropriate choice to deal
with risks.
55. RISK RESPONSE PLANNING - WHEN
• Prior to awarding contracts.
• Prior to execution
• Prior to new activities
56. RISK RESPONSE PLANNING - HOW
• Four main methods are adopted depending on
risk rating:
• TERMINATE / AVOID - Activity is not carried
out.
• TRANSFER / ALLOCATE - Insurance, warranty,
guarantees
• TREAT / MITIGATE - Choose a specialist
supplier, build in redundancy, adopt a JV partner
• TAKE / ACCEPT - As part of regular operations
and dealt with through organisational capability
or specific operating procedures
61. RISK MONITORING & CONTROL
Monitor the effectiveness of all steps of Risk
Management Process so that risks are
treated effectively.
Any underestimates/overestimate of risk
may be identified and appropriate changes
to the plan implemented.
62. RISK MONITORING & CONTROL - WHAT
• Assess – Treat – Monitor - Assure
• Monitoring physical execution of a project,
identification of any adverse trends.
• ID of key metrics. “Cannot manage what
you don’t measure”.
• Trends – emerging issues and change ID
• Reviews of risk handling
63. RISK MONITORING & CONTROL - WHY
• Early identification of trends.
• Avoidance of risk
• Time implementation of a risk response
plan prior to risk becoming an issue
64. RISK MONITORING & CONTROL - WHEN
• Continuous to monthly to quarterly
depending on circumstances.
• At Project Phase Completion /Gateways
• On commencement of new activities
(utilising lessons learnt for repeat
activities)
65. RISK MONITORING & CONTROL - HOW
• Monitoring and measurement of key metrics.
(Rates of progress, EVM – not just money but
drawings/recruitment/materials placement etc,
NCRs)
• Definition of Trigger Levels, Thresholds,
Variance, Delays, “Drop Dead Dates”, trends.
• Audits – not blame and error but opportunity to
correct and improve; correct errors before they
become mistakes
• AVOIDING NEGLECT AND SUBSEQUENT
NEGLIGENCE
66. RISK MONITORING & CONTROL - WHERE
• On site
• Off site
• Project Retreats
• Corporate reviews
67. RISK MONITORING & CONTROL – WHO
• Project Team
• Project Controls
• Project Manager
• PM Office
• CEO/CFO
68. RISK CLOSE OUT
PMI Process Group
Not Indicated
Closure of risk register and review of
effectiveness of Risk Management Plan,
Risk ID and Risk Response Planning /
Execution.
Opportunity for lessons learnt being includd
into corporate knowledge
69. RISK CLOSE OUT
• WHAT – Risks were realised and which
controls were effective
• WHY - Lessons learnt and knowledge
• WHEN -During execution, end of stages /
partial completion
• HOW - Records / Reports / Close out
Report / Interviews
• WHERE - On site, corporate HQ
• WHO - Project Team / Facilitator
70. Value of Risk
• Return on Risk – 12.5 to 1
• Ounce of prevention is a one pound of
cure
• Stitch in time saves 9.
• (16 +9)/2 = 12.5
71. Risk Sayings:
• If it can go wrong…it will (Murphy’s Law)
• Ignoring a risk does not make it go away.
• You pay for your risk management if you do it or
not…unfortunately it may cost you more to cure
than prevent. (An ounce of prevention is worth
more than a pound of cure)
• Risk is the mind of the beholder and all too often
people believe their own hype - Optimism Bias
72. More Sayings…
• Risks vs Issue – Risk – you can smell it, Issue –
your standing in it
• A little bit of risk management can prevent a lot
of fan cleaning
• Risk...isn’t that something that to happens to
other people/projects/companies?
• …but it’s on the Risk Register…but nobody was
assigned to own/monitor/act
• Risk clusters at interfaces, junctions, boundaries
73. Conclusion
• Risk is a perception
• Risk can happen to everybody
• Risk management allows a sensible and
pragmatic approach to be taken to
executing projects
• Risk management can help avoid project
failure
• Risk management can help promote
project success.