Risk Management techniques

Risk Management

Question:

B) “We will never know if we have identified all the risks in a project”

Given that the above statement is true; explain to a member of the Board of Directors the value of using Risk Management techniques for major project.

Introduction

“Every human endeavour involves risk; the success or failure of any venture depends crucially on how we deal with it” [1]. That means there is no perfect project in the construction industry in which all the risks can be identified and solved. Risk can neither be avoided nor be solved. It can only be mitigated and then either transfers or share to any other body which is a part of the project or just retain it. The success of a project depends on how well the project team analyse the risk. All the three parameters which determine the success of a construction project which are time, cost and quality are subjected to risk or uncertainty. It is the ability of the project team; right from the concept stage through out the implementation stage that how properly they are estimating the project by providing appropriate allowances for all those anticipated risks or uncertainties [2].

This report includes a detailed analysis of various risks that can occur in a construction project. It also includes how to identify, analyse and mitigate those risks by highlighting the value of different risk management techniques that are used now-a-days for major projects with the help of a case study of 2012 London Olympic and Paralympic games. This report also explains about the systematic approach (project management techniques developed by the experts who are in the field of risk management for many years) of handling the risks. Neglecting the risk without taking that into in its context can turn a potentially profitable project to a loss making venture.

1. Risk in projects- a theoretical approach

After a brief introduction, the author feels that’s its time to explain risk in a broader frame and the management techniques to mitigate it. For that, all those management procedures need to be explained more along with the techniques used and substantiate that by using more examples. Before going into details of management aspects of the risk, the author needs to give a general idea about the difference between risk and uncertainty, and the risk classification in detail.

1.1. Risk and uncertainty

According to Smith NJ, “the terms risk and uncertainty, if used rigorously, have different meaning but in terms of construction projects the distinction drawn between uncertainty and risk is of little significance” [2]. He defined risk and uncertainty as risk exists when a decision is expressed in terms of a range of possible outcomes and when known probabilities can be attached to the outcomes while uncertainty exists where there is more than one possible outcome of a course of action but the probability of each outcome is not known [2]. Uncertainty in other words can be defined as a situation in which there is no historic data or previous history relating to the situation [14]

. “Perminova defines uncertainty, as a context for risks as events having a negative impact on the project’s outcomes, or opportunities, as events that have beneficial impact on project performance. This definition stresses dual nature of uncertainty in potentially having both positive and negative influence on the project’s outcomes”. [17] Risk involves both a threat and a challenge where an opportunity is a threat for those expects failures and a challenge to those predicts victory. It can be taken purely on the basis of probabilities or chances and at the same time, risk can be a well calculated one.

1.2. Risk classification

According to Robert Flanagan and George Norman, risks are generally of different types that can be classified based on these criteria which are by identifying the type of risks, the consequences, and the impact of risk. Smith N J and Merna T suggested an alternate method of classification of risk which is Global classification and Elemental classification. The method, they suggested is to separate the more general risks which might influence a project but may be outside the control of the project parties from the risks associated with key project elements; these are referred to as global and elemental risks.

The classification based on type of risks is usually done by assuming that the total risk is made up of market risks (Speculative risk) and specific risks (Pure risk). The specific risk, sometimes called as static risk, which is having no potential gain typically arises from the possibility of accident or technical failure, while for speculative risk, there is a possibility of loss or gain which might be financial, technical, or physical. “Moreover, a company’s systematic risk can be spit into two components: business and financial risk”. Business risk is the result of a company trading with its assets, which is borne by the equity and debt holders and the financial risk arises directly out of the gearing process brings risk only to the equity holders.[14]

The risk classification based on the impact of it can be subdivided into the environment risk, market or industry risk, company risk and the project or individual risk. This classification has done by considering the area with which the impact of the risk is affecting. The general environmental can again be divided into two parts: the physical and then the social, political and economical risks. The physical environment includes the weather and the natural phenomena like earthquake, landslips etc. Normally the risks involved in this environment cannot be controlled. By using the modern technologies, these phenomena can be identified well in advance and can take the measures to mitigate the effects of these phenomena. While in the other hand, the social, political and the economical environment risks are to some extent can be controlled. The government can control social, political and environment of a project to an extent [14]. Market risk depends on a lot of factors and it is very difficult to control it. Recession is a risk that almost all the companies are facing throughout the world also comes under market risk. These types of risks are very difficult to predict too, so the better method to tackle is to try to mitigate the consequence. Any company operates within an open market and the risk attached with the market can influence the company as well. So in a company itself, for different major projects, different management groups are assigned and thereby it can act as a separate group or consortium (joint venture with another company). By doing the there are chances for the risks with which the parent company is facing may not reach this group. But the company risks and project risks are intrinsically linked because the company must ultimately bear the consequence of the risky project.

2. Project risk management – critical analysis

“Project risk management includes the processes concerned about conducting risk management planning, identification, analysis (both qualitative and quantitative), responses, and monitoring and control on a project; most of these processes are updated throughout the project”[3].

2.1. Risk management planning:

plans how to approach the risk bound activities in the project and to execute the risk management practices into those activities. Before going into the planning for risk management, it is always better to study the project as much as possible. According to PMBOK (3rd edition), while planning an approach for managing risk, it is advisable to consider these factors as well such as, environmental factors, organisational process assets and project scope statement (objective of the project). Risk management plan or method is the outcome or result of this planning, which is used for the identification of risk in the project [3].

2.2. Risk Identification:

The best way to identify risk is a group session or a brainstorming session with all the management experts who are the part of the project. This is the best method of gaining team input and bringing expertise to the project [2] [4]. The risk management plan which is obtained as a result of the first step (Risk management planning) can be used here to identify risk. After identifying all the risk, a risk breakdown structure (RBS) can be made, which shows the risk groups, risk categories and risk events at the lowest level. Then all these identified risks can be converged under two main categories, Internal and external risks. Internal risks, which consists of risks from the side of owners, consultants, contractors, subcontractors and suppliers while external risks are political, economical, social, cultural, natural and other risks such as delays in claiming insurance etc [5]. “Identification of the risk is considered as the first and the most significant phase of the risk management process. It brings considerable benefits in terms of project understanding and provides an early indication of the need for risk management strategies”. It is impossible to know how far the risks are identified but it is likely that there will be some risks which are unknown. The purpose of identification itself is to use the combinations of different methods to try to ensure that the amount of the unknown unknowns is as small as possible [15]. The right time of doing this identification of risk process is in the appraisal phase, because then there are a large number of risks in the project, and the options for avoiding or mitigating risks are very high and at that time, the project is highly flexible.

Different methods of identification process are used by different organisations. Examining previous project’s data with similar characteristics which has got similar type of risks can be used to ensure that corporate knowledge is utilized. This option of identification is having only limited scope, but this can at least used to make a checklist of risks which has got more probability to occur [2].

“Interviewing the project personnel from each discipline and the staff from within the organisation who have experience of similar projects, ensures the corporate knowledge and personnel experience are utilized in the process of identifying risks” [2]. The benefit of doing this technique is that, the organisation can utilise the experience that these experts got from the similar pervious projects.

Once these risks are identified, detailed analysis can be done, either by qualitative analysis or by quantitative analysis or by both.

2.3. Risk analysis:

“The purpose of the risk identification is to quantify the effects on the project of the risks identified” [15]. The first and most important step in this phase is to decide which analytical technique to use. There are methods, at the simplest level in which each risk can be treated individually with no attempts made to quantify the risks or the probability of occurrence of this is not calculated. Much more detailed results can be achieved by adding various computation methodologies and by establishing the interdependency of the risks and then the calculation system will be more complex. The choice of technique will usually be based on the experience and expertise.

2.3.1. Qualitative analysis:

Prioritising risk by analysing the probability of occurrence and impact in the project. For each risk that is identified, the team needs to assess its severity in order to decide what course of action to take [16]. Expertise is required in this step, because all those analysis is done based on the knowledge from previous experiences. According to Smith N J, a typical qualitative risk assessment usually includes these issues: a brief description of the risk, the stages of the project when it may occur, the elements of the projects that could be affected, the factors that influence it to occur, the relationship with other risks, the likelihood of it occurring, how it could affect the project [2].

According to PRAM, various techniques used for doing qualitative analysis are assumption analysis, by making a check lists and prompt lists, brainstorming, Delphi technique, use of probability- impact (P-I) table, interviews ands risk register [11]. This method is basically experience based and the usage of any of the above mentioned techniques is compulsory, otherwise, the experience of the senior staffs cannot be utilised and thereby the project will be more vulnerable to risk.

2.3.2 Quantitative analysis:

analyse numerically the effect of these risks in the overall project. This is the step in which the chances for error is maximum because in this step only, the calculations of the identified risks are done. So this step requires higher attention. Based on qualitative analysis, a relative important index (RII) can be developed and using that detailed categorisation can be done [5].

The probability of a risk arising is a key factor in decisions on risk. Possible consequences of risk occurring are defined and quantified in terms of increased cost, increased time and reduced quality and performance, which can be analysed by using any of the quantitative analysis techniques, says Smith N J [2].

Various techniques used are Decision trees, influence diagrams, Probability analysis (Monte- Carlo simulation), Sensitivity analysis, Project evaluation and review techniques (PERT) and Control Interval and Memory (CIM) approach in which sensitivity analysis and probability analysis are the widely used techniques to do the quantitative analysis of risk in a project.

Sensitivity Analysis: This technique determines the risks which have the most potential impact on the project. “It examines the extent to which the uncertainty of each project element affects the objective, when all other uncertain elements are held at their baseline values” [3]. The aim of doing sensitivity analysis is to identify those components of the projects whose uncertainty most influences the uncertainty of the project’s outcome. Sensitivity analysis can be expressed by using different plotting methods like Tornado charts (a histogram method, which is useful for comparing relative importance of variables that have a high degree of uncertainty to those that are more stable.), Spider plots, and Risk-return graphs. This technique should performed on all the risks and uncertainties which may affect project in order to identify those which have a large impact on the economic return, cost, time and whatever are the objectives.

Probability Analysis (Monte-Carlo simulation): Probability analysis overcomes many limitations of sensitivity analysis by specifying a probability distribution for each risk, and then considering the effects on the risks in combination. Random sampling is used where calculation of data inserted in an equation would be difficult or impossible [18] [19]. Monte-Carlo simulation by means of random numbers provides and extremely powerful yet conceptually straight forward method of incorporating probabilistic data. The basic steps are.

* assess the range for the variables being considered, and determine the probability distribution most suited to that variable

* select a value for each variable within is specified range; this value should be randomly chosen and must take account of the probability distribution for the occurrence of the variable. This is usually achieved by generating the cumulative frequency curve for the variable and choosing a value from a random number

* run a deterministic analysis using the combination of values selected for each one of the variables

* repeat a number of times to obtain the probability distribution of the result. The number of iterations required depends on the number of variables and the degree of confidence required, but typically lies between 100 and 1000 [20].

In normal risk management processes (RMP), one of the abovementioned analyses only is used. “The effectiveness and efficiency of quantitative analysis is driven to an important extent by the quality of the qualitative analysis and the joint interpretation of both”. [6]

2.4. Risk response:

brings out the maximum possible outcomes from these risks bound activities to enhance opportunities and to reduce threats to the desired objective. With these outcomes, risks can be prioritised as high, medium and low risk according to the probability of occurrence and impact. Risk allocation strategies should be determined at the initial stages of the project by the client. The main characteristics of the available choices of risk allocation strategy can be grouped according to organisational structure or payment mechanism. The payment mechanism employed, price or cost- based, will determine the location of these contingencies [2]. The allocation of risk between parties to a contract should be identified prior to tender. The rise response, or its allocation, can take any of these four forms: Risk retention, Risk transfer, Risk reduction and Risk avoidance.

2.4.1 Risk retention:

According to Flanagan. R and Norman G, risks that produce individually small, repetitive losses are those most suited for retention. Not all risks can be transferred, but even if they are capable of being transferred it may not prove to be economical to do so. The risk will then have to be retained. Besides, it is preferred to retain a portion of risk in certain circumstances [14]. Applying the probabilistic approach to cost estimates gives a range of estimates rather than a single value. Thus a series of contingency sums can be given which provide for different probabilities of protection against risk and uncertainty [20].

2.4.2 Risk transfer:

Transferring the risk does not reduce the criticality of the source of risk, but it removes it to another party. In some cases, transfer can significantly increase risk because the party, whom it is being transferred, may not be aware of the risk they are being asked to absorb. The essential characteristic of the risk transfer is that the consequences of the risks, if they occur, are shared with or totally carried by a party other than the client. The client should expect to pay a premium for this privilege. The responsibility for initiating this form of risk response therefore lies with the client, and he should ensure that it is in his own best interests to transfer the risk [18] [20]. As per PMBOK, contracts can be used to transfer liability for specified risks to another party [3].

2.4.3 Risk reduction:

The most common and efficient way of reducing risk exposure is to share risks with other parties. Risk reduction fills in three categories: Firstly, education and training to alert the staff to potential risks. Secondly, physical protection to reduce the likelihood of loss and finally systems are needed to ensure consistency. In contractual agreement, the use of management fee types of contract will remove the adverse attitude of contractors and should reduce the likelihood of claims from the contractor for direct loss and expense [20].

2.4.4 Risk avoidance:

“Risk avoidance involves changing the project management plan to eliminate the threat posed by an adverse risk, to isolate the project objectives from the risk’s impact, or to relax the objective that is in jeopardy, such as extending the schedule or reducing scope. Some risks that arise early in the project can be avoided by clarifying requirements, obtaining information, improving communication, or acquiring expertise.”[3]

2.5. Risk monitoring and control:

tracking and monitoring the identified risks, identifying new risks, executing risk response plans, and evaluating their effectiveness throughout the project life cycle. The process of risk management can be grounded on a clear understanding about the nature and scope of decision making involvement in project management and a natural framework for examining these decisions is the project life cycle. For successful implementation of the project, a regular monitoring procedure of risk is essentially required in all the segments of this framework like conceptualisation, planning, design, construction, termination and disposal of a project. Risk Monitoring and Control is the process of identifying, analysing, and planning for newly arising risks, keeping track of the identified risks and those on the watch list, reanalysing existing risks, monitoring trigger conditions for contingency plans, monitoring residual risks, and reviewing the execution of risk responses while evaluating their effectiveness. The Risk Monitoring and Control process applies techniques, such as variance and trend analysis, which require the use of performance data generated during project execution. Risk Monitoring and Control, as well as the other risk management processes, is an ongoing process for the life of the project [3]

These abovementioned processes can be effectively explained by using a case study. The case study explains the typical risks that a major construction project is always exposed to and through this case study the author wants to prove that even if the management team has done a detailed analysis of risks, they can never say that they have identified all the risks because still there are chances for some risks being left out as unidentified.

3. London Olympics 2012 – a case study

The reason behind 2012 London Olympics to be taken as the case study is that, the author feels it is better to consider a live or recent project to discuss the risk management issues than an old project because in a live project only, there is a scope to find more risks which the management team left out without considering like the recession in this case, which is left unattended by the management group is the biggest treat the project is facing.

According to the report by Comptroller and auditor General, National Audit Office (NAO), the management team of the London Olympics has considered six major issues as their major risks that need to be considered to the successful delivery of the project. They are

(1) “Delivering the project at an immovable deadline

(2) The need for strong governance and delivery structures given the multiplicity of organisations and groups involved in the Games.

(3) The requirement for the budget to be clearly determined and effectively managed.

(4) Applying effective procurement practices.

(5) Planning for a lasting legacy.

(6) The installation of effective progress monitoring and risk management arrangements” [7].

Since this project is a major one and all these risks need severe attention, the management team planned various risk management techniques to tackle each risk individually to keep all of them under control at any time through out the project. The author finds it very essential to explain each of these abovementioned risks and the methods used to mitigate them in detail, to substantiate the value of risk management techniques to a member of the Board of Directors.

3.1. Delivering the project at an immovable deadline

The Olympic project consists of a lot of individual but interdependent projects. Effective project management works on the basis of the three parameters- Time, cost and quality and if there is any change that happens to any of these parameters can affect the other two[7]. So that implies delay in delivering any of the elements of the project puts pressure on cost and/or quality. Normally to release pressure from cost and quality that arises due to the delay in delivery of the project is to weaken the negotiating position. But in this project, these adjustments are not possible. Because any delay can affect the theme of the project. So to get rid of all these issues, they planned the project very well initially and kicked the construction off by starting the individual; non-interdependent (self dependent) works at the same time and by achieving all the milestones in construction at regular, pre-assigned intervals. Then they arrange the meeting of the representatives of all the major stakeholders and make sure that all of them are satisfied with the work done to attain the milestone within the given time.

3.2 The need for strong governance and delivery structures given the multiplicity of organisations and groups involved in the Games.

According to the Comptroller and audit general’s report, there are three major stakeholders to this project- The Government (represented by some bodies), the mayor of London and British Olympic Association. In addition to this, some other bodies are involved in delivering or funding the games. The management group deals with the risk of the need for strong governance and delivery structures by maintaining a clear focus on the need for timely decision making individually and collectively on a programme where there are multiple stakeholders and interests. The international Olympic Committee requires the host cities to organise the games and the management department decided to set up an Olympic delivery authority (ODA) to deliver the venues and the infrastructure and then to stage the games. From the previous experience they had in the past, they set up another body called LOCOG (London Organising Committee of the Olympic and Paralympic Games, which is responsible for operational and staging aspects of the game. The Olympic Delivery Authority prepares the site, builds new venues, delivers the Olympic village, infrastructure and transport projects. The only thing the management team needs to make sure is the combined effort of both the organisations in delivering the project. The technique of setting up two organisations by the management department was found successful so far, from the timely delivery of the milestones [7].

3.3 The requirement for the budget to be clearly determined and effectively managed.

One of the main risk which has got more probabilities to go wrong and which needs efficient management hands and effective techniques to deal with. So a very strong financial management set up is a prime requirement here. The need of maintaining comprehensive and accurate asset registers, which helps to transfer the asset later on at the end of the project and the need for strong contract management arrangements, with comprehensive contract records and payments made only in accordance with certified work carried out, is also of prime importance to keep in track with the income and expenditure of the project. Finally the actions required to manage this risks are setting up a budget for the project and making sure how it is funding, being sure about how the cash flow needs will be met, being clear about the costs associated with delivering the games and how to capture this amount on a consistent basis [7] [8].

3.4 Applying effective procurement practices.

This is one of the main issues as far as a major project is taken into concern. The author feels so, because fixing a procurement route for such a large project is very difficult. To get a main contractor who is doing the major share of work for a big project is equally difficult. By considering these aspects, the management team started doing the procedures well in advance, so that they got enough time for doing their analysis works done for fixing the procurement route, to do the qualification processes for selecting the main contractor and to negotiate with the preferred team about the various aspects of the project. Along with this, the management team makes sure that the application of procurement practice was effective by being clear about the respective roles and responsibilities of the Olympic Delivery Authority and its Delivery Partner, and ensuring that the arrangement enables the Authority to contain its operating costs as planned. They gained confidence in the approach to procurement by awarding contract in an open and fair way and by applying best practice [7] [8].

3.5 Planning for a lasting legacy.

Since the project is very big and requires a lot of money, the management needs to make sure that the assets that are constructing for the games should deliver the maximum service. Planning for a lasting legacy, they planned the entire development of the city of London by adding these assets to it for future purposes. So this can also be considered as one among those crucial risks. They mitigated this risk by developing robust plans for the Olympic venues with the clear focus on whole life costs, to avoid the risks of these facilities being under-used or unaffordable after the games [7].

3.6 The installation of effective progress monitoring and risk management arrangements.

A major issue for any construction project, no matter whether that is a small project or a large one, it affects very severe if there is no effective progress monitoring techniques and risk management arrangements. Especially for a high investment project like this, it is very important because of the interest of the public in the project. They managed this risk by providing a risk register for every stakeholder at different stages in developing their own risk strategies and registers to identify and manage the risks specific to delivering their responsibilities. At a particular programme level, the authority collates all of them and makes a database for registering risks and prepares action plans to mitigate them.

Although they have done all these lengthier procedures to find out risks and to eliminate it, the project is still not completely out of risks. The main threat the project facing now is the risk developed due to global economic recession. The financial set up of the project might get affected because of this risk. Now their main objective is to save the project from this risk and they are currently working on the issue which is about how to reduce or mitigate this risk. Being government is the main stakeholder and the project is a prestigious one, they will somehow manage to finish this project within time, but the cost will still remain as unknown and that itself is the risk that the management team left out with identifying after doing this detailed analysis of risk. This is the reason why they say “we will never know if we have identified all the risks in a project”.

4. Benefits of Project Risk Analysis and Management

As per PRAM, benefits of using risk management can be classified into two: Hard Benefits and Soft benefits. Hard benefits are relatively easy to express and with enough effort it would be possible to measure the amount of benefit. But soft benefits are much less easy to quantify but, can give rise to dramatic performance improvement. These two can be explained in detail as

“Hard benefits

– Enables better informed and more believable plans, schedules and budgets.

– Increases the likelihood of a project adhering to its plans.

– Leads to the use of the most suitable type of contract.

– Allows a more meaningful assessment and justification of contingencies.

– Discourages the acceptance of financially unsound projects.

– Contributes to the build-up of statistical information to assist in better management of future projects.

– Risk analysis enables objective comparison of alternatives.

– Identifies and allocates responsibility to the best risk owner and soft benefits

– Improves corporate experience and general communication

– Leads to a common understanding and improved team spirit

– Assists in the distinction between good luck/good management and bad luck/bad management

– Helps develop the ability of staff to assess risks.

– Focuses attention on the real and most important issues.

– Facilitates greater risk taking, thus