The primary objective of project risk management is to ensure the achievement of a project’s objectives by:
The risk management methodology consists of the identification, assessment, analysis, treatment, monitoring and closing of risks that may impact on the achievement of the project’s time, cost and quality objectives. The process will follow the ISO 31000 Risk Management - Principles and Guidelines on Implementation and/or the (2009) Practice Standard for Project Risk Management published by the Project Management Institute, as appropriate.
ISO 31000 defines risk as the effect of uncertainty on objectives, with the following notes providing detail of this definition:
For the purposes of the project risk management, the above definition of risk is refined by applying the following definitions to allow for effective event identification and assessment, as well as accurate quantification of adequate risk allowances in the project’s estimate and schedule:
The risk management of the Project will be initialised by a process, the objective of which is establishment of an initial risk register and risk response plan, as well as to undertake the cost and schedule quantitative risk analysis to identify the impact of risk on the Project’s budget and schedule. On completion of the initialisation process the monitoring and control of risk will commence.
The methodologies be used in the above process steps are described below:
Project Risk Identification
The purpose of risk identification is to search for and to locate sources of risk exposure, termed risk events, before they are realised. The risk workshops will be facilitated by PRA. The primary tool to be used to record, analyse, evaluate and disseminate risk information will be the project risk register, which shall allow for:
Project Risk Identification Parameters
As part of the risk identification process, the risk identification parameters for the Project and its packages are to be identified and recorded. The parameters consist of:
Scope
Objectives
Assumptions
Constraints
Schedule
Risk Breakdown Structure (RBS)
Project risks will be identified by the risk workshop participants with the aid of a RBS. This RBS identifies potential risk generators in seven risk environments, which include:
Risk assessment is the process of prioritising identified risks by estimating the probability of occurrence and the impacts of the risk event. These parameters are qualitatively or quantitatively analysed to arrive at a risk rating, which defines the ranking of each risk relative to all others. Qualitative analysis will be utilised to define relative risk ratings for the purposes of risk response prioritisation for the Project.
A risk matrix and the probability and consequence scales will be used to be used to qualitatively assess all identified risk events and determine the rating for each risk.
Quantitative Risk Analysis Procedure
The objective of quantitative risk analysis (QRA) is to quantify adequate cost and time provisions for project risk and uncertainty impacts on the Project’s time and cost objectives. The impact of project risk and project uncertainty will be analysed separately utilising the processes described below. The basis of the QRA will be the project budget and project key milestone schedule as approved at the time of undertaking the QRA. Outputs from the QRA process will be used to quantify project risk cost contingency recommendation, as well as recommendations for risk time allowances in the project schedule.
Risk Impact
The inputs for the risk impact analysis process are the estimates of the probability of occurrence and the time and direct cost impacts of the risk events as identified in the risk assessment procedure. The time variable cost impact of schedule delay will be calculated by multiplying the assessed time impacts of project risk and schedule uncertainty by the variable costs associated with the Project key milestones on which the risk and uncertainty will impact.
These estimates will be loaded into QRA models defined in cost and time impact simulation software packages, which calculate a range of possible impacts. These possible outcomes can be graphically depicted as time and cost impact distributions, examples of which are shown in the figures on the right.
Due to the forward-looking nature of the risk assessment process, estimates of probability and impact have a degree of uncertainty. This uncertainty should be included in the estimates of impact by providing a spread of potential impacts using an appropriate distribution of potential values. This information is captured in the standard risk register against each risk event.
Risk Simulation
The risk impacts will be used as input into risk models developed in risk simulation computer software packages. These software packages will be used to simulate the occurrence of the identified risks in a process often referred to as Monte Carlo analysis. The outputs from these simulation exercises are distributions graphs of costs and dates as shown in the example depicted on the right. These graphs plot the results of each iteration of the risk simulation against the proportion or number of the total iterations for which the specific result has occurred. These distribution graphs can then be used to identify risk percentile values, which are an indication of the percentage of simulation results that are equal to or less than the specific value.
Estimate Uncertainty
Estimate uncertainty associated with Project estimates will be analysed by allocating the applicable outcome ranges to each summary line in the Project and package budget that is subject to uncertainty and building a QRA model to simulate the impact of uncertainty on the budget using the estimate variability ranges for the applicable estimate classes.
Schedule Uncertainty
The inputs for schedule uncertainty analysis process are the assessment of the impact ranges of project uncertainty on the Project’s schedule key milestone activity durations. These impact ranges will be loaded into QRA models defined in a time impact simulation software package, which calculate a range of possible schedule impacts. These possible outcomes can be graphically depicted as schedule impact distributions, similar to those shown for risk analysis in the above section. The time variable cost impact of schedule uncertainty will be calculated by multiplying the assessed time impacts of schedule uncertainty by the variable costs associated with the Project key milestones on which the uncertainty will impact.
Cost and Schedule Allowances
The impact of risk and uncertainty will be combined in simulation models to determine adequate allowances to be included in the Project’s estimate and schedule. In the absence of a Project Owner policy defining the criteria applicable in quantifying project contingencies using risk analysis output, the appropriate percentile value of the impact distributions for the Project will be used to determine adequate provisions for the residual (post-response) cost and time impacts of project risk and uncertainty.
Project Risk Response Planning
The objective of risk response planning, or risk treatment as referred to in the ISO 31000 Risk Management process, is to minimise the impact of risk on the project objectives through the identification of appropriate responses. Appropriateness is defined by both the effectiveness of the response, as well as the cost of implementation. Effectiveness is the degree to which the implementation of the response will reduce the rating of the risk as measured by the risk rating matrix reflected in Appendix B. The response planning will be undertaken in a workshop of relevant members of the Project Owner’s team. The methodology is described in the following sections and this response plan will be updated following every risk review session, or as required by the project team.
Risk Categories
Each of the risk events identified in the risk identification process are allocated to one of the following risk categories:
These categories will be used to guide the formulation of appropriate risk response actions.
Project Risk Allocation and Response
Generally, risks should be allocated to the party that is best able to manage them. There are no set rules in this regard. Clients can place risk with the contractor, who in turn may increase their tender price depending on the buoyancy of the market. For those risks allocated to the project team, an individual should be assigned as responsible for the risk.
Identify and Select Treatment Options
Identify possible options for responding to each risk. These may or may not be mutually exclusive or appropriate in all circumstances. In addition to a descriptive perspective, when appropriate a cost comparison of alternative response options may be conducted.
Responses typically fall into four types, as follows:
Risk Avoidance
Avoidance in theory is a simple option. It means that a decision is taken to avoid engaging with, or action is taken to withdraw from the source of the risk, thus minimising the likelihood that any event in relation to that source can affect the project. It is important that risk avoidance does not result in inappropriate risk aversion, particularly where opportunities are involved. In this case, it may be appropriate to proceed, but with stringent risk controls such as considering an alternate approach to delivering the project or using an alternative technology.
Risk Mitigation (Reduction)
Risk mitigation can be accomplished through a reduction in the potential impact, a reduction in the likelihood or a combination of the two. While identifying risk responses it may be possible to identify upside values for the same risks (or opportunities) which will further reduce the over risk exposure.
Risk Transfer
Transfer involves sharing a risk with an external organisation such as an insurer or business partner.
The transfer may be a partial or a full transfer, however sharing may introduce new risks including failure of the other organization. In other words, no risk is fully transferable in a practical sense.
Risk Retention
The decision to retain a risk is typically taken if the risk is uncontrollable or the cost of risk reduction actions exceeds the potential risk exposure. This should include an analysis of the impact on schedule.
Risk Responsibility
Responsibility for ensuring the implementation of each identified responses will be allocated to a specific member of the Project Owner’s team. The responsible person will provide updates on the status of the response action implementation on a bi-weekly basis and attend the monthly risk reviews.
Residual Risk
Residual risk is defined as the portion of the risk impact that remains after the implementation of all identified responses. The residual risk is in essence uncontrollable and must be responded to by the establishment of contingency plans to be implemented in the event the specific risks occur. These plans should include the provision of contingency amounts to cover the cost and time impact of the residual risk.
The success of the project risk management efforts is dependent on the effective implementation of the risk responses. The risk monitoring and control process is designed to provide oversight of the implementation of the responses, identify the requirement for additional responses, and determine impacts of any changes in the project's risk profile.
The objectives of the risk monitoring and control process are to:
The risk responses will be monitored through both a formal risk review process, as well as by informal monitoring through liaison with the individuals responsible for the implementation of risk responses. Risk reviews will be held monthly and will consist of a workshop of relevant project team members. The review workshop will address the following:
In terms of project controls best practice, the cost contingency is the planned budgeted allowance to cover the cost of the identified risk events and or unforeseeable events within the project. A time contingency is the planned allowance to cover the possible delays arising from identified risk events and or unforeseeable events within the project.
The project cost and schedule risk impact outputs from the QRA process as described previously will be utilised to both establish and review the contingency provisions for project risk impact on the cost estimates and schedules. The appropriate percentile value of the project risk impact distributions will be used to determine adequate provisions for the residual (post-response) cost and time impacts of project risk. A contingency sum is provided to cover the cost of the risk under consideration or the impact of the risk on the project schedule.
Cost Distribution Graph
Copyright © 2023 Project Risk Associates - All Rights Reserved.
Powered by GoDaddy
We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.