The primary objective of project risk management is to ensure the achievement of a project’s objectives by:

• Comprehensively identifying risks that might impact on the achievement of each of the Project’s objectives
• Accurately assessing the potential impacts of the identified risks
• Prioritising the requirements for risk response identification
• Formulating appropriate responses to the identified risks
• Quantifying adequate cost and time provisions for post-response residual risk impacts
• Controlling the implementation of identified risk responses
• Monitoring changes in risk exposure, identifying new risks and modifying responses.

The risk management methodology consists of the identification, assessment, analysis, treatment, monitoring and closing of risks that may impact on the achievement of the project’s time, cost and quality objectives. The process will follow the ISO 31000 Risk Management - Principles and Guidelines on Implementation and/or the (2009) Practice Standard for Project Risk Management published by the Project Management Institute, as appropriate. 

ISO 31000 defines risk as the effect of uncertainty on objectives, with the following notes providing detail of this definition:

• An effect is a deviation from the expected — positive and/or negative
• Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization- wide, project, product and process)
• Risk is often characterized by reference to potential events and consequences, or a combination of these
• Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence
• Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.

For the purposes of the project risk management, the above definition of risk is refined by applying the following definitions to allow for effective event identification and assessment, as well as accurate quantification of adequate risk allowances in the project’s estimate and schedule:

• Project risk is the potential occurrence of an event, which if it occurs will have a negative impact (threat) or positive impact (opportunity) on the project’s objectives
• Project uncertainty is the existence of a current condition that impacts on the ability to accurately plan for the future.

The risk management of the Project will be initialised by a process, the objective of which is establishment of an initial risk register and risk response plan, as well as to undertake the cost and schedule quantitative risk analysis to identify the impact of risk on the Project’s budget and schedule. On completion of the initialisation process the monitoring and control of risk will commence.

The methodologies be used in the above process steps are described below:

Project Risk Identification

The purpose of risk identification is to search for and to locate sources of risk exposure, termed risk events, before they are realised. The risk workshops will be facilitated by PRA. The primary tool to be used to record, analyse, evaluate and disseminate risk information will be the project risk register, which shall allow for:

• Risk identification to be based on a standardised risk breakdown structure (RBS). 
• Risk identification to be event based (event/cause/impact/probability)
• Risks to carry a unique identification
• Risk identification to include the parameters necessary for qualitative analysis, as well cost and schedule quantitative risk analysis
• Recording of response planning information
• Pre- and post-response risk analysis
• Risk closing control and version control
• Easy use and interpretation by project team members who have no specialised risk management knowledge.
• A standardised Excel based risk register is to be used for capturing all risk data for the register.

Project Risk Identification Parameters

As part of the risk identification process, the risk identification parameters for the Project and its packages are to be identified and recorded. The parameters consist of:

Scope

• A high-level description of the elements that make up the scope of the Project and its packages.

Objectives

• Total cost, including direct and indirect costs, excluding contingencies
• Time objectives based on the current accepted schedule
• Quality and specifications objectives
• Any other objectives included in the approved execution plans or any other document formally accepted by the Project Owner.

Assumptions

• Assumptions made in formulating any of the objectives
• Assumptions made in formulating the execution plans.

Constraints

• Constraints that exist in executing the execution plans.

Schedule

• The schedule that identifies time objectives, related activities and their dependencies
• Time variable costs are identified for activities where applicable
• Cost consequence of time related risks are calculated utilising time variable costs for specific activities.

Risk Breakdown Structure (RBS)

Project risks will be identified by the risk workshop participants with the aid of a RBS. This RBS identifies potential risk generators in seven risk environments, which include:

• Natural environment
• Economic environment
• Government environment
• Societal environment
• Client environment
• Construction environment
• Project environment.

Risk assessment is the process of prioritising identified risks by estimating the probability of occurrence and the impacts of the risk event. These parameters are qualitatively or quantitatively analysed to arrive at a risk rating, which defines the ranking of each risk relative to all others. Qualitative analysis will be utilised to define relative risk ratings for the purposes of risk response prioritisation for the Project.

A risk matrix and the probability and consequence scales will be used to be used to qualitatively assess all identified risk events and determine the rating for each risk.

Quantitative Risk Analysis Procedure

The objective of quantitative risk analysis (QRA) is to quantify adequate cost and time provisions for project risk and uncertainty impacts on the Project’s time and cost objectives. The impact of project risk and project uncertainty will be analysed separately utilising the processes described below. The basis of the QRA will be the project budget and project key milestone schedule as approved at the time of undertaking the QRA. Outputs from the QRA process will be used to quantify project risk cost contingency recommendation, as well as recommendations for risk time allowances in the project schedule.

Risk Impact

The inputs for the risk impact analysis process are the estimates of the probability of occurrence and the time and direct cost impacts of the risk events as identified in the risk assessment procedure. The time variable cost impact of schedule delay will be calculated by multiplying the assessed time impacts of project risk and schedule uncertainty by the variable costs associated with the Project key milestones on which the risk and uncertainty will impact.

These estimates will be loaded into QRA models defined in cost and time impact simulation software packages, which calculate a range of possible impacts. These possible outcomes can be graphically depicted as time and cost impact distributions, examples of which are shown in the figures on the right.

Due to the forward-looking nature of the risk assessment process, estimates of probability and impact have a degree of uncertainty. This uncertainty should be included in the estimates of impact by providing a spread of potential impacts using an appropriate distribution of potential values. This information is captured in the standard risk register against each risk event.

Risk Simulation

The risk impacts will be used as input into risk models developed in risk simulation computer software packages. These software packages will be used to simulate the occurrence of the identified risks in a process often referred to as Monte Carlo analysis. The outputs from these simulation exercises are distributions graphs of costs and dates as shown in the example depicted on the right. These graphs plot the results of each iteration of the risk simulation against the proportion or number of the total iterations for which the specific result has occurred. These distribution graphs can then be used to identify risk percentile values, which are an indication of the percentage of simulation results that are equal to or less than the specific value.

Estimate Uncertainty 

Estimate uncertainty associated with Project estimates will be analysed by allocating the applicable outcome ranges to each summary line in the Project and package budget that is subject to uncertainty and building a QRA model to simulate the impact of uncertainty on the budget using the estimate variability ranges for the applicable estimate classes.

Schedule Uncertainty 

The inputs for schedule uncertainty analysis process are the assessment of the impact ranges of project uncertainty on the Project’s schedule key milestone activity durations. These impact ranges will be loaded into QRA models defined in a time impact simulation software package, which calculate a range of possible schedule impacts. These possible outcomes can be graphically depicted as schedule impact distributions, similar to those shown for risk analysis in the above section. The time variable cost impact of schedule uncertainty will be calculated by multiplying the assessed time impacts of schedule uncertainty by the variable costs associated with the Project key milestones on which the uncertainty will impact. 

Cost and Schedule Allowances 

The impact of risk and uncertainty will be combined in simulation models to determine adequate allowances to be included in the Project’s estimate and schedule. In the absence of a Project Owner policy defining the criteria applicable in quantifying project contingencies using risk analysis output, the appropriate  percentile value of the impact distributions for the Project will be used to determine adequate provisions for the residual (post-response) cost and time impacts of project risk and uncertainty.

Project Risk Response Planning 

The objective of risk response planning, or risk treatment as referred to in the ISO 31000 Risk Management process, is to minimise the impact of risk on the project objectives through the identification of appropriate responses. Appropriateness is defined by both the effectiveness of the response, as well as the cost of implementation. Effectiveness is the degree to which the implementation of the response will reduce the rating of the risk as measured by the risk rating matrix reflected in Appendix B. The response planning will be undertaken in a workshop of relevant members of the Project Owner’s team. The methodology is described in the following sections and this response plan will be updated following every risk review session, or as required by the project team. 

Risk Categories 

Each of the risk events identified in the risk identification process are allocated to one of the following risk categories: 

• External - Uncontrollable 
• External - Influenceable 
• Internal - Client operations (controllable) 
• Internal - User requirements (controllable) 
• Internal - Project processes (controllable). 

These categories will be used to guide the formulation of appropriate risk response actions.

Project Risk Allocation and Response 

Generally, risks should be allocated to the party that is best able to manage them. There are no set rules in this regard. Clients can place risk with the contractor, who in turn may increase their tender price depending on the buoyancy of the market. For those risks allocated to the project team, an individual should be assigned as responsible for the risk. 

Identify and Select Treatment Options 

Identify possible options for responding to each risk. These may or may not be mutually exclusive or appropriate in all circumstances. In addition to a descriptive perspective, when appropriate a cost comparison of alternative response options may be conducted. 

Responses typically fall into four types, as follows:

• Avoidance/prevention/removal
• Mitigation/reduction/optimisation
• Transference
• Retention/acceptance. 

Risk Avoidance 

Avoidance in theory is a simple option. It means that a decision is taken to avoid engaging with, or action is taken to withdraw from the source of the risk, thus minimising the likelihood that any event in relation to that source can affect the project. It is important that risk avoidance does not result in inappropriate risk aversion, particularly where opportunities are involved. In this case, it may be appropriate to proceed, but with stringent risk controls such as considering an alternate approach to delivering the project or using an alternative technology. 

Risk Mitigation (Reduction) 

Risk mitigation can be accomplished through a reduction in the potential impact, a reduction in the likelihood or a combination of the two. While identifying risk responses it may be possible to identify upside values for the same risks (or opportunities) which will further reduce the over risk exposure. 

Risk Transfer 

Transfer involves sharing a risk with an external organisation such as an insurer or business partner. 

• By contract or agreement with contracting parties
• Purchase risk insurance
• Share the risk as in a joint venture partnership. 

The transfer may be a partial or a full transfer, however sharing may introduce new risks including failure of the other organization. In other words, no risk is fully transferable in a practical sense. 

Risk Retention 

The decision to retain a risk is typically taken if the risk is uncontrollable or the cost of risk reduction actions exceeds the potential risk exposure. This should include an analysis of the impact on schedule. 

Risk Responsibility 

Responsibility for ensuring the implementation of each identified responses will be allocated to a specific member of the Project Owner’s team. The responsible person will provide updates on the status of the response action implementation on a bi-weekly basis and attend the monthly risk reviews.

Residual Risk 

Residual risk is defined as the portion of the risk impact that remains after the implementation of all identified responses. The residual risk is in essence uncontrollable and must be responded to by the establishment of contingency plans to be implemented in the event the specific risks occur. These plans should include the provision of contingency amounts to cover the cost and time impact of the residual risk. 

The success of the project risk management efforts is dependent on the effective implementation of the risk responses. The risk monitoring and control process is designed to provide oversight of the implementation of the responses, identify the requirement for additional responses, and determine impacts of any changes in the project's risk profile. 

The objectives of the risk monitoring and control process are to: 

• Review  the current risk profile and identify changes in risk probabilities and impacts
• Monitor on the implementation of risk responses and update the status of the responses in the response plan
• Update the risk register with any new risks and associated responses based on changes in project scope, project progress and changing risk generators. 

The risk responses will be monitored through both a formal risk review process, as well as by informal monitoring through liaison with the individuals responsible for the implementation of risk responses. Risk reviews will be held monthly and will consist of a workshop of relevant project team members. The review workshop will address the following: 

• A review of existing risks to revise their risks assessment if necessary or close those risks that have either occurred or will no longer occur 
• Identify and assess any new risks that may have arisen 
• Update the status of each the risk responses in the response plan.

In terms of project controls best practice, the cost contingency is the planned budgeted allowance to cover the cost of the identified risk events and or unforeseeable events within the project. A time contingency is the planned allowance to cover the possible delays arising from identified risk events and or unforeseeable events within the project. 

The project cost and schedule risk impact outputs from the QRA process as described previously will be utilised to both establish and review the contingency provisions for project risk impact on the cost estimates and schedules. The appropriate percentile value of the project risk impact distributions will be used to determine adequate provisions for the residual (post-response) cost and time impacts of project risk. A contingency sum is provided to cover the cost of the risk under consideration or the impact of the risk on the project schedule.