Risk Management in Projects

In 2006, APM defined risk management as “an organized process that allows individual risk events and overall project risk to be understood and managed proactively, optimizing the project success by minimizing threats and maximizing the opportunities” (APM, 2006, p. 26) (APM 2006).

ISO 2009 defines risk management as “a set of coordinated activities implemented in order to direct and control an organization with regard to risk” (Guide 2009)

16 Risk is always related to what can happen in the future. Risk analysis is always a proactive attitude in the sense that it contracts exclusively with potential accidents (Rausand, 2011).

There are three main steps to analyze the risk: Hazard identification, frequency and consequences analysis (figure 2-4)

Figure 2-4 – Bow-Tie Model (from Rausand, 2011, p. 6)

Risk analysis is used to find the causes of destructive events to determine the possible consequences of those destructive events. The bow-tie model is useful for illustrating both the conception and analysis of the risk matters in the products or in the projects; each threat or destructive event has a specific influence on the consequences (Kaplan and Garrick 1981) Massingham (2010) has defined risk management as a continuous management process with the objective of revealing, analyzing and assessing potential hazardous events in a system, as well as identifying and introducing efficient risk control measures to eliminate or reduce possible harm to people, the environment or other assets. It is an integrated part of all good management and contains three main elements: risk analysis, risk evaluation and risk control and reduction (Massingham 2010).

Risk analysis: The objective of risk analysis is to identify harmful threats related to the projects, and to identify the potential cause of each hazardous event.

 Identify barriers and safeguards that can prevent or reduce the hazardous events as well as reducing their impact on the project outcome.

 Determine the consequences and frequencies (establish the risk picture).

Risk evaluation: Assessing the risk picture that was established and comparing the risk with the established risk acceptance criteria.

 Consider an alternative system or optional solutions.

17

 Propose risk-reducing measures and assess the effect of the risk reduction provided by each of them in relation to the cost of measures.

 Provide input to decision-making related to risk.

Risk control and risk reduction: Making decisions regarding the introduction of new risk reducing measures or the modification of existing measures, and implementing risk reducing measures (Rausand 2013).

 Monitor the risk and propose and evaluate changes when appropriate. Communicate the risk issues to relevant stakeholders and the general public.

 As an example: make other decisions related to the risk (the proposed risk reducing measures; is it appropriate? Or which will be appropriate within the several proposals?).

 How much must be invested to reduce the risk?

According to PMI (2013), a designed review could be the performing of project documentation to identify the risk (including plans, assumptions, previous project files, contracts etc.). PMBOK has defined documentation reviews, information gathering techniques, check list analysis and assumption analysis.

Every project’s risk is considered and developed based on a set of hypotheses, scenarios or assumptions. Assumption analysis explores the validity of assumptions as they apply to the project. It identifies risks to the project from inaccuracy, instability, inconsistency or incompleteness of assumptions (PMBOK, 2013).

2.4.2.1 Project Outlook of Risks

In a project, risk may have one or more causes and, if it occurs, it may have one or more influences. Risk is an uncertain incident or condition that, if it occurs, it has an effect on the project objectives (scope, schedule, cost and quality). The objectives of project risk direction are to increase the probability and impact of positive events, and decrease the probability and impact of negative events in the project (PMBOK, 2013).

From an information perspective, Dey (2010) states that risks are a cluster of factors formed by the different viewpoints of the various stakeholders. From a project perspective, the risks can arise from the business or operational aspects; in the initial stages the business risks are mostly highlighted while the operational risks primarily considered. However, there should be an ideal balance between those two aspects without ignoring any feature on any stage within

18 the project execution time. Whereas the operational risks affect specific work activities, does the business risks affect the project as a whole (Dey 2010).

Known risks are those that have been identified and analyzed, making it possible to plan responses for further direction. Unknown risks, on the other hand, cannot be coped with proactively, which makes it recommendable that the project crew should create a contingency plan.

2.4.2.2 Risk Analysis Techniques

Risk analysis techniques are segmented into two parts: quantitative and qualitative. These are described below.

Quantitative Techniques

Quantitative risk analysis uses numerical values for frequencies, consequences and brutalities.

The numerical value may come from many different sources (such as technical data, operational data, reliability data, stakeholder’s data, maintenance data etc.) (Rausand, 2011).

One of the most complex parts accompanying projects risk management is the quantification of risk (Rebiasz 2007). The industry’s wide used key techniques include:

 Sensitivity analysis

 Expected value analysis

 Monte Carlo analysis

 Scenario planning, Fuzzy set analysis

 PERT (program evaluation and review technique)

 Risk data quality assessment

 Decision tree analysis and Probability distribution

Some of these techniques are less applicable as they necessitate the need for detailed information. This is generally not available at the planning stage, and thus there is a struggle in making accurate decisions (Dey, 2010).

Qualitative Techniques

In qualitative risk analysis, words or descriptive scales are used to describe the frequency of the identified harmful events and the brutality of the potential consequences that might result from these events. Qualitative risk analysis may be used as an initial screening activity to identify accidental scenarios that require more detailed analyses. When the data availability is

19 inadequate for a quantitative analysis, qualitative techniques can be appropriate (Rausand, 2011). The qualitative risks include risks regarding contractual obligations, variations by the client, design variations and incomplete or inaccurate cost estimate (Rebiasz, 2007). The industry’s wide used key techniques for these risks include:

 Risk probability and impact assessment (probability and impact matrix)

 FMEA (failure mode and effects analysis)

 Fault tree analysis, Event tree analysis

 Cause-consequence analysis

 Risk data quality assessment

 Risk categorization

 Risk Urgency Assessment

 Delphi Technique, Brainstorming

 Assumption and checklist analysis

 Expert Judgement

To follow these techniques, various tools are used according to organizational projects demand. Mostly used tools are: risk register, risk catalogue, spread sheets, focus group discussions etc.