I need an essay about this chapter

JAsonis
ch5.pdf

C H A P T E R 5

RISK MANAGEMENT

There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction.

—John F. Kennedy

INTRODUCTION

Every project faces its own unique challenges. Furthermore, every project is faced with limited resources, be they time, money, or workerpower. The project manager is faced with many choices concerning the allocation of these resources. As the management of risk is just one of the many activities that must be addressed, a decision will need to be made as to what level of risk management is needed.

In Chapter 1 of this book, the Project Management Institute’s definition of risk management was introduced. The five steps identified in the PMI definition are often presented in the form of a pyramid with the first step, risk management planning, at the bottom and the last step, risk monitoring and control, at the pinnacle. At first glance, the metaphor of a pyramid seems appropriate as the steps begin broadly and, as one climbs up, the focus narrows from the identification and analysis of risks, to the development of responses and actions that are then monitored through execution and completion of the project.

While the logic of this metaphor makes good sense from the perspective of process, it is useful to literally flip it upside down if we think about risk management from the perspective of what requires the greatest level of effort (see Figure 5.1). If the size of the pyramid’s steps are assumed to represent the measurement of efforts needed to accomplish them, then each step increases as we move forward in the process. In other words, the best risk planning and analysis in the world is all for naught if the appropriate responses are not developed and implemented in a timely and effective manner. This point may seem trivial at first, but it is the experience of

149

150 R I S K M A N A G E M E N T F O R D E S I G N A N D C O N S T R U C T I O N

Figure 5.1 Traditional versus Recommended Emphasis of Risk Management

the authors that ‘‘traditional’’ risk management places more emphasis on problems and their analysis than on solutions and their execution.

Of course, effective risk management requires a balanced approach with respect to risks and their responses. What the authors wish to emphasize here is that effective risk management requires more than analysis—it demands decisive action. Risks require appropriate responses just as problems require viable solutions. Risk management is a dynamic process that requires the active participation of people to be successful. This chapter will discuss each step of the risk management process in greater depth. We will focus here on the ‘‘solution’’ side of the pyramid as the previous chapters have presented and discussed the ‘‘problem’’ side.

What Is My Project’s Tolerance for Risk?

You may be asking yourself, ‘‘How much confidence am I willing to pay for?’’ In other words, what is the project’s tolerance for risk? This is an excellent question that deserves some discussion.

From a mathematical perspective, it stands to reason that all projects should maintain a tolerance for risk at the 50 percent mark. For example, assume that a quantitative risk model prepared for a middle school project identifies a figure of $32.5 million as the median predicted project value. If there are no extenuating factors (as described in the following paragraphs), then this would be a reasonable level of risk to assume.

Sadly, we do not live in a perfect world. In light of this, a project’s tolerance for risk will depend on a number of factors. These include:

■ Political sensitivity—Projects that are highly visible in the public eye sometimes have a lower tolerance for risk. On such projects, there may be greater political will, which

R I S K M A N A G E M E N T 151

translates into a greater availability of project resources to mitigate risk. Also, the fear of failure may be more acute. Often, the sunk cost effect comes into play (which will be discussed in greater detail later in this chapter).

■ Funding availability—The availability of project funding can play a huge role in how risk is managed. There may not be funding available to mitigate risks as proactively as desired. In such cases, the tolerance for risk may be higher and not necessarily by choice. The performance of a quantitative risk analysis can provide the data necessary to paint a convincing argument to decision makers that additional funds should be sought now to avoid the expenditure of even more funds later down the road. To quote Albert Einstein: ‘‘There is no force more powerful in the universe than compound interest.’’

■ Schedule criticality— Often the project schedule will have a firm hand in determining a project’s tolerance for risk. If there are key project milestones that must be met, this can increase costs dramatically, provided, of course, funds are available to be allocated. It has been the authors’ experience that many of the so-called critical milestones identified in a project’s schedule are completely artificial. Many are tied to erroneous statements made by policy makers early on in project planning. Again, a solid quantitative risk analysis can provide the data to show the cost associated with setting unreasonable milestones and can quickly change minds about what is truly critical and what is not.

Prospect Theory and Risk Tolerance The framing effect is an essential component of prospect theory, which was first presented in 1979 by Kahneman and Tversky. Contrary to expected utility theory, which posits that people make decisions based on maximizing utility, prospect theory suggests that most people make decisions based on how prospects are framed. Consider the following situation.

Imagine that the United States is preparing for the outbreak of a deadly strain of influenza that is expected to kill 60,000 people. Two alternative programs to combat the disease have been proposed. Assume that the exact scientific estimates of the consequences of the programs are as follows:

■ If program A is adopted, 20,000 people will be saved. ■ If program B is adopted, there is a one-third probability that 60,000 people will be saved and a two-thirds probability that no people will be saved.

Which of the two programs would you choose? Assume that two alternative programs to combat the disease have been proposed. Assume

that the exact scientific estimates of the consequences of the programs are as follows:

■ If program C is adopted, 40,000 people will die. ■ If program D is adopted, there is a 33 percent probability that nobody will die and a 66 percent probability that all 60,000 people will die.

Which of these two programs would you choose?

152 R I S K M A N A G E M E N T F O R D E S I G N A N D C O N S T R U C T I O N

A scientific study was conducted by Kahneman and Tversky posing similar questions to people. The results were quite remarkable:

■ If program A is adopted, 20,000 people will be saved (72 percent). ■ If program B is adopted, there is a one-third probability that 60,000 people will be saved and a two-thirds probability that no people will be saved (28 percent).

■ If program C is adopted, 40,000 people will die (22 percent). ■ If program D is adopted, there is a one-third probability that nobody will die and a two-thirds probability that 60,000 people will die (78 percent).

The results of Kahneman’s and Tversky’s study were fascinating.1 Mathematically speaking, programs A and C are identical while programs B and D are identical. However, the majority of people selected programs A and D, which is completely illogical from a mathematical standpoint. What could have caused this breakdown in logic?

The explanation has to do with the manner in which the prospective outcomes are framed. The implicit reference point of the question is that if no program is adopted, then 60,000 people will die. The outcomes of programs A and B are stated in terms of gains, and people tend to be risk-averse when encountering opportunities for gain—respondents typically prefer to take the known outcome rather than the gamble.

The outcomes of programs C and D are stated in terms of losses, and people tend to become risk-seeking when confronted by the likelihood of loss—respondents will typically prefer the gamble over the certainty of losses.

Prospect theory postulates that people evaluate from the perspective of the status quo suggested by the way a prospect is stated, and think of each prospect as involving a gain, a neutral outcome, or a loss. The influence on decision making by the way in which the problem is asked or stated is called a framing effect, and can lead to irrational decision making and, consequently, poor value.

Figure 5.2 illustrates how the framing of a prospect impacts the value that is placed on the utility of expected outcomes.

The status quo serves as the reference point, which is indicated on the graph as Point A. Many choices involve decisions between retaining the status quo and accepting an alternative to it. Because prospects are evaluated in relation to the status quo, gains will be evaluated cautiously from a risk-averse point of view, and losses will be evaluated in a risk-seeking manner.

At Point B, further losses do not lead to a large decrease in value; however, comparable gains lead to a large increase in value. The person at Point B will risk small losses in order to obtain potentially large gains. This predisposition is referred to as the sunk cost effect. The sunk cost effect has two key aspects to it. First, people tend to have an overly optimistic probability bias, whereby after making an initial investment, the perception of that investment paying dividends is increased. Second, sunk costs appear to operate chiefly in those who feel personal responsibility for the investments that are to be viewed as sunk.

The sunk cost effect is often witnessed in the domain of public projects. Projects whose costs spiral wildly out of control are effective examples of this, where public officials refuse to

R I S K M A N A G E M E N T 153

Figure 5.2 The Effect of Prospect Framing on Risk Perception

cancel a project due to the large financial and political investments made, even though doing so would offer much better value to the public welfare.

Conversely, a person at Point C will be reluctant to risk even small losses for large gains. This is because losses tend to loom larger than gains, and therefore a decision maker will be biased in favor of retaining the status quo. This is termed the endowment effect—it explains the reluctance of people to part with assets that belong to their ‘‘endowment.’’

The sunk cost and endowment effects can bias how risks are perceived based on the current status of a project at the time of risk elicitation and can therefore influence the responses of participants. A project that is significantly behind schedule or over budget may bias the information elicited from participants, just as can a project that is significantly ahead of schedule or under budget.

RISK RESPONSE PLANNING

If we are ignorant of a project’s risks, then it is likely we will stumble upon them in the dark. Understanding the risks that have been identified allows the adoption of the proper framework for asking the right questions to address them. Throughout this book, the focus has been on enhancing our understanding of risk by identifying, assessing, and modeling risks through the process of developing a risk-based estimate. In this section, the focus will be on developing strategies to reduce the effect of these risks.

154 R I S K M A N A G E M E N T F O R D E S I G N A N D C O N S T R U C T I O N

‘‘If I had an hour to solve a problem and my life depended on the answer, I would spend the first 55 minutes figuring out the proper questions to ask. For if I knew the proper questions, I could solve the problem in less than 5 minutes.’’

—Albert Einstein

The quote above speaks to the importance of understanding the nature of a problem before solving it. Everyone is aware of the genius of Albert Einstein; however, much of his success can no doubt be attributed to his keen powers of perception and observation. If we express Einstein’s breakdown of problem solving, he suggests spending about 90 percent of our time studying the problem and only 10 percent developing a solution.

With respect to risk workshops, the authors would tend to agree that this distribution of time is pretty accurate when risk response planning is included. The point must be made that many risk workshops stop once the analysis has been performed and leave the subsequent steps of risk management up to the project team to contend with. This is akin to a physician diagnosing a patient’s ailments and then sending him out the door without a remedy. As the bewildered patient walks out the door, the doctor tells him, ‘‘Don’t worry, I’m confident you’ll find a cure!’’ If you were the patient under such a scenario, no doubt you would be both worried and upset.

The authors feel it is of vital importance that a risk workshop be comprehensive in nature and offer up potential solutions to the myriad problems they have identified and analyzed. This is the domain of risk response planning.

The processof risk response planning shouldaddress the identified and quantified risk events that could affect the project. The focus is on minimizing threats and maximizing opportunities. Risk response planning can occur as part of the primary risk workshop or scheduled as a follow-up workshop. Either way, it is essential that it be performed in a timely and planned manner.

The identification of risk responses requires an organized approach and methodology in order to provide the best results. The process can be broken down into the following steps:

■ Brainstorm response strategies—Assuming that some form of qualitative or quantitative analysis was performed, the project risks will have been prioritized either through a probability and impact matrix and/or tornado diagrams, as described earlier in this book. Beginning with the highest priority risks, a brainstorming session should be initiated to identify as many potential strategies as possible for each risk. Like any good brainstorming process, the emphasis should be on the quantity of ideas and criticism should be avoided. The most effective way to arrive at the best ideas is to have a lot of ideas. Depending on whether the risk is a threat or an opportunity, consider ways of implementing the various basic strategies identified in the following section of this chapter.

■ Evaluate response strategies—Once a large number of potential responses have been identified for each risk, the focus should shift to evaluation. Each potential risk response should be discussed and evaluated by the group. The response strategies can be rated numerically (i.e., on a 1 to 10 scale where ‘‘1’’ is poor and a ‘‘10’’ is excellent) or simply be given a ‘‘yes’’ or a ‘‘no.’’

R I S K M A N A G E M E N T 155

■ Develop response strategies—Those response strategies that are determined to have merit should be developed in detail. A narrative should be prepared discussing the details of the action plan and identifying responsibilities, timelines, and resources required to execute them. If a quantitative ‘‘postresponse’’ model is to be developed, the probabilities and impacts of the risk as modified by the response strategy should also be determined.

Risk Response Strategies

The actions available to address risks are based on the following risk response strategies to deal with threats:

■ Avoidance—The surest way to deal with a risk is to avoid it completely. There are a number of different ways to do this. One way is to modify the project scope.

For example, assume that a particular retaining wall possesses a cost risk related to the geological conditions. If the retaining wall is eliminated, the risk can be avoided completely. However, the project cost may need to be increased in order to acquire additional real estate to allow for the replacement of the wall with an embankment. The question then is: Will the cost to avoid this risk be less than its expected impact? If the answer is yes, then this may be a good strategy to adopt. Many risks identified early on in a project’s lifecycle can be avoided once additional information is developed.

■ Transference—Transferring a risk is a euphemism for ‘‘passing the buck.’’ In other words, the risk can be passed on to another party, perhaps one that is more adept at dealing with a specific risk. Generally speaking, there is usually a price to be paid to do this. It is very common to pass on some risks to the contractor. The success of this strategy largely depends on the contractor’s ability to assume and reduce the risk.

For example, on a subway project one of the authors was involved with, the owner determined it would furnish the tunnel boring machine (TBM) equipment to the contractor. The risk management team felt that there was a great deal of risk associated with this approach as the contractor could blame any productivity problems on the owner-supplied TBM and file a construction claim. One strategy to deal with this risk would be to transfer it to the contractor by requiring him to furnish his own TBM. Of course, this risk transference will come at a price, but the risk management team’s analysis indicated that the cost to do so was less than the expected impact of not doing so.

■ Mitigation—Risk mitigation is a strategy that does not prevent a risk, but rather reduces its probability and/or the severity of its impact. The appropriateness of risk mitigation is often related to the time in the project’s lifespan when it is considered. Often it is easier to mitigate for risks early on and more costly to do so later in the project’s lifecycle.

For example, assume that a roadway project will require an extended period of heavy construction within 10 feet of several residences. If nothing is done to deal with this risk, it is likely that the affected residents will file a lawsuit, increase project costs, and more significantly, delay construction indefinitely. A mitigation response strategy for this risk would be to begin negotiations with the residents to temporarily relocate them for a

156 R I S K M A N A G E M E N T F O R D E S I G N A N D C O N S T R U C T I O N

period of time, thereby eliminating the chance for lengthy project delays. This particular mitigation strategy would definitely increase project costs, however, it mitigates for the risk by reducing its severity, especially in terms of schedule impacts.

■ Acceptance—The last strategy is to simply accept the risk. This is a viable strategy and may be appropriate for risks that are very small, very unlikely, or very difficult to respond to in using one of the previously mentioned strategies. It should be noted that this strategy assumes ‘‘active’’ acceptance, meaning that the appropriate risk reserves must be set aside to accommodate the risk’s occurrence. In contrast, ‘‘passive’’ acceptance is simply to ignore the risk and hope it goes away—this approach is to choose not to manage the risk at all.

Often it is worth evaluating multiple strategies in dealing with risks, especially risks having a high expected impact. More often than not, the appropriate response is fairly self-evident. For larger projects, it is worth conducting a more comprehensive approach to developing risk response strategies by holding a value methodology (VM) workshop. In the authors’ experience, a combination of risk analysis and VM has provided a very effective means of reducing project risk. There are creative solutions to dealing with risks; however, time must be devoted to doing this.

We must not forget about the risks that present opportunities for it is equally important to maximize these, just as we want to minimize threats. The following is a list of risk response strategies that apply to opportunities:

■ Exploitation—Opportunities possessing very strong potential benefits should be actively exploited. This is done by enhancing the probability that the opportunity will happen, or better yet, ensuring that it will happen. Often adopting this strategy will require some investment of project time and money to achieve, but if the return on investment is there, it will probably be worth it.

For example, assume that an office building project has the opportunity to receive additional funding if it meets certain energy efficiency requirements. This opportunity could be exploited by making improvements to the building’s HVAC and insulation systems. The risk management team should analyze the costs necessary to meet the requirements versus the additional funding it can receive. If the return on investment is there, we can enhance our chances of getting the funding by spending the additional funds on the improvements.

■ Share—Sometimes an opportunity can be capitalized on if we share the benefits with others. This speaks to the old cliché of creating a ‘‘win-win’’ situation. Most projects have many stakeholders with different objectives in mind. Often a little collaboration can go a long way in maximizing opportunities.

An example of how to utilize the share strategy is through a value engineering incentive clause. Basically, this contract clause establishes a profit sharing mechanism between an owner and a contractor whereby the contractor is encouraged to develop cost saving modifications to the design. Cost savings are typically split, sometimes with the owner

R I S K M A N A G E M E N T 157

receiving the smaller share. The U.S. Army Corps of Engineers has been using this strategy for decades, resulting in millions of dollars in cost savings.

■ Enhancement—This strategy seeks to increase the probability of the opportunity of occurring and/or the degree of the resulting benefits. Enhancement is not always a sure thing, but often it can prove to be a worthwhile approach.

For example, assume an opportunity is identified during risk analysis that indicates that there is a chance that the type of environmental document that is required could be changed for a major highway project. If the type of review can be reduced from an environmental assessment (EA) to a negative declaration (ND), the schedule could be accelerated by three months. This opportunity could be further enhanced if impacts were avoided to a certain area on the project. This could require a modification to the project scope or perhaps additional analysis. In any event, the chances of this opportunity occurring can be enhanced if specific actions are taken to do so.

Documenting Risk Response Strategies

As mentioned previously, a risk response strategy should be thoroughly developed and doc- umented. Figure 5.3 provides an example of a risk response strategy for a highway project. It includes a description of the initial risk; the preresponse and postresponse probabilities and impacts; describes the initial risk response strategies; documents specific action plans describing how the strategies will be implemented; identifies the risk owner; establishes time- lines for the action plans, meetings, reviews, and/or critical decision milestones; and identifies implementation costs and/or schedule impacts to implement the strategy.

Updating the Risk Register and Model

The risk register should be updated once the various risk response strategies have been identified. If the RBES is being utilized as the project’s primary risk register, then it can be updated directly. Similarly, if a postresponse scenario is to be modeled, the adjusted probabilities and impacts should be identified as appropriate by the team. Examples of this process are provided in Chapter 6.

VALUE ENGINEERING AND RISK MANAGEMENT

In discussing risk response planning, there are other approaches that can and should be considered to enhance the quality and efficacy of identifying and developing risk response strategies. One such approach is known as value methodology (VM).

VM has existed under several different names over the years, such as value engineering (VE), value analysis (VA), and value management. There are no essential differences between these designations and they are, for all practical purposes, interchangeable. The term value engineering has been traditionally used whenever the value methodology is applied to industrial

F ig

u re

5 .3

E xa

m p

le R

is k

R e

sp o

n se

S tr

a te

g y

D o

cu m

e n

ta ti

o n

158

R I S K M A N A G E M E N T 159

design or to the construction industry; the term value analysis for concept planning or process applications; and the term value management for administration or management applications. Value methodology is the term most commonly used today and refers to the comprehensive body of knowledge related to improving value regardless of the area of application. Value methodology is formally defined as:

A systematic process used by a multidisciplinary team to improve the value of projects through the analysis of functions.2

Value methodology is an organized process that has been effectively used within a wide range of private enterprises and public entities to achieve their continuous improvement goals, and in government agencies to better manage their limited budgets. The success of VM is due to its capacity to identify opportunities to remove unnecessary costs from projects, products, and services while assuring that performance, and other critical factors, meet or exceed the customers’ expectations.

The improvements are the result of recommendations made by multidiscipline teams under the guidance of a skilled facilitator, commonly referred to as a value specialist. The multidiscipline teams can comprise those who were involved in the design and development of the project, technical experts who were not involved with the project, or a combination of the two. There are two essential elements that set VM apart from other techniques, methodologies, and processes:

1. The application of the unique method of function analysis and its relation to cost and performance

2. The organization of the concepts and techniques into a specific job plan

These factors differentiate VM from other analytical or problem-solving methodologies. VM is often confused with cost reduction; however, cost reduction and VM are distinctly

different. Cost reduction activities are component-oriented. This often involves the act of ‘‘cheapening’’ the item—that is, reducing cost at the expense of performance.

Value methodology, conversely, is concerned with how things function rather than what they are. This function-driven mindset demands a radical transformation in our perception; in the way we approach challenges, both old and new. This functional way of thinking is, by its nature, predisposed to lead us to innovative solutions by opening our eyes and deepening our understanding of how things work. This concept of function is the very essence of value methodology.

Typically, VE studies are conducted on a project at one or more points during its design development. They involve the use of independent, multidiscipline teams that are led by a skilled facilitator following a specific job plan. Traditionally, these efforts have been independent, preplanned events that do not involve risk analysis.

Basedonyearsofexperience,however, theauthorsstronglyrecommendthatriskassessment and VE be integrated. The two processes are a natural fit—risk assessment identifies and characterizes the problems while VE generates and develops the solutions.

160 R I S K M A N A G E M E N T F O R D E S I G N A N D C O N S T R U C T I O N

Integrating Value Engineering and Risk Response Planning

Thedisciplineofriskmanagement hastraditionally focusedontheidentificationandquantification of risk. This focus on problems, while it has indeed proven to be effective in improving decisions that involve uncertainty, often misses the mark with respect to identifying appropriate responses in an innovative way that maximizes project value. Value improvement relative to the management of risk requires that attention be given to project functions. The integration of function analysis into risk management provides a powerful means to do this.

Similar to most risk workshops, an integrated VE and risk assessment workshop utilizes a multidiscipline team composed of subject matter experts (SMEs) representing various areas of knowledge relevant to the project. In addition, it requires a facilitator who is also fluent with function analysis as well as other VE techniques. This may be the same person as the risk manager or a co-facilitator who will work in conjunction with the risk lead. It is important to note that a skilled facilitator with the necessary qualifications is important, as they will ultimately be able to best drive the process and achieve the desired outcome.

Although VE techniques can be applied throughout the risk assessment process,3 this book will focus on its use during risk response planning. It is recommended that practitioners consider the following approach to integrate function analysis with the traditional risk response planning process. The following steps comprise this integrated phase:

■ Risk Object Identification—The affected area of impact is best described by the risk object. The risk object is the area affected by the risk in relation to the activity or project function being impacted. It is effectively also the elemental nature of the risk that can be managed. The object of risk for each individual risk is identified and utilized as the management target for idea development for risk response strategies. The risk object is typically the noun from the impacted project or system function, which is comprised of a two-word abridgement of a verb-noun combination.

This activity is essential to the process as the articulation of risk event descriptions into simple, concise statements of risk comprised of no more than a few words helps to focus the team on the problem. It has been the authors’ experience that participants tend to lack focus on what the actual object of risk is—while there may be a lengthy, detailed description of the event, it is still sometimes difficult to distill a concisely described risk event. This lack of clarity inhibits the ability of the team to identify solutions.

■ Brainstorming of Risk Response Strategies by Function—The brainstorming of risk response strategies by function is a three-step process. The first step is to establish the risk object, which becomes the target element that can effectively be managed, and it is also the element to which a risk response will provide the most direct buffering of risk impacts. Second, brainstorming of risk response strategies are developed by identifying the risk response function. The risk response function is a verb-noun combination that describes the risk response strategy to be employed. Third, a brief description of each idea is provided for each response strategy. Throughout the process of brainstorming, each high and moderate priority risk should receive attention. Also, the brainstorming

R I S K M A N A G E M E N T 161

process includes identification of specific strategies in the form of the function/verb that are possible to use, depending on whether the risk is a threat or an opportunity. For threats, the following function verbs are possible: ■ Accept

■ Avoid ■ Mitigate ■ Transfer

For opportunities, the following function verbs are possible:

■ Enhance ■ Exploit ■ Share

Figure 5.4 illustrates the process of transforming a risk description into a function statement. The process is similar for both threats and opportunities; however, the verb selection varies, as described above. The activity provides a simple, concise problem statement that will allow participants to visualize many potential solutions rather than just one or two.

■ Evaluation of Risk Response Strategies—The evaluation of risk response strategies are brainstormed and evaluated to determine which responses provide the most relative value to either minimizing threats or maximizing opportunities. Each response strategy should be qualitatively evaluated in relation to this criterion. For example, each response strategy can be given a green check mark, a yellow exclamation mark, or a red ‘‘X.’’ The response strategies that have green checks become the risk response strategies that are developed in further detail. The yellow exclamation marks become fall-back strategies that could be put into place as efforts to manage the risk if the preliminary strategies are not working as

Figure 5.4 Converting Response Strategies and Risk Objects into Function Statements

162 R I S K M A N A G E M E N T F O R D E S I G N A N D C O N S T R U C T I O N

effectively as anticipated. The yellow exclamation marks also have the possibility of being developed as additional risk response strategies. The red Xs are deemed to be invalid or ineffective risk response strategies to utilize in the context of the project. Keeping the evaluationsimple isbest in this casesothat the time inthe workshopcanbe mosteffectively utilized. Figure 5.5 provides an example worksheet detailing the results of this process.

■ Development of Action Plans for Risk Response Strategies—The final development of the risk action plans involves a combination of several elements. This includes the assignment of the risk to key individuals or groups that are deemed to be best equipped to manage or deal with the risk by the risk assessment workshop team. Development of action plans also includes providing more detail around the risk response strategy selected in the form of developing specific actionable steps that can be followed in order to best manage the risk.

This is just a partial example of how VE can be integrated into the RBE process. Additional information on VM/VE techniques is available through the book Value Optimization for Project and Performance Management.4

Disaster Contingency Planning

Disaster contingency planning is a deterministic approach to risk response planning that assumes a threat will occur and seeks to identify contingency and/or recovery responses to deal with the aftermath. Contingency planning is an excellent approach to manage extreme events that could have significant and severe consequences for a project. These project-related Black Swans should be addressed in some fashion and should not simply be ignored as ‘‘uncontrollable.’’ While there indeed may be no control over such risks, there are always ways to help reduce the severity of their effects should they occur. This approach to risk response planning should be considered as a complementary form of planning that can be utilized as needed and appropriate.

Contingency planning is about ‘‘hoping for the best, but planning for the worst.’’ Contingency plans must be actionable—they cannot be so outlandish that they would never be implemented. They are best aligned with the ‘‘accept’’ strategy but are more fatalistic in that they assume that the risks will occur rather than treating them as uncertain events.

Contingency planning played a major role in U.S. foreign, domestic, and defense planning during the Cold War era. A great deal of time, money, and effort was expended in planning for nuclear war. The assumption in Washington was that it would happen—the challenge was to implement strategies to find ways for citizens and their governments to survive and rebuild in the aftermath of a nuclear war.

The Deepwater Horizon catastrophe discussed in Chapter 1 is an excellent example of the result of a lack of contingency planning. Had contingency plans been identified for such a disaster, it is likely that the size and extent of the spill would have been much smaller. To be sure, there are costs involved to implement contingency plans, however, in the case of Deepwater Horizon, it is likely that had either British Petroleum, or the oil industry as a whole, invested in

F ig

u re

5 .5

E xa

m p

le o

f a

R is

k R

e sp

o n

se B

ra in

st o

rm in

g a n

d E

va lu

a ti

o n

S e

ss io

n U

si n

g F

u n

ct io

n S

ta te

m e

n ts

163

164 R I S K M A N A G E M E N T F O R D E S I G N A N D C O N S T R U C T I O N

modest contingency and recovery plans, the cost would have been a mere fraction of the $20 billion placed in escrow to settle claims.

The authors were involved in a risk assessment for a very large project (over $1 billion). An elaborate quantitative risk analysis was performed for the project, which was very comprehensive in terms of the number and types of risks identified and assessed. Despite all of the effort put into the risk elicitation, modeling, and analysis, the project failed, and for reasons that lay completely outside of the model. The risk that doomed the project was the stock market crash of 2008, which caused a loss in the majority of funding, resulting in the cancelation of the project. This risk, obviously, could not have, nor should it have been, modeled. However, had some level of basic contingency planning been performed, a number of strategies could have been identified that could have salvaged and/or better utilized the project funds that had been allocated and spent.

RISK MONITORING AND CONTROL

Risk monitoring and control is concerned with the active management of risks following the previous five steps of the risk management process. The various activities included in this step include:

■ Tracking risks on the risk register ■ Identifying new risks and retiring old ones ■ Adjusting risk response strategies or developing new ones ■ Managing risk contingency reserves ■ Monitoring the execution and effectiveness of risk response strategies

This step continues throughout the remaining life of the project and is absolutely essential. This is the part of the process where the emphasis is on ‘‘doing’’ rather than ‘‘discussing.’’

Monitoring Risk

The process of monitoring project risks is the first component of this phase of risk management. There are a number of fairly basic components of this process. These include:

■ Identify who is the owner of the risk. ■ Identify who is responsible for monitoring the risk. For the purposes of this text we will call this person the task manager. The task manager will be responsible for tracking the effectiveness of the plan, identifying any unintended consequences, and making suggestions on mid-course corrections to further mitigate the risk.

■ Identify the nature and frequency which the task manager for each risk will report to the project manager (or whoever the designated risk manager is for the project).

■ Develop a monitoring protocol with respect to the form of these updates. It is a good idea for each task manager to submit their updated risk information to the project manager

R I S K M A N A G E M E N T 165

so he or she can update the master risk register. It is important to maintain a master document in order to ensure that all of the different updates coming from different sources are consolidated.

■ The project manager should distribute updates of the risk register to the risk management team as they develop, or establish a schedule for regular status updates (i.e., weekly, monthly, and so forth).

One of the most effective tools in monitoring risks and their responses is the development of a risk monitoring schedule. Figure 5.6 is an example of this. Essentially, each risk is added to a master schedule using scheduling software such as Primavera or Microsoft Project. The specific action plans identified in the risk response strategy documentation are noted and specific dates are targeted for processes, meetings, and key milestones. The vertical dark line indicates the last status update. The risk manager can use this tool to check with the various risk owners what the status is and hold them accountable for their responsibilities.

Anotherriskmonitoringapproachincludes thedevelopment ofariskmanagement information system, which is essentially a risk database. This approach is recommended for very large projects with many risks and/or many potential response strategies and action plans. The database structure is similar to that of a risk register; however, more detailed information can be maintained relative to schedule and status. Figure 5.7 shows a screenshot for a risk management information system developed for a highway project.

As risks are addressed during project design and delivery, the risk reserve fund (i.e., contingency) must also be managed as funds are allocated to implement specific risk response strategies and any risk-related cost or time impacts. This information should also be monitored as the project moves through its lifecycle and adjustments made as necessary.

Controlling Risk

Projects change as they move through their lifecycle. Sometimes these changes are radical in nature. It is therefore important to validate the risks on the risk register as the project evolves. For example, the project’s scope could change significantly or the schedule could change unexpectedly. In these cases, it will be necessary for the risk management team to reevaluate the risks.

It may be necessary to hold more than one workshop on large, complex projects; these should be included in the schedule to ensure that they are not delayed until the very end. There are three project milestones where this makes good sense. These include:

■ Concept development—Conducting a risk workshop at the end of concept development will be useful in finalizing the initial design approach. Sometimes, large risks emerge that were not initially identified. Usually the large ‘‘project-killer’’ type risks are identified at this stage. In such cases it is not uncommon for this to result in significant design changes or even lead to a switch to a different design concept.

■ Preliminary design—A risk workshop should be planned sometime during the preliminary engineering or design phase. The timing of this will depend on when, or if, a risk

F ig

u re

5 .6

E xa

m p

le o

f a

R is

k M

o n

it o

ri n

g S

ch e

d u

le

166

R I S K M A N A G E M E N T 167

Figure 5.7 Example of a Risk Management Information System

workshop was held at the concept design phase. A risk workshop held at this phase will generally identify numerous risks related to design development issues and includes things like schedule delays related to technical reviews, real estate acquisition, and uncertainties related to the design.

■ Final Design—It may be wise to conduct a risk workshop sometime during the final design phase. Such workshops are generally geared at focusing on construction- and contract-related risks.

Interim risk reviews should be scheduled on a regular basis between these major project milestones and during construction as necessary. Updates can be made as necessary to existing risks; modifications to ongoing risk response strategies can be implemented; identification of new risks and the development of new response strategies to deal with them can be exercised.

The National Cooperative Highway Research Program (NCHRP) identified a number of keys to success for cost estimating and risk management.5 These include:

1. Complete every step in the estimation process during all phases of project development.

2. Document estimate basis, assumptions, and backup calculations thoroughly.

3. Identify project risks and uncertainties early, and use these explicitly identified risks to establish appropriate contingencies.

4. Anticipate external cost influences and incorporate them into the estimate.

5. Perform estimate reviews to confirm that the estimate is accurate and fully reflects project scope.

168 R I S K M A N A G E M E N T F O R D E S I G N A N D C O N S T R U C T I O N

6. Employ all steps in the risk management process.

7. Communicate cost uncertainty in project estimates through the use of ranges and/or explicit contingency amounts.

8. Tie risks to cost ranges and contingencies as a means of explaining cost uncertainty to all stakeholders.

9. Develop risk management plans and assign responsibility for resolving each risk.

10. Monitor project threats and opportunities as a means of resolving project contingency.

SUMMARY

Risk response planning requires a concerted team effort in order to identify effective solutions that will adequately address the problems identified during risk assessment. Similar to risk assessment, risk response planning requires that sufficient time and resources be allocated. It is the experience of the authors that often the activities of risk response planning, monitoring, and control do not receive adequate attention. Returning back to the bridge metaphor in Chapter 1, risk assessment carries us only halfway across the river. Risk response planning, monitoring, and control are necessary to complete our journey.

The application of value methodology is a particularly effective vehicle for identifying and developing broad strategies and specific action plans to deal with risks.

One of the key tenants in effectively managing risks is assigning specific responsibilities to people and then holding them accountable. There is an old saying that states, ‘‘If it’s everybody’s job, it’s nobody’s responsibility.’’ This is especially true when it comes to effective risk management. Risks are abstract and ephemeral by nature and many people have a hard time taking them seriously because they either don’t believe they can happen on their project or, if they do, that they can be easily addressed. As was discussed in the previous chapter, there are numerous cognitive biases that further exacerbate this problem.

Effective risk management requires the same diligence as managing scope, schedule, and cost as unchecked risks are likely to have unexpected impacts to each of these areas.

ENDNOTES 1. A. Tversky and Daniel Kahneman, ‘‘Choices, Values and Frames.’’ American Psychologist 39 (1984), 341–350. 2. SAVE International Value Standard (2007). 3. R. Stewart and G. Brink, ‘‘Function Driven Risk Management.’’ Value World, Summer 2010, SAVE International. 4. R. Stewart, Value Optimization for Project and Performance Management. Hoboken, NJ: John Wiley and Sons, 2010.

5. National Cooperative Highway Research Program, Report 658, Guidebook on Risk Analysis Tools and Management Practices to Control TransportationProject Costs, 2010. Washington, DC: Transportation Research Board, 2010.