Project Initiation, Planning and Execution

MBA643

Project Risk, Finance, and

Monitoring

Workshop 5

How to manage project risk

Copyright Notice

COPYRIGHT COMMONWEALTH OF AUSTRALIA

Copyright Regulations 1969 WARNING

This material has been reproduced and communicated to you by or on behalf of

Kaplan Higher Education pursuant to Part VB of the Copyright Act 1968 (the Act).

The material in this communication may be subject to copyright under the Act. Any

further reproduction or communication of this material by you may be the subject of

copyright protection under the Act.

Do not remove this notice

Principles for managing project risk

In the past few weeks we have sought to provide

students with some concrete skills to assist in

selecting projects and assessing their financial

viability.

This week though we take a step back and look at

some of the key principles and processes in

managing project risk. These include:

• Risk planning

• Risk assessment

• Risk types and identification

• Risk handling and responses

Learning objectives

By the end of this week’s workshop students should

be able to:

• Describe and discuss the principles and

processes of risk planning

• Demonstrate an understanding of risk assessment

• Identify, explain, and discuss different types of

project risk

• Explain and critically assess how to handle or deal

with risk and identify and discuss specific risk

responses

Workshop activity Managing project risk

Working in small groups and drawing on you own

experience or understanding of projects and project risk

please list as many potential risks or threats as you can for

the following types of projects:

1. A large IT project

2. A government social policy project

3. A national health/medical records/data initiative

4. A international financial services project

Project risk planning

“You can observe a lot by just watching”

– Yogi Berra

Planning for risk involves paying attention. When we don’t watch, projects fail.

According to some research as many as 75% of all projects fail. This figure

from research completed in 1994 might be viewed sceptically, but what it

suggests is that a great many projects don’t succeed.

Most projects fail for three reasons:

• They are actually impossible to achieve

• They are over-constrained

• They are not competently managed

Source: Kendrick, T. (2015), Chapter 2, Planning for risk management

Project risk planning

To help manage and avoid risk, therefore, requires

planning. Project risk planning can be defined as the

detailed formulation of a program of action for the

management of risk.

It is the process to:

• Develop and document an organised, comprehensive,

and interactive risk management strategy

• Determine the methods to be used to execute a

program’s risk management strategy

• Plan for adequate resources

Source: Kerzner, H. (2013), p.720

The project risk management plan

A risk is any uncertain event that may affect you project. While not all risks

can be avoided or overcome, they can usually be managed or mitigated

by careful risk planning.

Risk planning is an iterative process that involves understanding and

identifying risks, analysing them, determining how to handle or respond to

them, and then monitoring them, before commencing the process over

again.

Perhaps the single most important output from risk planning is

development of the project risk management plan. Risk planning sets out

the risk management strategy and process, but the risk management plan

puts this in to practice.

The project risk management plan Like most forms of planning, there is no one, single way

to develop or create a risk management plan. There are,

however, several key areas that need to be addressed in

your risk management plan.

These are:

• Risk assessment – This is where broad issues are

identified and which are analysed in terms of their

consequences and the probability that they might

occur. (In Week Three we have already discussed how

to develop just such a risk matrix)

• Risk identification – This is where we try to identify

specific examples of project risks. At this point they can

also be categorised or grouped according to type.

• Risk handling and responses – This is where we determine how specific risks should

be handled or dealt with, what strategies we will use. We might also determine

classes of risk responses relating to groups or types of risk.

• Risk monitoring – In this final stage we monitor and/or measure the impact of

particular risks or risk events. The information extracted from this stage should feed

back into our risk planning activities.

Project risk management plan templates

Your risk management plan should focus on the four issues described above:

• Assessment

• Identification

• Handling and responses

• Monitoring (and measuring)

The precise layout of your risk management plan, however, and any additional information that you

might choose to include may vary depending upon your organisation or specific interests and

requirements.

Following are a number of risk management plan templates that you may find suitable when you com

to develop you own risk management plan:

• Risk management plan template No. 1

• Risk management plan template No. 2

• Risk management plan template No. 3

Workshop activity Project risk planning

In the previous slide we referred to the use

of templates in order to assist in the

development of an organisational risk

management plan. Using the templates

referred to above along with any others

you might locate please try to identify what

sort of information people might include

beyond the four key areas we have

already discussed. That is, assessment,

identification, handing, and monitoring.

What other things do people see as

worthy of inclusion in their risk

management plan?

Please take ten minutes to identify

information before spending a further five

to ten minutes to discuss it.

Risk assessment

Risk assessment is the broad term used to describe the overall process of

identification, analysis, and evaluation of risk. It involves considering risk in

terms of the probability and consequences of risk events, as well as other

possible considerations, such as the frequency of occurrence, the time to

impact, and the relationships to other risk events.

It can be a difficult and time consuming element of project risk

management, but it is also one of the most important.

There are a number of ways to assess and analyse risk. We will examine a

number of these next week, including:

• decision tree analysis

• scenario analysis

• sensitivity analysis

• break even analysis.

One key method, however, which we have already explored briefly is the

qualitative risk matrix.

Risk assessment The Risk Matrix

Risk assessment The Risk Matrix

Key elements of the risk matrix, therefore, include:

• The probability of a risk event occurring

Which is usually aggregated into between four or five groups ranging from rare to

almost certain. These group headings can also be further defined by a ‘historical’

description, such as “May occur, but only in rare circumstances”.

• The consequences of a risk event occurring

Which is usually aggregated into between four or five groups ranging from

insignificant to catastrophic. These group headings can also be further defined by

developing definitions which might be applied according to who or what might be

impacted, such as people, finances, data, the environment, etc.

• Response type and timeframe

Which is usually aggregated into three or four different organisational response

types, such as low risk, medium risk, high risk, and extreme risk. For each risk

response type an action would be determined which would reflect the seriousness

of the risk event and the timeframe in which the response should occur. The

response types are usually colour coded to demonstrate which risk events are most

serious and require most immediate attention.

Workshop activity Risk assessment

The Northern Sugar Alliance – SugarFree ©

The Northern Sugar Alliance operates a sugar mill in northern NSW. It has

recently decided to expand operations by introducing a new low GI, low calorie

sugar product. Management believes the product, SugarFree will be a market

winner as consumers search for lower calorific products which are still ‘all natural’.

The new product though requires a new refining process. This will mean the mill

will need to generate more power. There may be additional fumes and some

additional waste product which they plan to experiment using as a fertilizer on

adjacent farmland where cane is grown. All of this will require regulatory and

government approval. They will also need to borrow to make their expansion

happen, but they are confident that the business case supports their plans.

In groups prepare a number of different risk matrices. Each matrix should

try to identify a couple (either two or three depending upon time available)

of different response groups that might be affected by risk events. What

types of response groups can you think of that might be relevant in this

situation?

Risk identification The next key phase is the risk identification phase. At this time we seek to start to identify specific risk types or

risk events.

There are a number of methods or approaches that companies can use to do this. Such methods will include

information or data that is either objective or subjective.

Objective information/data (often in the form of quantitative data) includes:

• Recorded experiences from previous projects (this may exist in the form of what is known as a ‘risk register’

– a document that seeks to build up a dossier of historical project risks and the circumstances surrounding

them)

• Project or program reviews and evaluations

• Related project files and descriptions

• Performance data

Subjective (qualitative) information/data includes:

• Expert advice

(One particular method involving expert advice is referred to as Delphi Technique in which a team of experts

is consulted anonymously and provided with information briefings. Responses to the information briefings

are received and then sent back to the experts for further consideration until some degree of consensus is

achieved about the nature of perceived risks)

• Interviews and personal responses or experiences (where companies interview project participants and

stakeholders in an effort to identify potential risks)

• Brainstorming (usually in small groups involving project participants)

• SWOT analysis – Strengths, Weaknesses, Opportunities, and Threats (again, usually in small groups

involving project participants)

Risk identification

Many individual or specific risks fall under common risk categories. These provide a useful starting point to

identify precise risk events. Risk checklist categories include:

• Technical issues – do we have the technical capacities, what are the technical implications or linkages, is

there scalability, can we meet technical costs, are there additional technical fees or charges, etc.

• Costs – have we accounted for everything, how thorough are our cost projections, have we included

contingencies, etc.

• Scheduling – can we complete the project on time, have we produced a critical path, do we have

contingencies for scheduling overruns, what happens if we miss a deadline, are there costs involved in

missing a deadline, etc.

• Contractual – do we have appropriate contractual safeguards in place relating to supply chains, staffing, etc.;

what are the implications or costs associated with breaches of contract

• Financial – is the project budget sufficient, are our budget projections/predictions appropriate, do we have

contingencies, etc.

• Political – do we have all regulatory approvals, is the project politically acceptable, is there a chance the

project might be politically targeted, have we consulted widely enough with all relevant stakeholder and

interest groups, etc.

• Environmental – are there implications for the environment, have we accounted for environment protections,

do we have all necessary and regulatory approvals, etc.

• People – do we have the necessary staff to see the project through to completion, are there ongoing staffing

considerations, are there training issues or requirements, have we considered safety and occupational

welfare issues, etc.

Risk checklist categories

Risk identification Life-cycle risk analysis

Source: Kerzner (2013), p.723

A further type of risk identification is know as life-

cycle risk analysis in which broad types of risk

events are identified as relating to specific phases in

the project life cycle.

In the example above, four project stages are

identified: project approval, preliminary and detailed

planning, execution, and closure.

For each of these phases, generic risks have been

identified. As suggested by the accompanying graph.

In the early stages of the project the risks are high as

information and detail is low. As the project

progresses, however, as more is known and as

milestones are ticked off, total project risk falls.

Correspondingly, though, as the project nears

completion, as greater investments pour into the

project the commercial stake in the project

increases.

As each project phase is completed, the remaining

risks associated with each remaining phase become

more important and the dollar stake associated with

them becomes higher.

Risk identification

“The value in each of these approaches to risk identification

lies in the methodical nature of the approach, which forces

disciplined, consistent evaluation of potential risk issues. All

these approaches should be considered for each project,

and a mixture of approaches is likely to be superior to any

single method…Finally, it is important that all project

personnel should be involved in risk identification.

Designating a small subset of people to perform risk

identification almost always diminishes the results from both

a technical perspective and a behavioural perspective and

can lead to decreased risk management effectiveness.”

Kerzner (2013) p.727

Workshop activity Risk identification

The Northern Sugar Alliance – SugarFree ©

In the previous activity you nominated several different risk assessment

categories that the Northern Sugar Alliance might reflect on during their risk

management activities.

Building on the broad categories that you identified, given the scenario

provided and working in the same groups, students are now asked to try to

identify some specific risk events for each of the (two or three)

categories that you previously identified.

• Where possible try to think of risk events that fall under each of the relevant ‘consequence levels’.

• So, if you identified the ‘environment’ as one of your broad risk categories, now try to identify

an actual event that might fit within each consequence level, such as insignificant, minor,

moderate, major, catastrophic.

• Again, the idea here is not to demonstrate a detailed knowledge of sugar cane farming, but rather

to demonstrate an ability to begin to think in terms of project risks, risk levels, and potential risk

responses.

Risk handling and responses

For most types of project risk there are usually four (generic) possible

ways in which they might be handled. These are:

• You can try to avoid it

• You can try to mitigate it

• You can try to transfer it

• You can accept it

Risk handling and responses There are a number of factors that will influence what type of

response we adopt when dealing with or handling risk. These

include:

• The amount of quality information that is available about the

actual hazard that has given rise to the risk – what is known as

descriptive uncertainty

• The amount of quality information on the magnitude of any

potential damage – what is known as measurement uncertainty

• The existence of cost-effective alternatives – what are known as

equitable risks

• The existence of high-cost alternatives or possibly the lack of

options – what are known as inequitable risks

• The length of exposure to the risk

Source: Kerzner (2013) p.742

Risk handling and responses

Risk avoidance

The best thing you can do with a risk is avoid it. If you can prevent it from happening, it

won’t hurt your project. The easiest way to avoid falling off a cliff is to move away from

the edge. But walking away from the risk might not always be an option for every project.

Risk avoidance, perhaps more correctly, seeks to redesign project basics in order reduce

or limit the opportunities for risk. It might ask: Why do we need to be near the edge in the

first place. Can we achieve our goal without even being up the cliff? Almost by definition

then, risk avoidance is something that you do at the start of a project, something which

should become an integral part of the planning process.

Risk mitigation

If you can’t avoid the risk, you can try to mitigate it, or reduce its effects. This means

taking some sort of action that will cause it to do as little damage to your project as

possible. It is a form of risk management. It is a case where you are aware that risk

exists, but where you have taken steps to minimise the effects of that risk. This might be

done by early prototyping so as to understand what might happen in given

circumstances; design experiments, also as a means of understanding the nature of the

risks involved, and modelling or simulations. All of these activities can be time consuming

and can add to the costs of a project, but by developing an awareness of the risks you

can more effectively limit the effects which will almost certainly produce cost benefits in

the long run.

Risk handling and responses

Risk transference

An effective way to deal with a risk is to pay someone else to accept it for you – most of

us do this all the time. It is a kind of risk sharing. The most common way we transfer risk

is by taking out insurance. Other common types of risk transfer include the use of third

party contracts where external providers might take responsibility for a particular aspect

of a project. This is especially popular (and practical) where it is unlikely that you will

have all the necessary expertise to complete the project to the required standards.

Appropriately developed third party contracts can ensure that all the risks associated with

particular aspects of the project are the responsibility of an expert partner. Difficulties

usually only arise when the third party contracts do not adequately spell out exactly what

the expectations and obligations of all parties are.

Risk acceptance

Almost everything in life carries some degree of risk. When you can’t avoid, mitigate, or

transfer a risk, you simply have to accept it. But even when you accept a risk, at least

you’ve looked at the alternatives and you know what will happen if it occurs. If you

understand the nature of the risk you can plan for its eventuality, and this will likely help

you reduce its ultimate impact or severity.

Workshop activity Risk handling and responses

Risk monitoring

One final project risk management activity relates to the

monitoring and evaluation of project activities and data.

Systematically monitoring, tracking, and measuring project

activities and results using established metrics and against

articulated objectives and standards is essential for ensuring

that the project remains on track.

Monitoring results can also provide the basis for developing

additional risk handling strategies, or updating existing risk

handling strategies and re-analysing known risks.

Risk monitoring

Risk management indicator system

Costs Performance Scheduling

Behind target Behind target Behind schedule

On target On target On schedule

Ahead of target Ahead of target Ahead of schedule

The key function of risk monitoring processes is to establish a management indicator

system that keeps track of:

• Costs

• Project performance

• Scheduling

The indicator system might offer visual cues and reporting on whether the project is

meeting or falling behind expected milestones. These cues might suggest what areas are

on target, what areas are behind target, and what areas are ahead of target.

The aim of the management indicator system is to provide an early warning of potential

problems in order to allow or trigger management action.

Risk monitoring

Risk management indicator system

Each monitoring area should be underpinned by acknowledged

performance measures or metrics. For example:

• Cost measures might include budget forecasts against actuals, and

actual income and expenditure against forecasts. It might track

supply chains, labour, and hours worked.

• Performance measures might include staff appraisals, the ability to

meet technical specifications and standards, regulatory

accreditations, and stakeholder feedback and input to determine

whether the project is achieving its objectives.

• Scheduling measures might include critical path analysis and project

performance against GANTT or PERT charts to ensure that

milestones are met.

Workshop activity Risk monitoring

In the previous slides we introduced the concept of the ‘risk

management indicator system’. We suggested that the three key

areas for monitoring were costs, performance, and scheduling.

We also provided a number of examples for specific metrics that

might be used to assess performance in these areas.

In groups identify as many additional metrics for these

monitoring areas as possible, then discuss them with the

class. You can use internet research.

Do you think some are more valuable than others? Is there

one particular metric that you think should always be

included?

Next Week

In our next week we will spend time looking

specifically at how we analyse and model project

risk when we examine several key functions.

These include what are known as:

• Break even analysis

• Scenario analysis

• Sensitivity analysis

• Decision tree analysis