Transcript
Project Management
Chapter 3: Project Risk Management
Introduction
The project manager must:
Manage risk through the project life cycle
Identify the present risks in the project and in the environment
Transfer or reduce unacceptable risk
Set up monitoring and control systems to manage residual risk
Risk analysis is a basic function of the human cognitive process, where the human mind considers a risk as a form of model in which possible events and outcomes are considered in terms of possible actions, and then compares possible gains and losses and makes a subjective decision
Background to risk:
Risk management evolved with the design and development of the first commercial nuclear reactors for electricity generation in the US and UK in the 1950s
Risk, in our context, is a measure of the probability and consequence of not achieving a specific project goal. It therefore depends on both the likelihood (probability) of an event occurring and on the consequences (impact) if that event should occur.
First-level equation for risk: Risk = f(event, uncertainty, consequences)
When the probability of an event occurring is impossible to calculate, an assessment of the necessary safeguard is required instead:
Second-level equation for risk: Risk = f(event, hazard, safeguard)
Where hazard: source of danger, and safeguard: defence/mitigation against the hazard
The impact and probability of risk can be considered in terms of the exposure of the organisation and the organisation's sensitivity to a particular risk profile
Exposure: a measure of the vulnerability of parts of the organisation to risk impacts
An organisation is exposed to risk when a realised change in a variable within a given time scale will result in a change in one or more of its key performance indicators
The greater the potential change in performance, the greater the exposure
A measure of the vulnerability of the organisation
Sensitivity: A function of three elements:
1) Significance (severity) of the organisation's exposures to the realisation of different events
2) Likelihood of different events occurring
3) Ability to manage the implications of these different events
Sensitivity is therefore a measure of likelihood and impact, modified to some extent by the ability of the organisation to manage these variables
Having an effective risk management programme implies better possibilities of taking advantage of risky opportunities in the marketplace
Risk is inevitable and can lead to both positive and negative outcomes, and it raises the need for an effective way of managing risk to make sure it is effectively addressed and used.
A decision maker operating under conditions of risk will be concerned with:
What can go wrong with the project?
What are the possible outcomes of these risks?
Where do these risks and consequent outcomes originate?
Do we have control over these risks and if so are we using it?
Are the risks and consequent outcomes in any way related?
What is the degree of exposure of the organisation to these risks?
How sensitive is the organisation to each degree of exposure?
Do these risks affect the achievement of the overall strategic objectives of the organisation?
What response options do we have?
What contingencies and emergency responses are in place?
Can we match the worst-case scenario?
If not, which scenario reaches the limit of our response abilities?
What is the potential reward associated with each risk?
Are we prepared to accept a risk and corresponding outcome that is beyond our limits to absorb?
In addressing these questions it is advisable to consider a number of facts about risks in general:
All aspects of life and enterprise are subject to risk
Not all risks can be eliminated. Monitoring and control systems must effectively try to manage residual risk
The potentially most profitable opportunities usually carry the most risk
Accepting high levels of risk can intimidate the competition
Risk management allows opportunities and associated risks to be analysed and therefore acts as an aid to decision making
Risk management operates at different levels. Strategic planners consider strategic risk, while operational managers consider operational risk. In addition, emergency risk and unforeseeable risk must be considered at all levels
Single risks should not be considered in isolation, because there may be intrinsic links between the various risk levels. Operational risk directly affects strategic risk
The human cognitive process
Pattern recognition and attention:
People make decisions in relation to perceived risks and rewards, and each situation may be perceived differently by different people concerning the different possible effects of the risk event
In assessing risk the human cognitive process involves different stages:
1) Pattern recognition:
The brain takes incoming information and stores it temporarily at a superficial level
It then compares that information to previously stored information in order to make an assessment of what the new information represents
2) Attention:
Acts as a kind of filter that filters out any unnecessary information so that only information relevant to the decision is considered
3) Memory:
Short term memory stores the basic pattern recognition information
Once interpreted and after subjective assessment through attention, any relevant information is stored in the long-term memory
Some information becomes permanently fixed in the long-term memory
Bounded rationality
An approach to information processing, based on the philosophy that a being will generally opt for rational behaviour within constraints
Most cognitive processes will be based on reasoning, and therefore logical and rational outcomes, based on pattern recognition and learning, will be preferred to illogical and irrational ones
The decision maker within bounded rationality therefore looks at all possible actions and all possible outcomes and separates outcomes into acceptable and unacceptable outcomes. The decision maker then rejects any action that leads to unacceptable outcomes and considers those options that lead to acceptable outcomes
Acceptable outcomes can be considered as goals of the decision maker
Decisions are then made based on past experience and current information
Risk forecasting and prediction momentum
Bounded rationality therefore uses knowledge of past events to assess a current risk in making a decision. This assumes that acceptable outcomes in the past will continue to be acceptable outcomes during the current evaluation process
This is the concept of risk forecasting, which is:
Based on experience
As much subjective as objective based
Possible to subject it to complex modelling as in chaos theory, but not restricted to complex mathematical modelling
An area that is perhaps best evaluated using a combination of modelling and subjective approaches
Based on using data from past experience in order to allow extrapolation as basis for predicting future trends
In other words, what happened in the past will happen in the future unless something happens to change it (prediction momentum)
In developing a forecast, a decision maker uses a two-stage process:
Infers what the future is like before the proposed action
Infers what the future will be like after the proposed action
Important considerations regarding forecasting:
Accurate data: any forecasting technique is only as accurate as the data used in developing and operating it.
Time limits: the accuracy of a prediction is generally a function of the time scale required. The longer the time scale, the more difficult it is to make accurate predictions
Cost: Detailed and complex forecasting is a labour-intensive task
Vision: Intuition and bias are powerful influences on any forecasting application, and it can be very difficult to erase them from the equation. It is nevertheless important that the project manager attempts to predict future events, although this may be very difficult.
Intuition and bias
Intuition is a combination of experience and extrapolations forward. It is an example of pooled interdependency within the cognitive process
Intuition can be both individual and organisational, because organisations store and use collective experience in the same way as individuals
Bias is the tendency for a person or group to misinterpret data or observations because of their own perceptions or outcome preferences
The decision model
Analysis and synthesis of a problem form a 4-stage process:
1) Framing
Allows the decision maker to avoid working on the wrong problem
It configures the cognitive process to work at the correct level.
Once the problem has been identified, the various components of the problem are evaluated
2) Formulation
Provides a formal model based on the decision maker's problem, and uses the development of a decision basis, which comprises 3 parts:
1) The alternatives available: clear, specified or detected
2) The relationship between the possible decisions and outcomes
3) The preference of the decision maker
3) Evaluation
Involves a synthesis of all the data in order to establish a ranking order of options
4) Appraisal
Examines the sensitivity of the decision and the effects of risk on the ranking order
Risk handling
Classical risk-handling philosophies include:
1) The Bunker approach:
Decision makers using this approach try to allow for every possible risk, assume the worst-case scenario, and price accordingly.
The end result is a very expensive initial estimate of the project
This approach is often used in high-quality projects where consequences of failure are significant
Advocates are sometimes known as “what happens if” people (WHIF)
2) The Ostrich approach:
This approach assumes that everything will be alright, sometimes known as “All Goes According To Plan” (AGAP), and is the antithesis of the WHIF approach
Does not make provisions for possible problems or divergences from the desired course
3) The “gut reaction” approach:
Sometimes used by experienced decision makers, such as market traders
Uses a combination of experience, knowledge, extrapolation and subjective assessment
Not normally recommended for everyday risk handling
4) The aggressive approach:
Assumes that uncontrollable risks can be managed and controlled by pure aggression and determination
Risk assessment and control
The risk assessment process acts as a means of evaluating the residual risk so that some form of monitoring and control system can be established
Risk management is a strategic approach, and risk assessment and control therefore has to form a part of a long-term operational process.
Risk assessment is part of the collective risk analysis process:
Risk analysis involves determination of the probability of individual risky events occurring and also establishing some measure of the potential consequences of each event occurring, together with some kind of monitoring and control system
Risk handling is the process of dealing with risks
Risk feedback is the process where the results of occurred risks are analysed and any results and items for use in future strategies are fed back into the system
Risk analysis, handling and feedback are often referred to collectively as
Risk control
Effective risk management
Elements of risk assessment
Is about identifying and assessing all potential risk areas within the project, and is probably the most difficult phase of the project risk-management process
Risk has been defined as a combination of uncertainty and constraint
Constraints are often difficult to remove
Uncertainty comprises almost every aspect of project, and therefore only those areas with the most severe constraints and greatest uncertainty
Elements of project risk assessment
Elements of risk control
Involves the thorough investigation of the entire project and will include reviewing the project's plans, documents and contract to identify all possible areas where there may be uncertainty or ambiguity about what is proposed or the method through which objectives are to be achieved
The constraints inherent in the project must underpin all these investigations and should be considered
The performance of individual sections where risks have been identified is then monitored to ensure that risk is being minimised and to control any changes in the level of risk
Risk control is particularly important in monitoring the evolution of risks, because risks often change over time
Activities on the project's critical path should come under particular scrutiny because any risk to the successful and timely completion of these will impact on and compromise the completion schedule of the project as a whole
Risk identification
Any person's perception of risk may depend on:
Where the individual is in the organisation
The power level of the individual
The immediate area of authority of the individual
The responsibilities of the individual
For any risk, there is a cause and an effect, and for any risk there could be various possible causes or sources. Some sources are easier to see beforehand than others, and some risks are more controllable than others
Risk identification can also be linked to the project's life cycle, and generally project risk will diminish as the project progresses. This is because more and more information becomes agreed and the scope for changes resulting in risk is reduced
Changes in later stages may however occur, often at significant cost
Project and strategic risk
Project risk: limited to those aspects of risk that are considered entirely in relation to the project. Examples are:
Delays caused by bad weather
Errors in specific contract documents
Cost increases caused by changes in individual supplier prices
Day-to-day breakdown of plant and equipment
Individual absenteeism or labour problems
Strategic risk: applicable more to the long-run
Are more difficult to manage than project risk. Examples:
Variations on competitor behaviour
Changes in the economy
Impact of IT and new technology
Strategic risk is concerned with variables that can affect the progression and development of the organisation in its attempt to move from its current position to the desired position
Types of risk
1) Strategic risk
Risk relating to the long-term performance of the organisation
Variables include markets, corporate governance (ethics) and stakeholders (shareholders, business partners, customers and suppliers)
2) Operational risk
Includes the process itself, the asset base, the people within the project team and the legal controls within which the organisation operates
Project risk is one type of operational risk
The process of operational risk management includes the product itself, its suitability for market demand, marketing, sales and delivery
3) Financial risk
Includes market, credit, capital structure and reporting risks
4) Knowledge risk
IT hardware and software, information management, knowledge management, and planning
5) Catastrophic risk
Risks that cannot be predicted effectively and therefore cannot be quantified accurately. Usually covered by contingencies and reserves
These types of risk are all linked to some extent
Market risk and static risk
Market risk (business risk or dynamic risk)
Concerned with both positive and negative values (outcomes, gains/losses)
Market business risk is primarily concerned with the risk to all stakeholders within the company, while market financial risk is restricted to equity holders
Market risk is measured by changes and variations in the general marketplace, and is therefore unavoidable
Examples: share floatations, competitor activities, R&D investments, new product releases and general economic activity
Market risk can be split into two components:
Market business risk (MBR): caused by asset trading, and risk is distributed among shareholders, creditors, employees and all other stakeholders
Market financial risk (MFR): caused by the gearing ratio of the organisation, and measures the risk of dividends falling to zero
Static risk (specific risk or insurable risk)
Considers losses only, and seeks to minimise problems or losses at a given level
Examples: fire insurance, third party and public liability insurance, tortious liability insurance, personnel insurance and other forms of insurance
Specific risk can also be reduced by mergers and acquisitions, where the specific risk of the company is diversified across a wider range of business areas
External and internal risk
External risk: risks over which the organisation has little control
Competitor risk:
Behaviour and actions of competitors that can affect the performance and revenues of the organisation
Market demand risk:
Variations in customer tastes and preferences and consequently demand for the products and services of the organisation
Innovation risk:
For many products today, consumers expect rapidly developing technology and release of new products. It may be significant for the organisation if it is not able to deliver.
Exposure risk:
Gearing levels can affect the way the organisation can adapt to changes in the environment
Shareholder risk:
A firm that depends on shareholder equity depends on satisfied shareholders who receive their annual dividends
Political risk:
Government fiscal policy and the consequent performance of the economy can affect the performance of the organisation
Statute risk:
Governments changing statutes and regulations can also affect the profitability of companies.
Impact risk:
The ability to withstand risk impacts depends on the exposure of the company risk profile and the sensitivity of different sectors of the company to that impact
Internal risk: originate from within the organisation
Operational processes risk:
Human resources availability risk
Production capacity risk
Time-based competition risk
Variations in customer demand risk
Process failure risk
Health and safety compliance risk
Tactical response risk
Change risk
Financial risk:
Borrowing risk
Cash flow risk
Equity risk
Concentration risk
Collateral (security) risk
Opportunity loss risk
Opportunity cost risk
Exchange rate risk
Management risk:
Management error risk
Leadership risk
Outsourcing risk
Strategy implementation risk
Communications risk
IT and technology risk
System obsolescence risk
Breakdown and failure risk
Fraud risk
Malicious virus risk
System compromise risk
Capacity limit risk
Predictable and unpredictable risk
Predictable risk: known unknown risks
Unpredictable risk: unknown unknowns
Risk conditions and decision making
The conditions under which decisions about risk are made are crucial to the success of the outcome
1) Conditions of certainty:
The outcome is known and foreseeable from the information that is available to the decision maker
The decision maker knows with 100% certainty what the outcome will be
2) Conditions of risk:
There is a reasonable probability that an event will occur and where some kind of assessment can be made. (known unknown events)
Most risk management and decision making take place under conditions of risk
In the decision making process probabilities are assigned to each individual state of nature
3) Conditions of uncertainty:
Apply when it is not possible to identify any known events (unknown unknown)
Not possible to predict outcomes with any accuracy
“Risks are insurable, while uncertainties are not”
Under conditions of uncertainty it is not possible to predict what state of nature will apply, and one of several uncertainty criteria may apply:
Hurwicz Criterion (maximax):
The decision maker is always optimistic and seeks to maximise profits by an all-or-nothing approach. The decision maker is not concerned with potential losses
Based on maximising profits at the risk of maximum loss
A high-risk strategy for decision making
Wald Criterion (maximin):
The decision maker is pessimistic and seeks to minimise losses, and will only consider minimum profits
Used when the company cannot make a loss
Savage Criterion (minimax):
The decision maker is a bad loser, and therefore attempts to minimise the maximum regret. The maximum regret is the largest regret for each strategy and the largest regret is the greatest difference within a state of nature
The total regret values represent the difference between the maximum possible outcome and the minimum possible outcome within a given state of nature
Laplace criterion:
Attempts to convert decision making under conditions of uncertainty into decision making under conditions of risk
Subjective probabilities are assigned to each possible outcome
Objective probabilities are based on long-term frequencies of occurrence
Subjective probabilities are based on the degree of belief or confidence experienced by the decision maker
Subjective probabilities can be deduced by comparing the required risk with a hypothetical risk
The Laplace Criterion assumes that Bayesian theory applies, which states that if the probabilities of each state of nature are not known, they can be assumed to be equal. The probability of each nature is therefore the average pay-off value
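The four uncertainty criteria above applied to one pay-off table, as an added example that is not part of the original slides. The strategy names, states of nature and pay-off values are constructed; regret is computed with the usual definition (best pay-off available in a state minus the pay-off obtained), and hurwicz() goes slightly beyond the text by taking an optimism coefficient alpha, where alpha = 1 is the maximax case described above and alpha = 0 is the Wald maximin case.

```python
# Added example: decision making under uncertainty with a constructed
# pay-off table. Rows are strategies, columns are states of nature.
# All names and numbers below are illustrative assumptions.

STATES = ["Strong demand", "Average demand", "Weak demand"]

PAYOFFS = {
    "Build in-house": [120, 40, -60],
    "Outsource":      [80, 50, 10],
    "Defer project":  [20, 20, 20],
}


def _check(payoffs):
    """Every strategy needs one pay-off per state of nature."""
    widths = {len(row) for row in payoffs.values()}
    if not payoffs or len(widths) != 1 or 0 in widths:
        raise ValueError("pay-off table must be rectangular and non-empty")
    return widths.pop()


def hurwicz(payoffs, alpha=1.0):
    """Weight best and worst pay-off; alpha=1 is maximax, alpha=0 is maximin."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha must lie in [0, 1]")
    _check(payoffs)
    score = lambda s: alpha * max(payoffs[s]) + (1 - alpha) * min(payoffs[s])
    return max(payoffs, key=score)


def wald(payoffs):
    """Maximin: choose the strategy with the best worst-case pay-off."""
    return hurwicz(payoffs, alpha=0.0)


def regret_table(payoffs):
    """Regret per cell = best pay-off in that state minus pay-off obtained."""
    n = _check(payoffs)
    best = [max(row[j] for row in payoffs.values()) for j in range(n)]
    return {s: [best[j] - row[j] for j in range(n)]
            for s, row in payoffs.items()}


def savage(payoffs):
    """Minimax regret: choose the strategy whose largest regret is smallest."""
    regrets = regret_table(payoffs)
    return min(regrets, key=lambda s: max(regrets[s]))


def laplace(payoffs):
    """Equal probability for every state: choose the best average pay-off."""
    n = _check(payoffs)
    return max(payoffs, key=lambda s: sum(payoffs[s]) / n)


def evaluate(payoffs):
    """Run all criteria and return the chosen strategy for each."""
    return {
        "Hurwicz (maximax, alpha=1)": hurwicz(payoffs, 1.0),
        "Hurwicz (alpha=0.5)": hurwicz(payoffs, 0.5),
        "Wald (maximin)": wald(payoffs),
        "Savage (minimax regret)": savage(payoffs),
        "Laplace (equal probability)": laplace(payoffs),
    }


if __name__ == "__main__":
    for strategy, row in regret_table(PAYOFFS).items():
        print(f"regret {strategy:15s} {dict(zip(STATES, row))}")
    for criterion, choice in evaluate(PAYOFFS).items():
        print(f"{criterion:30s} -> {choice}")
```

The same table yields three different choices depending on the criterion, which is the practical point of the list above: the decision maker's risk attitude, not the data alone, selects the strategy.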
The need for a risk management strategy
A risk management strategy needs to align strategy, production, human resources, technology, leadership and knowledge
It needs to cross functional and project boundaries and unite all sections of the organisation in the envelope of Total Strategic Risk Management (TSRM)
As with TQM, TSRM has to reach all sections and has to be forward looking and predictive instead of just reactive
TSRM has to consider all key performance indicators of the organisation, both static and dynamic
TSRM must be developed alongside, and be integrated with, strategic planning and management
The concept of risk management
A risk management system aims to identify the primary risks that an organisation is exposed to, so that an informed assessment can be made and proper decisions made to safeguard the organisation
A risk management system should be:
Practical
Realistic
Compliant with internal and external standards
Cost-efficient
Risk management
Most risk management systems contain 5 distinct areas:
1) Risk Identification
Concept of finding all risks that are likely to impact on a given project and explore the linkages and interdependencies between them
This builds up a picture of a risk profile
Risk identification is the starting point for the whole risk management process, and it is therefore necessary that it is thorough and detailed and accounts for all project aspects and their inherent risks
Risk philosophy
Project cost, time, quality, status and resource risk
Technical risk
Production risk
Engineering risk
Not all risks are high impact, high probability, but the cumulative effect can be similar to a high impact risk
There are several established risk identification typologies for project risk:
Internal risk: identified by using a WBS
External risk: relate to factors such as interest rates and levels of economic activity, which are difficult to identify and evaluate
Project risks: These overlap internal and external risks, and are a feature of the specific project and of the administration and control techniques applied within the project environment (OBS, team membership, leadership, communications)
Overall risk can therefore be considered as a combination of these 3 sources of risk
Risk sources can often be identified in terms of objective and subjective sources:
Objective: sum total of past experience on past projects in relation to current project
Subjective: sum total of current knowledge based on current experience
It is important that the identification process is concerned with the source of risk rather than the event itself or the effect. This is because the risk taker can do something about the sources of the risk, but not very much about the event or the effects
The most obvious and widely used method for risk identification is brainstorming, where as many people as possible look at the project scenario and try to identify as many risks as possible. These include internal, external and controllable, uncontrollable, and all other forms of risk that can affect the project
Brainstorming:
Phase 1: The creative phase
Phase 2: Evaluation phase
2) Risk Classification
Most work on classifying risk is linked to so-called portfolio theory, which considers risk classification from a financial point of view and the beta-coefficient
Primary classifications: Market risk vs. Static risk
A 3-level classification system is suggested:
1) Risk type
2) Risk extent
3) Risk impact (maximum loss, cost of loss, cost of covering the loss, insurance cost, reliability of predictions)
Risk types and impacts
3) Risk analysis
Risk analysis is based on the identification of all feasible options and data relating to the various risks and to the analysis of the various outcomes of any decision
Risk analysis comprises 6 basic steps:
1) Evaluate all the options. All factors that affect the risk, brainstorming
2) Consider the risk attitude of the decision maker
3) Consider the characteristics of the risks: controllable? impact?
4) Establish a measurement system: qualitative or quantitative, or combined approach
5) Interpret the results/prediction
6) Make the decision: which risks are to be retained and which are to be transferred to other parties
Risk map: A risk map simply shows individual isolated risks on an axis of probability of occurrence against impact
Basic risk map
Quadrant 1: High impact, high probability: dangerous risks which cannot be survived over the long-term. Immediate action is required
Quadrant 2: High impact, low probability: require close attention and are typically driven by external factors beyond management control. May be generally insurable and require contingency planning
Quadrant 3: low impact, high probability: often relate to day-to-day operations and compliance issues. Left to accumulate, these risks can equate to the risks of quadrant 2.
Quadrant 4: low impact, low probability: not of sufficient stature to allocate specific resources, and represent areas that could be outsourced
A risk map is dynamic and can be used to trace the development of risks over time, and can therefore be used as planning tools (current risk map vs. target risk map) (Target risk including those internal and controllable)
Risk mapping is a fundamental tool, and its usefulness lies in its flexibility. It is by far the most used tool for risk classification and, to some extent, for risk identification. It can be closely linked to the OBS and the WBS, and the TRM that acts as the link between OBS and WBS.
Risk map with variability limits
Risk grid: an alternative to the risk map
The form of the risk grid depends on: probability of risk occurring and impact, and the risk attitude of the risk taker
Risk grid
(Rows: probability. Columns: severity.)
Probability | Low            | Medium         | High           | Catastrophic
Negligible  | Retain         | Retain         | Retain         | Retain
Unlikely    | Retain         | Retain         | Part insurance | Part insurance
Average     | Retain         | Part insurance | Full insurance | Full insurance
Likely      | Part insurance | Full insurance | Full insurance | Cease activity
Inevitable  | Full insurance | Cease activity | Cease activity | Cease activity
4) Risk attitude
Much risk evaluation is subjective and therefore dependent on the risk attitude of the risk taker and the perceived level of risk faced
Risk takers can be:
Risk seeking
Risk neutral
Risk averse
Risk attitude is also dependent on the type of setting the decision is made:
A group will accept more risk than an individual
A multidisciplinary group will take even more risky decisions
All teams tend to take more risky decisions the longer they are together as a team.
5) Risk response, control, policy and reporting
Risk response: the response depends on the nature of the risk, the detail of the analysis and the attitude of the risk taker
Variables that affect risk response:
Company policy
Lack of relevant information on cause and effect
Length of time of exposure to the risk
Individual vs. team interests
Involuntary risk (acceptable risk)
Alternatives (cost/non-cost effective)
The risk response may sometimes be determined by contract requirements
Risk response basically centres on risk distribution which depends on:
Is the outcome of the project worth the risk?
Who (which party to the contract) has the greatest risk control?
Who has the greatest risk liability? (Most EU legal systems put the onus of risk on the party who would be least affected by it occurring)
What incentive does each party have? (It is generally prudent to maintain at least some interest in the risk for both parties)
Response options:
Risk retention
Uninformed risk retention is a high risk strategy
In general, risk retention applies to low impact, low probability risks
Example: manufacturers retaining the risk of a 5% defect rate, but allowing this risk to be transferred back by a guarantee or warranty
Risk reduction
Risk reduction by:
Engineering it out
Training and development
Redefining aims and objectives
Risk reduction falls into 4 categories:
1) Education and training (driving more slowly)
2) Physical protection to reduce likelihood of loss (designing a robust vehicle)
3) Systems for contingency and WHIF considerations (side bags and roll-bars)
4) Physical protection to people and property (buying a high-safety car)
A risk-reduction matrix comprises 3 categories: risk, how to reduce probability, how to reduce impact
Risk transfer
Contractual clauses (damages clauses) or through negotiation
Most common: insurance contracts
Relevant factors to insurance:
The insurability of the risk
The cost of the insurance premium
The maximum probable loss (total cost if risk occurs)
The likely cost of the loss
The likely cost of paying for the loss if left uninsured
Risk avoidance
Involves removing the risk in all forms from the project
Normally associated with pre-contract negotiations
Seeking additional information on the risk
Risk control, policy and reporting
Risk control is the process of using the information that has been learned on a project to assist in the later development of the project. The storage and classification of learned information is crucial to any risk management system
Risk control also involves monitoring risks that have been dealt with at a previous stage, to ensure the characteristics of these risks do not evolve
Experience with risk and risk management is often documented into a “risk handbook”, which may be incorporated into the organisation's “best practice” documentation
There must also be frequent reporting on high impact, high probability risks present
Risk reports should be produced to a time-table and be controlled by an overall strategy, with the frequency depending on the significance of the risk
A risk policy establishes a number of elements:
Overall aims and objectives concerning risk (overall and specific)
Accountability for individual managers
Established through a TRM
Formalised reporting channels
Risk tolerances (direct variance envelope)
Authorisation procedures
Risk, contracts and procurement
A contract is a classic way of managing risk, and is simply a formal agreement between two parties which records the rights and obligations of each party to the contract
It is a tool for risk transfer and mitigation
When risk is transferred to contractors and suppliers, their tender price will be higher to reflect the increased risk
A contract will also reduce potential conflict in that responsibilities and obligations have been agreed in the contract
Reasons for conflict or disagreement include:
Inadequate and defective contract documentation
Inappropriate contractual arrangements
Incorrect estimating and pricing
Unreasonable risk as allocated by the contract
Breakdown in personal communication
Insolvency
Interface management system problems
Vague or unclear contractual terms
Ambiguous specification
The main consideration in terms of contracts and contract law, is commensurate risk, which is an obligation when accepting a contract
Commensurate risk is the risk of being unable to fulfil the obligation or duty because of one’s own inadequacy, incapacity, inadvertence or error, or because of interference from outside events and sources
Within any contractual agreements, the contract defines only the ground rules. The execution of the contract depends on goodwill, intent and the relationship between the parties
Basic contract theory:
Typical contract documents include items as follows:
The signature block and project title: identify the project and its parties
The definition of contract terms and scope: range and extent of works in sufficient detail to identify the limits of the project
Information and facilities to be provided by the client: additional obligations of the client
Project approvals: required approvals during project progress (milestones)
Payment systems: monthly valuation with reasonable allowance added for variations, materials delivered, legally committed funds and allocation of overhead and provisional percentages. Final account at project completion
Working drawings: full design information of the project
The specification: the technical performance of the product or service being provided
Schedules: various component and assembly requirements
General conditions: standard forms of contract, often sector generic
Specific conditions: specific terms and conditions applied by the client
Provision for change and variations: provision for ordering and execution of variations, together with procedures for valuing variations and payment systems
The form of tender: a legal offer to carry out the works. Its appendices contain a summary of any additional contractual information, such as fees and contingencies
Dispute resolution: the process of dealing with disputes and arguments. First a recourse to arbitration and then a recourse to litigation: Alternative Dispute Resolution (ADR)
Bonds and warranties: specify what provision is required and how this is to be executed
Contracts involving public finance often contain a detailed bond cover (covers the contractor performance up to completion and hand-over), with guarantees and warranties (cover quality and reliability of the finished product) over and above this in some cases. The warranty may be insurance backed
In order for a contract to exist, there must be:
Offer and acceptance: when the contractor completes a bid in the form of a tender, that is his or her offer, and when the client accepts that offer, that is the contractual acceptance
Consideration: a fee charged in advance to retain the services, i.e. a deposit may be necessary to make the contract valid
Capacity: the contract can be void if a party to the contract accepts it fully knowing that he will not be able to fulfil the contract
Legal relations: the terms and conditions in the contract must relate to actions that are not illegal
Communication: Acceptance must be communicated to the bidder for the contract to be valid
Alternatives to fulfilment of the contract include:
Breach: where one party acts in contravention of one or more terms or conditions
Frustration: where a contract cannot be performed, even if both parties wish to do so.
Rescission: where there has been an error or misunderstanding in the preparation of the original contract. The courts can then elect to rescind one or more contract terms if they are not acceptable, for example in the case of contradictory terms
Rectification: where a contract term has been wrongly worded or phrased
Void: e.g. when the contract goods are illegal
Termination/determination: under certain circumstances a contract may be determined, and this means that both parties to the contract cease works, and the party that has determined the contract can seek reimbursement against the party who has been determined (e.g. determination by the contractor because the client has not paid agreed sums of money)
Procurement:
The process by which goods and services are acquired, and the process by which the organisation tries to attract and contract good quality services
Good procurement leads to good suppliers and this in turn leads to increased performance and improved profitability
Most large organisations have a legal section that is responsible for procurement and the preparation and execution of contracts.
Procurement can act at a strategic level or at project level:
Strategic level: involves the corporate strategy of the organisation
Project level: restricted to procurement options relevant to the project only
Procurement involves a number of life-cycle phases:
Objective phase: the objectives of the procurement process are established and reconciled with the objectives of the project and with the overall objectives of the organisation
Exposure phase: a list of different possible sources of supply is made and examined in regard to past experience. Alternatively the procurement objectives may be advertised and expressions of interest may be invited
Alternatives phase: involves a scrutiny of the various alternative sources available, including checks of the bidders’ plants, records, financial numbers etc.
Documentation phase: the client (or its consultants) prepares contract documents that describe the works in some way, and to such a level of detail that all ambiguity, or as much as possible, is removed. This is important because it allows all bidders to bid on the same basis
The idea is to produce true parity of tender
Tendering phase: those applicants selected to proceed may be invited to tender or bid as the preferred source. This also involves the client preparing a formal document that describes the liabilities and obligations of the tender contract
Award phase: the bids/tenders are analysed, usually by a legal expert and by a cost expert, and checked for all requirements necessary
Contract administration phase: the contract is awarded and the client or its consultants administer the contract in order to ensure that both parties comply with the contract
Characteristics of contracts:
Controllable risk: includes such factors as human error and decision making. These risks are internal to the project and controllable by good management and good quality-control procedures
Uncontrollable risk: includes factors that are outside the immediate control of the project. Some may be reduced by the use of insurance contracts
In all cases there will be some fundamental contractual risks, including:
Adequacy of design: latent (hidden) and patent (obvious) defects
Project eventual cost: the risk for cost overruns may be client- or contractor-based
Safety and indemnification for accidents: provisions for indemnity
Third-party insurance: insurance against damage to third parties (people or property)
Fire, flood etc
Completion deadlines: liquidated and ascertained damages: if the project is completed late, both the client and the contractor are likely to lose money, and as a result most contracts include specific clauses to protect against late completion
Punitive
Liquidated (cash)
Ascertained (based on actual losses incurred)
Express and implied terms
Express terms are those that are clearly expressed within the wording of the contract;
Fundamental risks
Most contracts for goods and services
Sale and delivery of an automobile
Implied terms are those that can be implied from the wording of the contract or from common usage
Liabilities (reasonable duty of care)
Contract for professional services
Most professional service persons are generally required to carry professional indemnity insurance (PII)
Transfer of risk in contracts
Contracts are vehicles for risk transfer, and risk can generally be transferred to whatever degree is considered necessary by the person who is drafting the contract. An increase in level of risk transfer will be accompanied by an increase in the cost of doing so
Risk is sometimes transferred through indemnity clauses (hold harmless clauses), which seek to transfer specific risks for specific events onto a named party
Reasonable transfer of risk through contract also depends on the ability of the risk bearer to absorb any damages
Variation orders and change notices
No matter how well prepared and detailed the contract documents are, there will always be some information that is missing at the tender pricing stage. In addition, once the works start, there will be unforeseen changes that in turn will require changes to the contract itself
This raises the need for some form of change control and change management system
Variations allow for changes to be made to a contract without invalidating it. Changes can be technical or administrative
The main requirement for a variation order is that it has to be fair to both parties of the contract
Claims risk
When variations occur, and the project performance is affected, the parties to the contract might seek reimbursement from the party that caused the delay or change. This is usually done through the assembly and submission of a direct claim
Most standard forms of contract list items that are acceptable as the basis for a contractor claim; these are items that the contractor has no control over and that therefore have to be classified as client risk
Typical examples of client risk include:
Failure to provide information within a reasonable time of the contractor requesting it
Late instructions
Errors or omissions in the contract documents
Delays caused by nominated subcontractors
Delays caused by client consultants
Changes in statute
Non-availability of labour
Civil commotion and disruption
Declaration of war or war damage
Exceptionally adverse weather
Determination of contract by contractor
A contractor may also be able to claim reimbursement on other grounds (normally insured by client):
Fire
Flood
Lightning
Impact or aerial devices
Ionising radiation
The contractor is generally also required to carry some insurance:
Employers liability for employees
Liability for damage to third party persons or property
Escape of potentially harmful or hazardous materials
Large contractors generally cover these risks with some kind of all-risks policy
Version 2
Module 3: Project Risk Management
Introduction
This module introduces the concept of risk management. A good project manager also has to be an effective risk manager. All projects are subject to risk of one kind or another, and the project manager has to be able to manage this risk through the life cycle of the project. In order to do this, the project manager has to be able to look at the project and its environment, and identify the risks that are present. The project manager also has to be able to transfer or reduce unacceptable risks and then set up monitoring and control systems so that the residual risk can be managed effectively.
Risk is an inherent factor of virtually every human endeavor. Human beings naturally consider risk and reward as part of the decision-making process. The consideration is not always formalized and may occur at a subconscious level. If a gambler is placing a bet on a horse, he or she might consider a whole range of variables that relate to the possible outcome of the race. These variables might include the fitness of the horse, the competition, the racetrack conditions, and so on. Another gambler, who is playing poker, might have no idea of what the competition has to offer and uses a more intuitive, less structured and formalized approach to assessing the potential risks and rewards of folding or playing. Between these two extremes, the human reasoning and evaluation of any particular event is based on decision making within the limits of what are acceptable and non-acceptable outcomes. The gambler does not like to lose, but there is a difference between losing what he or she can afford and losing what he or she cannot afford.
Risk analysis can therefore be considered as a basic function of the human cognitive process. People evaluate potential risks and rewards when deciding on whether or not to do something. The human mind considers a risk as a form of model in which possible events and outcomes are considered in terms of possible actions. The possible gains are then balanced against the possible losses, and a subjective (or objective) decision is made.
The same consideration applies to project management. Projects tend to be complex and one-off. They may operate within an environment that is characterized by uncertainty. The project manager has to make decisions under conditions where risk is an everyday factor. A project manager is therefore an inherent risk taker. The ability to identify and control risk is a primary project-management function. The project manager has to be able to evaluate fully all the relevant risk information in order to make an informed decision that gives the best balance of potential favorable outcome against potential negative outcome. This module considers the origin of risk and briefly considers how the human thought process addresses risk. It goes on to look at decision-making under conditions of certainty, risk, and uncertainty. The module then explores the basic components of a generic management system and considers the association between risk and contracts.
Learning Objectives
By the time you have finished this module, you should understand:
What is risk, and why it is important;
The difference between certainty, risk, and uncertainty;
How decisions can be made under each condition;
The concept of risk management;
The basic components of a risk management system;
The basics of contract theory and how contracts are used to transfer risk;
Learning Summary
The Concept of Risk
Risk is all around us and plays a part in virtually everything we do.
Risk management originated in the US and the UK during the design of the first nuclear power stations.
Risk management has to consider both individual risks and also the overall collective effect of other risks. The net impact of individual and collective risks can be quite different.
Risk is a measure of the probability and consequence of not achieving a specific project goal. It therefore depends both on the likelihood (probability) of an event occurring and on the consequences (impact) of that event should it occur.
Risk is a function of the probability of an event occurring and the consequences of the event if it does happen.
Risk = f(event, uncertainty, consequences)
Risk is also a function of the level of hazard represented by an event and the degree of safeguard that is put in place to counter it.
Risk = f(event, hazard, safeguard)
An organization’s sensitivity to risk is a function of three elements. These are:
The degree of exposure (or vulnerability) to particular risk impacts
The significance (or severity) of the enterprise’s exposures to the realization of different events.
The firm’s ability to manage the implications of those different possible events, should they occur.
Sensitivity is therefore a measure of likelihood and impact, modified to some extent by the ability of the organization to manage these variables.
The use of risks to create value is changing. The profile of risk management and the risks defined by organizations in decision-making are also changing.
This is an uncertain world. Very few things are certain apart from taxes and death. In such an environment, all investments must be subject to some degree of uncertainty and therefore risk. Risk management is a key element of the management of investment and the generation of return.
Risk and opportunity go hand in hand. Everybody is on the lookout for a good opportunity. Opportunities exist within an uncertain world and are therefore subject to uncertainty and risk. The relevant risks have to be effectively managed if opportunities are to be exploited.
Risk intimidates competitors. It prevents them from taking advantage of market opportunities that exhibit hazard above a certain level.
Risk and risk management should not be seen as purely static. Risk management is not just about identifying potential negative events and then taking precautions against them. It is about looking at the complex world of business and analyzing the myriad opportunities that present themselves and then making an informed decision on which are the best ones to commit to.
In order to succeed, companies have to take risks. They have to commit scarce and expensive resources to uncertain business activities. The more research and analysis that can be put into the risks that underlie those activities, the better.
Risk is therefore both a good thing, and a bad thing. It is the driving force behind innovation and enterprise, but it is also a threat if not properly evaluated and managed. It is particularly significant in a project context, where the work is typically complex and does not form part of a repetitive cycle.
The Human Cognitive Process
Decision-making and risk are fundamental elements of the human cognitive process.
People make decisions in relation to perceived rewards and risk; the decision-making process is largely dependent upon perceived rewards and risks.
Perception of risk varies from person to person and in relation to the potential effects of the risk event.
Most aspects of the human cognitive process make a subjective evaluation of risk. This ability is a basic survival tool and has been essential for human development.
Pattern recognition is where the brain takes incoming information and stores it temporarily at a superficial level, and then compares that information to previously stored information in order to make an assessment of what the new information represents.
Bounded rationality is based on the philosophy that a being will generally opt for rational behavior within constraints.
The relationship between possible actions and acceptable outcomes determines what actions are to be considered as part of the decision-making processes.
Possible actions are subject to the constraints of acceptable outcomes, and satisfactory outcomes are not necessarily optimal outcomes.
‘Prediction momentum’ allows forward projections based on current events and past experience to be made.
Any forecasting technique is only as accurate as the data that are used in developing it and operating it.
The primary determinants of prediction model development and application are time scale, cost of production, and lack of bias about future events.
Intuition can be both individual and organizational. Companies store and use collective experience in much the same way individuals do.
Most researchers would agree that the analysis and synthesis of a problem is a four-stage process. These stages are framing, formulation, evaluation, and appraisal.
Risk Handling
Risk control is particularly important in monitoring the evolution of risks.
Risks change in terms of probability and impact over time; it is imperative that any such evolutions are monitored and controlled in modern business.
Types of Risk
Market risk is dynamic. It is concerned with both positive and negative values, or potential gains and losses.
Static risk considers losses only. It looks at the potential losses that could occur and seeks to implement safeguards and protection in order to minimize the extent of the loss.
External risk originates and operates outside the organization. Typically, the organization has little or no control over external risk.
Internal risks originate from within the organization; at least in theory, the company should have some control over them.
Predictable risks are ‘known unknown’ risks, such as changes in interest rates during times of fluctuations in the economy.
Unpredictable risks are the ‘unknown unknowns’ such as the collapse of a major bank. These are unforeseeable.
Risk Conditions and Decision-Making
In general terms, there are three possible circumstances under which decisions can be made. These are conditions of certainty, conditions of risk, and conditions of uncertainty.
Decision making under conditions of certainty implies that the decision maker knows with 100 per cent accuracy what the outcome will be. In other words, all the necessary decision-making data and information are available to assist the decision maker in making the right decision.
There will be one dominant strategy or risk that will produce larger gains or smaller losses than any other risk, for all states of nature.
There are no probabilities assigned to each state of nature (equal likelihood of occurrence).
Decision making under conditions of risk implies that the level of risk can be assessed and quantified in some way.
The difference between conditions of uncertainty and conditions of risk is that under risk there are assigned probabilities. These relate to the “known unknowns”. Under conditions of uncertainty, it is not possible to predict what state of nature will apply.
There are several uncertainty criteria that can be considered. These are Hurwicz, Wald, Savage, and Laplace.
The Hurwicz criterion is sometimes referred to as the “maximax” criterion. The decision maker is always optimistic and seeks to maximize profits by an all or nothing approach. The decision maker is not concerned with how much he or she can afford to lose.
The Wald criterion is sometimes referred to as the “Maximin” criterion. The decision maker is pessimistic and seeks to minimize losses. The decision-maker is concerned with how much he can afford to lose. He will consider only the minimum profits (not losses); losses are not considered to be an option.
The Savage criterion is sometimes referred to as the “Minimax” criterion. The decision maker is a “bad loser”. He or she therefore attempts to minimize the maximum regret. The maximum regret is the largest regret for each strategy, and the largest regret is the greatest difference within a state of nature column in the pay-off matrix.
The Laplace criterion attempts to convert decision making under uncertainty into decision making under risk.
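The four criteria above applied to one pay-off matrix, as an added example that is not part of the original notes. The matrix, strategy names and figures are constructed for illustration; the `alpha` parameter generalizes Hurwicz beyond the maximax case described in the text (alpha = 1.0), and Laplace is implemented by giving every state of nature equal probability.

```python
"""Decision criteria under uncertainty applied to one pay-off matrix."""

# Constructed pay-off matrix (profit, arbitrary units). Rows are strategies,
# columns are states of nature. Names and figures are illustrative only.
STATES = ["low demand", "medium demand", "high demand"]
PAYOFFS = {
    "build in-house": [-40, 30, 120],
    "subcontract": [10, 40, 60],
    "joint venture": [-10, 50, 90],
}


def _validate(payoffs):
    """Reject empty or ragged matrices before any criterion is applied."""
    widths = {len(row) for row in payoffs.values()}
    if not payoffs or len(widths) != 1 or widths == {0}:
        raise ValueError("pay-off matrix must be non-empty and rectangular")


def _best(scores, pick):
    """Return (strategy, score); ties go to the first strategy listed."""
    target = pick(scores.values())
    for name, score in scores.items():
        if score == target:
            return name, score


def hurwicz(payoffs, alpha=1.0):
    """Optimist: weight best pay-off by alpha, worst by 1 - alpha.

    alpha=1.0 is the maximax case described in the text; alpha=0.0
    reduces to the Wald (maximin) choice.
    """
    _validate(payoffs)
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha must lie in [0, 1]")
    scores = {s: alpha * max(r) + (1 - alpha) * min(r)
              for s, r in payoffs.items()}
    return _best(scores, max)


def wald(payoffs):
    """Pessimist (maximin): pick the strategy with the best worst case."""
    _validate(payoffs)
    return _best({s: min(r) for s, r in payoffs.items()}, max)


def regret_matrix(payoffs):
    """Regret = best pay-off in that state-of-nature column minus own pay-off."""
    _validate(payoffs)
    column_best = [max(col) for col in zip(*payoffs.values())]
    return {s: [b - v for b, v in zip(column_best, r)]
            for s, r in payoffs.items()}


def savage(payoffs):
    """Minimax regret: minimize the largest regret of each strategy."""
    regrets = regret_matrix(payoffs)
    return _best({s: max(r) for s, r in regrets.items()}, min)


def laplace(payoffs):
    """Treat all states as equally likely and maximize the expected pay-off."""
    _validate(payoffs)
    return _best({s: sum(r) / len(r) for s, r in payoffs.items()}, max)


if __name__ == "__main__":
    for label, result in [
        ("Hurwicz (maximax)", hurwicz(PAYOFFS)),
        ("Wald (maximin)", wald(PAYOFFS)),
        ("Savage (minimax regret)", savage(PAYOFFS)),
        ("Laplace (equal likelihood)", laplace(PAYOFFS)),
    ]:
        print(f"{label:28s} -> {result[0]} (score {result[1]:.2f})")
```

On this matrix the criteria disagree: the same data leads to three different choices depending on the decision maker's attitude to loss.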
The Concept of Risk Management
Risk can be a good thing. Without risk there is no reward, and risk breeds innovation. Risk is therefore to be encouraged within an organization, but it is also dangerous and therefore has to be managed.
A risk management system aims to identify the primary risks that an organization is exposed to, so that an informed assessment and proper decisions can be made to safeguard the organization.
Most risk management systems contain five distinct areas:
Risk identification
Risk classification
Risk analysis
Risk attitude
Risk response
Risk sources are often classified in terms of objective and subjective sources.
Objective sources use the sum total of past experience of past projects in relation to the current project. This source is sometimes referred to as “experience”.
Subjective sources use the sum total of current knowledge based on current experience. Estimates of current performance are made based on optimistic, likely, and pessimistic estimates, relevant to current estimates.
Risk identification often makes use of brainstorming techniques.
Most work on classifying risk is linked (at least in part) to so-called portfolio theory.
Risk can be primarily classified in terms of:
Risk type
Risk extent
Risk impact.
Once the risks have been identified and classified, they then have to be analyzed. Risk analysis is based on the identification of all feasible options and data relating to the various risks, and on the analysis of the various outcomes of any decision.
Most risk analysis approaches involve the identification of risk drivers. The risk drivers are all the factors that influence the impact and probability of the identified risk.
The process of risk mapping is sometimes referred to as “risk profiling” or even “risk foot-printing”. It is basically a process for showing the relationship between risk probability and impact for a range of given risks, as a function of time.
A basic risk map has four quadrants; it is relatively easy to expand this to more sectors.
Quadrant 1 (red zone: high impact/high probability) represents the dangerous risks. No business can survive accepting these risks at this critical level over the long term. They have to be addressed at once and immediate action has to be taken. They are strategically important and appropriate action is immediately required.
Quadrant 2 (upper yellow zone: high impact/low probability) represents risks that are not as crucial as those in the red zone. However, they require close attention as they include the severe effects of extraordinary events.
Quadrant 3 (lower yellow zone: low impact/high probability) represents risks that are often related to day-to-day operations and compliance issues. They are “unmanaged hurricanes”.
Quadrant 4 (green zone: low impact/low probability) represents risks that are not of sufficient stature to allocate specific resources. They are generally insignificant and are acceptable at their present level.
The attitude of the risk taker is obviously an element in risk management.
Much risk evaluation is subjective and therefore the perceived level of risk involved with a course of action depends on the attitude of the risk taker.
Different types of people and even different professions characteristically exhibit different standard risk-attitude characteristics.
Risk response basically centers on risk distribution.
Obvious risk responses include:
Risk retention
Risk reduction
Risk transfer
Risk avoidance
Seek additional information about risk
Ignoring the risk is obviously itself a high-risk strategy. Informed risk retention is another consideration. This is most suited to risks that are characterized by small and repetitive losses.
Risk may be reduced by a number of means. It may be possible to engineer risk out of the equation. In addition, risk may be reduced by training and development, or by redefining the aims and objectives of the project.
Risk transfer involves transferring the risk to others. There are numerous ways in which this can be done. Liability could be transferred through contractual clauses or through negotiation. Probably the most common way of transferring risk is through an insurance contract.
Not all risks can be transferred, and there may be some risks where it is not economical to do so.
Risk avoidance means removing the risk in all forms from the project. Risk avoidance is synonymous with refusal to accept risks. It is normally associated with pre-contract negotiations.
Risk may sometimes be avoided or reduced by seeking additional decision-relevant information. Some uncertainty is caused by a lack of relevant information; and the level of perceived risk may be reduced if more information is made available.
Risk, Contracts and Procurement
A contract is a classic way of managing risk. It is simply a formal agreement between two or more parties. It records the rights and obligations of each party to the contract. A contract is therefore a tool for risk transfer and mitigation.
A contract also allows risk to be controlled. In addition, it provides guidance for each party in the event of a dispute or conflict.
In order for a contract to exist there must be:
Offer and acceptance (mutual agreement)
Consideration, i.e. some form of payment (depending on the legal system)
Capacity
Intention to create legal relations
Communication
Alternatives to performance include the following:
Breach
Frustration
Rescission
Rectification
Illegality
Voider
Termination/determination
If variations occur, or if the project is delayed or changed for other reasons, the parties to the contract might have recourse to seek reimbursement from the party that has caused the delay or change. This is usually done through the assembly and submission of a direct claim. If this is disputed, the party might seek recourse through litigation, in which case the claim would be converted into a claim for damages.
Most standard forms of contract list items that are acceptable as the basis for a contractor claim. These are items that the contractor has no control over, and therefore have to be classified as client risk. Typical examples of client risk include:
Failure to provide information within a reasonable time of the contractor requesting it
Late instructions
Errors and omissions in the contract documents
Delays caused by nominated subcontractors
Delays caused by client consultants
Changes in statute
Non-availability of labor
Civil commotion and disruption
Declaration of war and/or war damage
Exceptionally adverse weather (where appropriate)
Determination of contract by contractor