Qualitative risk assessment
Other techniques
Risk analysis of cash flows, investment appraisals and business cases
Determining the impact of risk and uncertainty on the cash flows can be done by developing a combined time and cost model. Some software has the ability to do this or it can be achieved in Excel. Where the analysis is based on a business or investment case it is usual to carry out this analysis in a spreadsheet model.
This analysis examines the variability of the components of a business (or project) that affect cash flows and outputs variables for profit, rate of return or other financial measures. The analysis is particularly useful for predicting funding requirements and contingency drawdown. It is difficult and time consuming to do and can be challenging to explain the outputs and to turn them into meaningful management information. Some caution should be taken when considering this kind of analysis and the use to which the results are being put.
Management and control of risk
Once the team has agreed on the initial risks that have been identified and assessed, the major task is to identify actions and controls to manage them. As with many elements of risk management there are many approaches that can be taken and lots of terminology to contend with. The reality is very simple – we initiate some activity to limit the likelihood or impact of the risk. The activity can either be continual (a control) or a specific action.
To ensure that risks are managed each risk is assigned an owner and the owner analyses the risk and determines what actions (mitigation, contingency or observation) or controls should be taken to control them. He also identifies the level of resources that should be committed to the risk action plans. They will also consider the proximity of the risk and prioritise which risks are more important at what stage of the project and should take priority. Proximity in this case is the point at which you need to do something before it is too late to be effective. Risk management requires continuous monitoring and action if it is to be effective and should be regularly under review as part of the monthly cycle for project control.
Selecting risks for active management
Effort should be concentrated upon the major risks throughout the preparation work stage and the business justification and delivery strategy stages. It is neither practical nor cost effective to actively manage all risks on the risk register. Only those which represent the greatest threat to the project require this treatment.
There are several ways to select risks for active management and many different criteria to use. The aim is to highlight the ones that have the biggest potential impact and can be most effectively managed. Risks that have a big impact but over which we can have very little impact should be recognised but not necessarily actively managed.
It is not necessarily acceptable or desirable to do nothing or to defer mitigation on risks with a middle and lower range severity and some form of monitoring and management may still be required unless the risk becomes tolerable.
Account should be taken of the cost of mitigation when assessing the controls and actions to be taken. In the vast majority of cases risk mitigation is assessed as having no cost and suggests that a management action is the primary activity. These mitigations tend to be harder to measure their effectiveness and an assessment of the effectiveness and the outcome should always be considered. Regular monitoring of the actions and the effectiveness of controls should be carried out to assure the process.
Main risk response strategies
Risk response strategies can be defined as an appropriate procedure or step implemented to respond to a risk, particularly when this risk generates a high degree of exposure unacceptable to the project/ programme.
There are a number of different ways to respond to a risk, some of which are given below:
Risk reduction: where the level of risk, or exposure to risk, is unacceptable. Proactive actions are required either to reduce the probability (through control options) of the event occurring or the impact of it occuring.
These actions could include redesign or more detailed design, value management or engineering exercises, different method of construction or changing some of the risk allocation strategies.
Risk transfer: where accepting the risk would give the client the best value for money. This consists in transferring the responsibility of managing the risk to a third party able to better control a part of it. The most common form of risk transfer is through contract but care should be taken as true and total risk transfer is difficult to achieve and the risk tends to remain with the client. It might include an insurance cover where appropriate.Risk sharing: where the risks are not totally transferred and shared by different parties. Modern procurement routes include the application of pain/gain formulae. The parties share the gain if the cost is lower than the cost plan and the pain in case the cost is higher.
Rigorous review and follow ups of identified risk mitigation actions and regular updates of the risk register are essential to get the full benefits of risk management.
Update risk register
The risk owner should update the risks on a regular basis as set out in the risk management plan and in particular reflect the actions being taken and their effectiveness and the current status of the risk including any changes in its assessment.
At agreed intervals (for instance at project meetings) the risk manager should review the progress of the management actions and update the register. These reviews are normally conducted informally within an agenda item at routine meetings.