You are on page 1of 27

British Standard

Licensed Copy: Rupert Heygate-Browne, Agip KOC, 30 September 2003, Uncontrolled Copy, (c) BSI

A single copy of this British Standard is licensed to
Rupert Heygate-Browne
30 September 2003

This is an uncontrolled copy. Ensure use of the most
current version of this document by searching British
Standards Online at bsonline.techindex.co.uk

BRITISH STANDARD |
| BS 6079-3:2000
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Project management Ð |
|
|
|
|
|
|
|
|
Part 3: Guide to the management of |
|
|
business related project risk |
|
|
|
|
|
|
|
|
|
|
|
|
|
Licensed Copy: Rupert Heygate-Browne, Agip KOC, 30 September 2003, Uncontrolled Copy, (c) BSI

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ICS 03.100.50 |
|
|
|
|
|
|
|
|
NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW
|
|
|
|

upon which the following bodies were represented: Association of Project Managers BEAMA Ltd. Agip KOC. having been prepared under the direction of the Management Systems Sector Committee. Uncontrolled Copy.) Health and Safety Executive Highways Agency Institute of Quality Assurance Institution of Civil Engineers Institution of Incorporated Executive Engineers Institution of Mechanical Engineers Ministry of Defence Operational Research Society Royal Institution of Chartered Surveyors Society of British Aerospace Companies Ltd. of Management Accountants Federation of the Electronics Industry Fellowship for Operational Research Licensed Copy: Rupert Heygate-Browne. (c) BSI GAMBICA (BEAMA Ltd. No. Date Comments The following BSI references relate to the work on this standard: Committee reference MS/2 Draft for comment 99/402000 DC ISBN 0 580 33122 9 . BS 6079-3:2000 Committees responsible for this British Standard The preparation of this British Standard was entrusted by Technical Committee MS/2. 30 September 2003. Project Management. was published under the authority of the Standards Committee and comes into effect on 15 January 2000  BSI 01-2000 Amendments issued since publication Amd. South Bank University Co-opted members This British Standard. British Computer Society British Standards Society British Telecommunications plc Chartered Inst.

Uncontrolled Copy. 30 September 2003. Agip KOC. BS 6079-3:2000 Contents Page Committees responsible Inside front cover Foreword ii Introduction 1 1 Scope 3 2 Terms and definitions 3 3 The business related project risk management model 3 4 Undertaking risk management 7 Annex A (informative) Communication in risk management 16 Annex B (informative) Business and risk management tools and techniques 17 Annex C (informative) Risk perception 18 Annex D (informative) Stakeholder analysis 20 Licensed Copy: Rupert Heygate-Browne. (c) BSI Annex E (informative) Common examples of business and project risk 21 Figure 1 Ð The risk management process 2 Figure 2 Ð The relationships between businesses. projects. and sub-projects 4 Figure 3 Ð Business level risk management steps 8 Figure 4 Ð Project and sub-project level management steps 9 Figure 5 Ð Scheme for evaluating risks 13 Table 1 Ð Decision making levels 5 Table 2 Ð Examples of decision makers 5 Table 3 Ð The relationship between decision making focus. and decision making levels in the context of risk management 6 Table 4 Ð Basic qualitative analysis 12 Table 5 Ð Counter measures 13 Table 6 Ð Opportunities 14  BSI 01-2000 i .

Licensed Copy: Rupert Heygate-Browne. It should not be quoted as if it were a specification. The publication contains guidance and recommendations. Agip KOC. Uncontrolled Copy. and should not be used for certification purposes. ii  BSI 01-2000 . an inside front cover. pages 1 to 21 and a back cover. (c) BSI Summary of pages This document comprises a front cover. A British Standard does not purport to include all the necessary provisions of a contract. 1) This was originally published as BS 6079:1996. 30 September 2003. Ð Part 2: Project Management Ð Vocabulary2). 2) In the course of preparation. It is a part of a series of standards that consists of: Ð Part 1: Project Management Ð Guide to project management1). Users of British Standards are responsible for their correct application. The BSI copyright notice displayed in this document indicates when the document was last issued. pages i and ii. Compliance with a British Standard does not of itself confer immunity from legal obligations. BS 6079-3:2000 Foreword This British Standard has been prepared by Technical Committee MS/2. Ð Part 3: Project Management Ð Guide to the management of business related project risk.

Ð improved control of project and business costs. and readiness to. Individuals and organizations can lose described in this standard is applicable for each substantial sums of money as a result of not paying aspect of the business activity focus at each level of sufficient attention to the identification and decision making. exploit all Annex E gives a listing of some common types of beneficial opportunities. they are be many more organizations with influence and dismissed on the grounds that ªit couldn't happen vested interests than is readily acknowledged. risks are rarely ignored the identification of project and business when initial plans are made. The risk management process or sector. Ð actions being implemented in time to be Annex C describes the significant aspects of risk effective. Even when an analysis is undertaken. Annex A describes the importance of effective The benefits of systematic risk identification and risk communication within risk management. Ð appreciation of. assessing. 30 September 2003. Managing business related project risk involves Licensed Copy: Rupert Heygate-Browne. business risk. can be used to provide an analytical framework. Ð greater control over innovation and business development. In order to manage risk effectively. opportunities arising in the course of their activities the business. project. and controlling risk within a broad Risk management is a core process within any framework. This is because it is only in management is therefore as much about looking relation to an organization's or individual's specified ahead to identify further opportunities as it is about goals that risk arises. or decisions taken. to stakeholders. objectives is itself a major cause of project failure. BS 6079-3:2000 Introduction This standard describes a process for identifying. Ð fewer costly surprises through effective and transparent contingency planning. management include: Annex B gives an overview of management tools that Ð more realistic business and project planning. It is simply that it is rare for highlights the importance of stakeholder analysis and all risks to be identified and taken into account suggests that it is integrated into the risk systematically in the early stages of planning. can be risk management factors. Although it is often suggested that formal risk management does not begin until the first actual risk A vital part in clarifying goals and assessing risk is assessment has taken place. Unless the stakeholders are well known that managers and their teams generally identified and understood at an early stage the true know what can go wrong and what worthwhile extent of the management task and the source of opportunities might occur.  BSI 01-2000 1 . activity illustrated in Figure 1. Equally. (c) BSI efficient and effective management of risk can make a significant contribution to the economic and taking account of business risks that affect its general welfare of society. Taking hereº. a team context in which its projects will be carried out. Ð greater certainty of achieving business goals Annex D describes the principles involved in and project objectives. or sub-project goals need to be if these are not recognized in good time. throughout the life of each project. Within any project there are also inherent risks to the project itself. The main features of this process are business or organization regardless of size. Ð improved loss control. It is management process. perception which can impede risk management. stakeholder analysis. identified and actively managed. all stakeholders are easily recognizable and there can sometimes when risks are foreseen. Confusion over project avoiding or mitigating losses. Similarly. full advantage Projects are the principal means by which a business cannot be taken of potentially beneficial moves forward. Uncontrolled Copy. In this way. Risk assessment should therefore be seen as stakeholders into account can ensure that planning part of a continuous review process conducted is much more ªviewpoint orientedº. Agip KOC. management of threats to their goals and to the projects they commission. Without the benefit of much risk can go unrecognized. The guidance in this standard proceed with projects. Ð increased flexibility as a result of understanding all options and their associated risks. On a wider level. as well as that of the projects and project risks that affect the business. Identifying systematic risk analysis however. Not will not always maintain and update it. Risk clearly identified. businesses and projects directly concerned. the Annexes A to E are informative and give background many risks to the business that occur as a information for a fuller understanding of associated consequence of the projects it undertakes. and to its sub-projects. it is not always stakeholders also helps define the relationship possible for them to exploit their knowledge to the between the business and its environment and the full.

30 September 2003. Licensed Copy: Rupert Heygate-Browne. Agip KOC. Uncontrolled Copy. (c) BSI 2 BS 6079-3:2000 Figure 1 Ð The risk management process  BSI 01-2000 .

some effect on the interests and goals of those at risk if a of which can be described as business initiatives but risk event happens or a risky situation materializes which nonetheless have the same general characteristics. target risk levels or other industrial.7 managers. These are as follows: 2.2 stakeholder risk individual. It is not intended as a substitute for specific risk management standards that address risk assessment in distinct systematic application of policies. evaluating. The model outlined in this guide is shaped by two generic perspectives that can be applied to any kind Ð judge the magnitude of their likely consequences of business or project. Risk management 2. technological risk. their interests satisfactory.4 a) defining the relationships between the risk assessment businesses and its projects. a measure of risk consequence This standard offers generic guidance only and it is 2. and influences 2. 3. commercial and public or voluntary criteria sectors. for dealing with risk 2.14 goals stakeholder analysis NOTE Such contingencies could make the result more or less process for identifying stakeholders.8 to the circumstances and needs of the particular risk impact organization.)  BSI 01-2000 3 . a contingency) that can affect the prospects of achieving business or project 2. overall process of risk analysis and risk evaluation b) modelling the decision making processes associated with activities at different levels within 2. Uncontrolled Copy. either or both of whom are almost always responsible to higher levels of authority for one or risk identification more projects of various types and sizes. group or organization having a vested uncertainty inherent in plans and the possibility of interest or influence on the business or its projects something happening (i. analysing.13 2. determination of what could pose a risk It is intended that its application will be proportional 2. and monitoring risk NOTE This standard advises that risk management is treated as an integral part of good management practice. applications.1 2. procedures. and practices to the tasks of identifying. BS 6079-3:2000 1 Scope 2. such as health and safety. 30 September 2003.5 either the business or project. It is applicable to a wide evaluating and comparing the level of risk against spectrum of project organizations operating in the predetermined standards. NOTE This is also referred to as ªrisk transferº. treating.3 risk analysis 3 The business related project risk systematic use of available information to: management model Ð characterize the risks. or areas of methods. Agip KOC.1 General Ð determine how often the specified events could occur.e.11 2 Terms and definitions risk treatment For the purposes of this British Standard the selection and implementation of appropriate options following terms and definitions apply.10 is an iterative process consisting of steps that enable continual risk sharing improvement in decision making.12 residual risk secondary risk risk remaining after risk treatment measures have risk arising from the risk treatment process been taken 2. It is written for project sponsors and project 2. Its effective use depends on the experience and judgement of the practitioners applying the spreading of risk by sharing it with others guidance. risk consequence (Sub-projects often exist within larger projects.6 This standard gives guidance on the identification risk evaluation and control of business related risks encountered process used to decide risk management priorities by when undertaking projects. 2.9 Licensed Copy: Rupert Heygate-Browne. and not simply on routinely following the steps outlined. (c) BSI not suitable for certification or contractual purposes.

such as by other parties. The sub-projects. Similarly. project can consist of several sub-projects. An illustration is where one business contracts regulatory bodies. markets. Agip KOC. respectively) that established it initially a) Businesses can set up projects in which the and which contributes inputs to it. to varying degrees. the with another for the supply of parts required by Licensed Copy: Rupert Heygate-Browne. Projects should be viewed in exactly the same way Here also. the legislative framework. and this larger project then provides the external environment EXAMPLE for its sub-projects. both desired and the business boundary. Uncontrolled Copy. and acts on those inputs to produce by both parties to the relationship. or pollution. which are then returned to the c) Collaborative or partnership projects can be set same environment. and so on). Construction work could be divided between separate plastering. is at follows. project risks are also shared in various ways between the parties involved. Figure 2 Ð The relationships between businesses. BS 6079-3:2000 The effects of decisions in all parts of the business EXAMPLE and at all levels within the business and its projects A project that trains staff to undertake new jobs can be far reaching and should not be considered in can be carried out by a team from the isolation. and will be wholly retained projects within the business. Sources include other EXAMPLE businesses and organizations. Project inputs of a business and between the business and its (including risks to the project from the business). risky for the associated projects and businesses. Risks from this type of Any business takes inputs from its external relationship are born directly. and carpentry The model. experience constraints. electrical. projects. 30 September 2003. also produce outputs. shows the nature of sub-projects. project. (and sub-project. individually and jointly expect to receive benefits. as businesses. profits. Businesses operate in an external environment from b) Businesses can set up projects that are partly which they can derive key opportunities and also within and partly outside the business boundary. The nature and extent of these up by two or more parties from which they outputs will influence the future of the business. governments. Annex A gives guidance on the and outputs (including risks to the business from factors that can play a part in an effective the project). initiated to manage a particular risk. such as insurers. (c) BSI financial system. risk from the associated business.2 The relationship between businesses and outputs in this context. Risks that can arise from the functioning of the project should also be considered as 3. and indirectly goods or services. business. the first business. A sub-project could also be project risks. Three types of relationships can be identified as sub-project (and sub-sub-project. environment. are mostly retained within the communication strategy. Each project. Software production could be divided business and project relationships relevant to between teams (sub-projects) responsible for understanding how to manage business related different modules. and sub-projects 4  BSI 01-2000 . because the business or businesses that set up a project are significant elements of that A project can itself be composed of several project's external environment. wholly or partly within the initial project or business. and society at large. along with other outputs. a large sub-projects. shown in Figure 2. projects is essential. Good communication between each level organization's training department. inputs and outputs are maintained wholly within and projects.

6 Operational decision making 3. It should proceed in the order to attain the goals set. Table 1 Ð Decision making levels Decision making Examples of decision making level Strategic Establishing/confirming goals. Operational Implementing tactical choices and managing operational risks.4 to 3. and far-reaching and sometimes unintentional Ð operational. It is concerned much as the senior management of an organization with the broad implementation of strategic level set strategy for the organization as a whole. and the different levels of decision making. decisions. and at three levels: influenced strongly by choices made by decision Ð strategic. decision. context of goal setting.7. Strategic can pose risks for the others. The usually take responsibility for the different types of scope of tactical decision making is narrower. Operational decision making is principles of the tasks required to achieve a goal. and. However. Table 3 gives an overview of for goal setting and policymaking are more the relationship between the focus of decisions made restricted. three decision making levels not only occur within the business but are also found within projects and 3. tactical decision making should be concerned with the Table 1 gives an overview of the levels of decision medium term and choices of approach and method making.4 Strategic decision making Operational decision making. The risks associated with These levels generally correspond to long. 30 September 2003. For example. The three types of decision making are the time frame. Uncontrolled Copy. stakeholders and setting in context for tactical and sometimes operational decisions for each activity/project. or adopt Decision making is an activity concerned with new goals. project and sub-project levels. The goals. key risks. Since these can only be indicative. 3. implementation. strategic direction of the Tactical decision making bridges the gap between project is the province of the business sponsor. the use and meaning projects are conducted. Table 2 gives typical examples of those who within the framework set at the strategic level. the terms are more specifically applied within this Strategic decisions relating to projects can Licensed Copy: Rupert Heygate-Browne. narrowest focus and should take place within the Once goals have been established. by which time circumstances could have changed markedly. The business related decisions should therefore be reviewed on a regular project risk management model emphasizes that the basis.e. consequences for subsequent activities and the way In the context of this standard. and any constraints that concentrating on the shorter term. BS 6079-3:2000 3. Choices of strategic decision makers are wide-ranging and decisions can have Ð tactical. financial responsibilities. In general. i. through to action/s to accomplish the within which tactical decision making operates. at sometimes be taken far in advance of their business. more likely to be routinized.3 Levels of decision making for risk could hinder progress.5 Tactical decision making sub-projects. Tactical Choosing how to deploy the most appropriate means for attaining goals and managing tactical risks within the restraints set at strategic level. ranging from activity to Strategic decision making sets the basic framework identify goals. makers at this level. strategic of this terminology reflects normal usage. Table 2 Ð Examples of decision makers Decision For the business For the project For the sub-project making Strategic Non executive and executive Project sponsor Project manager senior management Tactical Middle management Project manager Sub-project management Operational Operations manager Project team and suppliers Sub-project team and suppliers  BSI 01-2000 5 . It is at this level that management decisions can be taken to modify old goals. or to change the business or project in attaining certain goals. strategic and operational decisions. and scope described in 3. should have the Goals are set by strategic level decision making. (c) BSI standard at all three levels of decision making. means. strategic decision framework and constraints established by tactical making should focus on the environment and broad decision makers. medium. this type of decision making will not always become and short-term decision making activities and each apparent until well into the future. constraints. Agip KOC. and decision makers Strategic decision making should also identify the should follow rules and procedures closely means for reaching the goal. Risk management decision making takes place scope of strategic decision making is very wide. decisions should be concerned with the longer term.

Agip KOC. feeds Feeds back risk analyses to tactical decisions. Identifies project risks in the light of Identifies sub-project risks. project. tactical risks. Identifies and evaluates risks of risk Identified any consequent risks.6Licensed Copy: Rupert Heygate-Browne. potential business level risks identified. decision making processes. corporate policies and objectives. level. new or altered risks or strategic project Transfers upwards new or modified risks. strategic sub-project risks. Transfers potentially unforeseen or new Sets context. project goals and project process. looking at business and Carries out preliminary risk analysis for the sub-project. Tactical decision Sets policy for risk management Carries out risk analyses. Feeds back to sub-project strategic level Feeds back to strategic project level all any potential modifications to risks. systems. Identifies any consequent risks. evaluates and develops making planning process ± risk analyses. (long term goals) Establishes risk management goals and received project goals. 30 September 2003. making analyses for the business and project. and decision making levels in the context of risk management Decision making type Focus of decision making For the business For the project For the sub-project Strategic decision Project initiation and preliminary risk Clarifies project goals and priorities. Clarifies sub-project goals and priorities. goals) management process. management process. develops treatment plans and options. environment to business decision makers. treatments. Transfers upwards new or modified Transfers upwards any new or modified tactical risks. back to higher level. Carries out preliminary risk analysis for processes.  BSI 01-2000 . evaluation and Analyses. (short term goals) Commits resources and makes go/no-go Identifies risks arising from this. Operational Establishes relevant committees. (c) BSI BS 6079-3:2000 Table 3 Ð The relationship between decision making focus. treatment plans for sub-project risks. (medium term evaluation and treatment. Uncontrolled Copy. Establishes sub-project risk Can contribute to changes in overall Transfers risks concerning the project management process. Establishes project risk management process. Implements risk management Implements sub-project risk treatment. principles for risk Provides feedback to business level on risks identified to project level. etc.

and sub-project levels. risks sub-project environment are important to the risk concerning project delivery. of the risks is cross-functional as long as the risks Ð the various features of the business. safety. which should. business. but can scope of risk to be managed and on risk differ in detail. rigid distinction should not be made between the For project and sub-project. See Figure 4. process as follows. For the business level. or treatment without first putting the work in context sub-project have to meet. in risks emanating from flawed decision making at particular those due to risk perception (see annex C higher and lower levels.  BSI 01-2000 7 . Both business goals and project objectives. BS 6079-3:2000 3. If problems are not correctly identified. the steps that should be identification. corporate liability Ð without a clear view of the full range of in respect of projects and human resources. Agip KOC. or are subsequently integrated.2 Identification of risks and risk making levels management scope In order to facilitate the identification and 4. This presented in a schematic form for ease of approach should recognize that the three levels of description. and agreement emphasis is sometimes put on risk analysis and risk on. and sub-project. and being certain as to what or who could be at risk. the goals identified at phases as the process of risk management will often these levels that either require decisions to be made involve the iterative retracing of steps. management process.1 General to deal separately with risk identification.2. A considered as significant. takes place in the context of goals and other Annex B gives an overview of various methods of constraints established by the level above (project risk management and analysis tools. project. and is equivalent to problem solving. management these activities are sometimes given The focus of the first set of activities should be to scant attention or even ignored altogether.7 Combining business focus and decision 4. It should be noted that identifying risks decision making occur at each of the focus levels ± and defining the full scope of risk management business. However. although There are two broad phases to the risk management eventually both will run concurrently. issues can arise during problem solving business or the project (or both) should be that require a return to problem-framing activities. as b) The second deals with assessing and managing follows. The risk identification process should be systematic. The basic structure of the process is described in 4. The steps that should be considered at the project. 30 September 2003. should be decision making and problem solving. and are described separately. the newly identified risk. environmental safeguards. a) The first phase concentrates on defining the and sub-project levels are broadly similar. Problem framing Ð risk management at each decision making level is therefore critical to effective risk management.) the skills and experience of those involved. Uncontrolled Copy. method. project.2. followed by risk assessment and treatment. It is advisable 4. It is not goals are initially established at the business exhaustive but highlights the key features of each level). (c) BSI managed. the full set of goals that the business. problem These steps are important because: solving is likely to be misdirected. Instead. at the higher level or that pose risks which cannot Effective problem framing is critical to all business be dealt with effectively at these levels. for example. involve all those likely to be affected by the Figure 3. the other two levels. ensure clarity and understanding of. project performance. risks (threats or opportunities) that might affect the Nonetheless. The implications activity is a creative task. if risk is to be effectively for background information). Yet in risk considered significant. Licensed Copy: Rupert Heygate-Browne. Attempts to compress the process are likely to limit 4 Undertaking risk management the ability to identify risks effectively. (Some aspects of the risk management decisions reached.1 General management of business related project risks it is useful to combine the business activity focus with The steps and activities within this phase are the decision making levels perspective. and the extent to which they are able to handle some of the Decision making at any level should take account of constraints on management decision making. project. project. should be accomplished for each of the misleading. This can be compared to problem considered at the business level differ from those at framing activity. as far as for risk management activities are indicated in possible. Ð failure to establish or communicate clear goals Consideration should be given to undertaking and project objectives is itself a common source of separate risk management exercises where the scope business related project risk. Its effectiveness is dependent on process noted in Figure 3 are described in clause 4. See Figure 3. risk phases of risk management and the steps within identification is severely constrained and could be each phase.

(c) BSI 8 BS 6079-3:2000 Figure 3 Ð Business level risk management steps  BSI 01-2000 . 30 September 2003. Licensed Copy: Rupert Heygate-Browne. Agip KOC. Uncontrolled Copy.

Ð those of the overall business. Ð What constitutes success.  BSI 01-2000 9 . investment decision maker and other relevant Business goals and the fit of the project goals can stakeholders? sometimes initially seem unclear or uncertain. Stakeholder analysis helps managers establish an understanding of the full range of individuals and groups that could have an effect on a business and its projects. established Ð What is the attractiveness of the project to the at the business level. Ð What are the goals of the project? However. as stakeholder analysis (see annex D). the fit can be confirmed. 30 September 2003. Agip KOC. as project boundaries and scope are These questions can also be addressed as part of a established and as an overall risk management much wider project review involving such techniques strategy is developed.2 Business level goal setting Goals and project scope and boundaries can be At the business level. Uncontrolled Copy. and precision enhanced. primary goals should be: identified by seeking answers to the questions such as the following. BS 6079-3:2000 Licensed Copy: Rupert Heygate-Browne. and Ð In whose interests is the project being initiated? Ð those of the project which the business is sponsoring or participating in. The technique also enables the most important stakeholders to be identified especially those whose interests should be taken into account if the project is to be successful. (c) BSI Figure 4 Ð Project and sub-project level risk management steps 4.2. what constitutes Business and project goals should also fit with the failure? overall business objectives and policies. Ð Who are the stakeholders? Ð Who will benefit from the successful It is important that project goals fit with those of the completion of the project? business in order to avoid either the business or project threatening the success of the other.

can be brought directly into play as a source of risk At the business level the context includes. ensuring clarity of objectives. political. probable common or underlying causes of risk Some stakeholders will only come into prominence (if any). 30 September 2003. At the project and sub-project levels. That is.2. this will then necessitate decisions threats to business and/or project. Once the full extent project levels. project level or share with other organizations. collaborators. the external environment of the organization the business and its projects.3 Project and sub-project goal/objective threats or opportunities upwards from sub-project to setting project. It business and project goals to include those relating includes other businesses. Agip KOC.3 Risk identification and strategy At the project and sub-project levels. scope should be allowed (even in these phases) for communicating potentially unforeseen 4. business. project hierarchy to the appropriate level of b) other goals identified through stakeholder management. The final set of goals for a project (or sub-project) communities. (c) BSI On completion of a stakeholder analysis. project managers. and the risk management strategy is completed. This is important because it stakeholder if the project manager decides to do establishes the high level or large scale sources of something that creates an interest for them. and higher business or too risky to pursue. BS 6079-3:2000 Once goals have been established. the financial. or project. respective levels of responsibility. they should through use of a variety of techniques to clarify proceed to implement the risk management strategy goals. and therefore constitute identified as a result of stakeholder analysis and sources of risk to the business. Should this be the case. In this constraint or threat (as well as opportunity). the emphasis is likely to be on that level. to make an effective assessment be added as a result of detailed planning at those of overall business related project risk requires an levels. overall project or sub-project goals following an initial risk assessment. the emphasis is likely to be on the of goals and related risks has been established. both for way. Annex E gives a listing of some common at the project level as a result of decisions taken by examples of business and project risk. Managers at each level of authority should be given The complete set of goals for a business in the means to manage the risks they identify. For example. Some goals identified as part of stakeholder analysis The relative emphasis of each step in the process is or risk management could turn out to be either more likely to vary with the level in the business/project at important than the goals originally set by the which it is carried out. legislative. independently of the decisions made at business competitive and cultural environments in which the level. environmental 10  BSI 01-2000 . If this is connection with a project consists of: not possible. At the business. and which risks to pass down to the implementing the risk management strategy. project and sub-project managers goals to be met should be established and reviewed have completed these initial steps for their in the same way as at the business level. making level most suited and capable of handling it. social. who could hinder or should thus consist of goals handed to them. analysis and other techniques.e. scope and boundaries. other project planning and review techniques and Licensed Copy: Rupert Heygate-Browne. should be put into operation. and Responsibility for dealing with individual risks c) other goals identified as a result of risk should rest with the management and decision assessment. but only achieve the status of project can be identified. Uncontrolled Copy. the full set of Once business. 4. the context or activists could be part of the total business environment in which they will have to be achieved environment. Project (and sub-project) managers additional goals have to be met in order to complete should then distinguish between goals and related the project successfully. and confirmation of at their level.3. it risks for which they can be responsible. and so on. Decisions made at project (or sub-project) idea of how specific risks relate to each other and to level can bring in other stakeholders not previously the desired goals and an understanding of the considered at higher activity focus levels.1 Risk model clarification goals should be those set by the level above Risk identification should focus first on individual (i. For the broad understanding of potential opportunities and business level. the primary 4. a system for passing information about those risks upwards or downwards through the a) initial goals identified by the business. and from project to business levels. Situations like this should prompt a review of business (and therefore the project) is carried out. then earlier stages. competitors and to managing this new group of stakeholders. Nevertheless. it could be modifications to the goals as a result of the risk apparent that existing goals have to be modified and assessment. Nonetheless. example. business goals. goals facilitate the project's goals. and those will be necessary to review the project's fit with the (if any) that cannot be managed at their level. respectively) but others will risks. for through decisions made at project level. Lower down the being taken about whether to handle some risks at decision making tree. and other groups such as residents.

Treatment can then be Ð market testing and research. or cause other goals to be given understanding and agreement on the part of those attention as a result of consequential risks arising analysing the risks if it is to be useful. together with other key stakeholders likelihood and consequences of each risk or set of directly involved in managing the project. to be adopted by the business. For example. between possible events or processes themselves. and the other hand. on a) the likelihood of their occurrence. the risks are inter-related and there b) the potential consequences for the business and are underlying or common causes. requirements. is difficult. Techniques include interviews. setting up a risk register or a database that lists and Techniques for information gathering vary. The risk management strategy itself can Table 4 should be used with care as it requires clear affect overall goals. and the Ð relevant experience. and include decisions about those risks to be handled by the project A classification system like the one used in managers. engineering and/or other relevant models. characteristics.  BSI 01-2000 11 . relating to the identification. and finally risk treatment historical data into meaningful information for the plans. analysis and overall A risk evaluation should then be made to determine assessment of the risk. goals continues to be acceptable. individual risks one at a time. are truly independent. Uncontrolled Copy. focus groups. If. magnitude of one risk could affect the presence or Whilst the objectives of risk analysis are easy to magnitude of another. and analysing it. The risk management strategy should cover the Table 4 illustrates the kind of analysis possible at this overall approach and principles of risk management level. library searches and translation of any quantitative indicators. financial. cause. including their ranked importance. desired goals. team workshops. These scales can be developed and adjusted to the basis on which development of an initial risk suit different qualities of data. This forms risks. Risk registers can be more or less detailed present. information on risk likelihood and consequence Effective risk modelling in this way requires an could include the following: understanding of causes and causal relationships Ð records and other sources of historical data. directed to the common cause and as a consequence will usually be more cost effective than picking off Ð application of behavioural. but describes all identified risks and records decisions should always fit the characteristics of the data to be made concerning their assessment and treatment.3. the presence or projects. Risks should be listed with details of their self-completion questionnaires. and play an essential role in risk management as a primary document of record. This Managers also need to ensure that the fit between form of classification can be applied to both threats these goals. Risk analysis can be conducted by both qualitative and quantitative methods. collected. or are related in such a way that management Ð experiments with prototypes. this assumption will not undermine the subsequent risk assessment or All risks should be assessed on two levels: invalidate decisions on how to treat the risk. Classification from the treatment of primary risks. Decisions made on the basis state in principle. 30 September 2003. and between those events or processes. The main outputs from this phase should include Ð use of specialist and/or external expertise.2 Risk analysis clarify and make explicit their understanding of the A risk analysis should be made to establish the ways in which the risks might affect the goals. One outcome of risk modelling can be Ð reviews of research into project success and the discovery that several risks share a common failure. and analysis management strategy can proceed. economic. If the risks and which risks need less attention. and the overall project and business and to opportunities. Some goals of risks will also depend on assessment of existing could be too risky to pursue and could be dropped. which risks could have been made that certain risks can be require further (and possibly more detailed) studies considered independently of each other. Agip KOC. in practice obtaining adequate Licensed Copy: Rupert Heygate-Browne. The type of analysis The main outcome of the phase should be a clear depends on the nature and quality of data available. Sources of pose risks. BS 6079-3:2000 Once risks have been identified. of those risks is simplified. (c) BSI of flawed assumptions or estimates will themselves information. measures and procedures for managing them. managers should 4. an assumption which risks take the highest priority. understanding of the risk model and accompanying A qualitative assessment should use words or assumptions on the part of the business and project descriptive scales to describe the combined managers. This likelihood and potential consequences of the should include assessing all significant assumptions individual risks or sets of risks previously identified.

such as is doubt over the initial assessment. although it will to minimize risk at very little cost. established. It is often overlooked prioritized list of treatable risks for further that in conducting quantitative analyses. Uncontrolled Copy. Where this is be necessary to re-evaluate them at regular possible. be set aside for the time being as not requiring further attention. involve inaccurate assumptions. or low priority. whether they are critical. circumstances. as high. If the analysis is otherwise insignificant should be recorded and set undertaken at an early stage it is sometimes possible aside from further consideration. In doing this. are those provide the basis for evaluating the risks. are necessary for The first step in risk evaluation should be to classify the process. quantitative identified in early business level studies. which could be incorrect or illustrated in Figure 5. any attempt to assess risk as a basis for acceptable limits. quantitative risk analysis should be used with care ± a) Threats can be classed as unacceptable in any to inform but not decide. and whether analyses can provide process of risk evaluation should result in a additional useful information. or could be affected by They too should be recorded. BS 6079-3:2000 Table 4 Ð Basic qualitative analysis Likelihood of risk Degree of risk impact Minimal Moderate Significant Likely Medium High High Possible Low Medium High Unlikely Low Low Medium Even where reliable data is available. It could be that could significantly enhance the value of a that all that is required is that risks are categorized project to the business. judgement regarding the seriousness of the risk consequences than on likelihood of occurrence. potential criteria should then be reviewed. these risks should have been are likely to be affected by other risks. Agip KOC. 12  BSI 01-2000 . Once a framework is of record and be regularly updated. establish whether there are risks that could seriously often expressed as probabilities. Risks set aside at one point in the from further consideration at this point. To what degree damage the business or project. the consequences. care should f) The third group of opportunities contains those be taken not to set aside risks that might act in that will have a negligible effect on the project. deemed worthwhile and can be managed within However. (likely to have been quantitatively the resulting information should identified in early business level studies). and which could be quantitative analysis is appropriate depends on the untreatable in the light of previously defined criteria. where there are catastrophic It can be appropriate to employ quantitative analysis consequences for the business or project or where for the more significant risks. where excessive treatment costs that far outweigh the risks are themselves combinations of other risks. decision making will increase the chances of a Opportunities should be classified according to successful outcome. and can be set aside other risks.3.3 Risk evaluation sometimes provide a more detailed assessment using The purpose of risk evaluation should first be to Licensed Copy: Rupert Heygate-Browne. A scheme for evaluating risks is decisions and estimates. combination with other risks. 30 September 2003. medium. qualitative All risks and supporting information arising from analysis should still be conducted first. nature and quality of the data available for particular If this proves to be the case. concerned. Quantitative analysis can 4. It is overall risk management process should be sometimes necessary to re-evaluate them at a later re-examined if new information or changing stage. especially when there they are unacceptable on other grounds. circumstances suggest that this might be necessary. or benefits. However. (c) BSI numerical values given to likelihood and impact. methods can be difficult to apply with any certainty b) Threats that are obviously negligible or as to the value of the analysis. Ideally. Risk registers should serve as a document likelihood and impact of risks. depending on the occurring. with the risk analysis should be compiled in the form of a object of getting a broad feel for the relative register. desirable or negligible. subjective consideration. The past is seldom a good predictor of both threats and opportunities into three broad the future and numerical estimates emerging from categories. project goals and risks. Second. facilitate achievement of project goals judgement of the managers and other stakeholders to a level greater than the minimum specified. the nature of the project. Whether analysis is conducted qualitatively or d) Critical opportunities. Risk c) Threats are classed as acceptable if they are assessment is unlikely to be straightforward. Those that fall into e) Desirable opportunities are those that. some form of quantitative risk analyses can be appropriate. risk evaluation is more likely to depend on intervals. if the low category can then.

whether it is worth doing so. reviewed to establish whether they are treatable and Risk sharing Sharing risks in part or in full with if so. It could be that some Eliminating or Changing or abandoning goals unacceptable or critical risks are actually found to avoiding specifically associated with the risk be acceptable. and intervening to mitigate analysed further to decide on appropriate forms and occurrence. threat. acting to reduce the levels of treatment. The treatment of threats involves considering counter measures.e. Treatable risks ± threat and impact. In extreme cases a project Reducing the Changing project approach. Agip KOC. what was previously a risk no Risks that are classified as unacceptable should be longer relevant. 4. e. or desirable. or whether they can be treated in the course of normal management procedures and activity. further in question.3. risks that are tolerable. an insurer. Conversely. Table 5 contains a summary of counter measures that can be adopted to minimize threats.  BSI 01-2000 13 . 30 September 2003. particularly associated. (c) BSI Figure 5 Ð Scheme for evaluating risks All risks other than the negligible and insignificant Table 5 Ð Counter measures should be subjected to further analysis and Measure Summary evaluation. or causes of i. If they are not another stakeholder who could be treatable.4 Risk treatment Reducing the Developing contingency plans for The risk treatment process should involve identifying consequences responding to the threat if it and evaluating a significant range of options for occurs. even if other steps have treating risks.g. For both threats and opportunities the first step should be to decide whether special treatment is necessary. will have to be cancelled or abandoned as a result of possibility identifying causal links between identifying an intolerable risk. BS 6079-3:2000 Licensed Copy: Rupert Heygate-Browne. or desirable ± can be threats. management plans. and preparing and implementing risk been taken to minimize the risk. it could be necessary to review the criteria involved solely to facilitate risk for treating risks or the goals with which they are treatment. or choosing alternative examination could reveal that some acceptable or approaches or processes that make desirable risks are unacceptable or critical. Uncontrolled Copy. The aim should be to confirm or amend the initial categorization.

Sufficient Facilitating Choosing project approach resources should then be allocated to implement the accordingly. beneficial stakeholders' The nature of the plan should be dictated by the outcomes. and those whose goals are at assessment to decide which actions are appropriate.5 Implementation measures to ensure their occurrence. 30 September 2003. 14  BSI 01-2000 . are to be avoided altogether. Where Ð its cost compared with the anticipated benefits insurance is chosen. enhancing other agreed actions. pursuing opportunities. insuring against loss or failure. and communicated to other significant stakeholders. Enhancing Changing project approach. All risk management. strategy prove inadequate. occurs. A distinction should be facilitators help facilitate occurrence of the made between: Ð preventive counter measures built into the Licensed Copy: Rupert Heygate-Browne. If new stakeholders are to the risk management plan (see annex A). current activities of the business. Ð the kind of actions involved. Ideally. (c) BSI opportunity. for example. BS 6079-3:2000 Treatment of opportunities involves considering 4. This is especially important when effective. and particularly ones that could pose a greater risk inspections. and project. appropriate counter measures or facilitative actions Ð any secondary risk associated with the action. funds to restore the status quo as well as to complete the project as originally intended. and likelihood examining causal links between Ð mitigation measures which are put in place but opportunity and project. Ð its effectiveness in containing the risk or should be monitored for performance so that enhancing an opportunity. Agip KOC. Possible methods of does not have any unforeseen consequences. characteristics of the risks and the treatment Involving Involving stakeholders who can designed to address the risk. Enhancing Developing plans for taking full consequences advantage of an opportunity if it Preventive counter measures might. review include performance evaluation. other than those which Ð monitoring of the agreed risk indicators. plan should be formulated. can be implemented should the risk management This is to check that the counter-measure itself. it should provide for sufficient of treating the risk. indicators of likelihood Ð monitoring of the risks so that they can be seen of occurrence should be identified. Re-evaluation of the risks and the search for new ones should take place on a regular basis. This will allow ongoing feedback on than that which the treatment is designed to which assessment and treatment activities are most minimize. This should be agreed by These can include any or all of the following. In parallel be involved as a result of treatment decisions. which will not be operationalized unless the risk arises. plans for dealing Table 6 Ð Opportunities with risk should be incorporated in the general Measure Summary business or project management plan.3. risk is essential throughout the implementation of given the level of the risk. the managers concerned. Communication between managers implementing the These measures should then be compared to the risk treatment measures. involve a decision to use a tried method rather than an innovative approach about which there is less Any treatment measure should be assessed in terms certainty as to outcome. These can then to fall within the previously expected limits. especially treatment measures. Mitigation includes. be monitored as part of the risk treatment plans. Table 6 contains Following the identification of risk treatment a summary of measures that can be adopted to measures and risk indicators. the risk management plan. for of the following: example. Uncontrolled Copy. For each risk to be treated. a risk management increase the likelihood of an opportunity occurring. audits. their with this ongoing communication. there should be: interests should be integrated with the previous Ð regular monitoring of resource usage against analyses.

This is partly because more than one namely. and management. identification. Clear lines of with an appropriate level of decentralization (to communication among team members are also ensure individuals and groups actively manage their important. Similarly. or has. and responsiveness. management. especially to manage the risk. own risks). There are however. Risk management should be integrated fully with business and project management. For these business related project risk management are: reasons an incremental approach to business and Ð developing the organization's policy for risk project development is less risky. The management of risk can usefully be treated as a sub-process of the business or project. to continuously consider and monitor At the same time. within which senior members set the Ð establishing a programme for managing risk at framework of tasks for those lower in the organizational. If this From this perspective. if there is not a specialist risk including that arising from their own decision co-ordinator or manager. f) A clear hierarchy of responsibility and Ð establishing the organizational infrastructure. This person or department has done all that is necessary works by encouraging everyone. project and hierarchy. there is a risk that people making and actions. leadership. if there b) A culture of risk management needs to be is a separate manager for the risk management developed and encouraged throughout the function. is decentralized to permit prompt and flexible Ð monitoring and reviewing the effectiveness of responses to local conditions. the management guidelines doesn't happen. their job. The risk manager should take account of the following factors. information and ideas held by other set out in BS 6079-1 can be applied to the people will not always be understood or accepted by management of risk within any business or related management. other people will tend to assume that business. BS 6079-3:2000 4.4 Managing the process e) Elements of the ªlearning organizationº This subclause draws attention to some issues in the approach. managers. some additional points enhanced when there is a better understanding. on that can usefully be emphasized in the particular the part of those supporting them. the Licensed Copy: Rupert Heygate-Browne. then people act as if that the associated risks.  BSI 01-2000 15 . This advice is a) Duplication and overlap of functions and tasks aimed at meeting one of the shortcomings of the can make a reliable system out of less reliable functional (staff and line) approach to managing. Uncontrolled Copy. analysis. and fed through into its projects. Risk management can be significantly project. responsibility will. decision making sub-project levels. (in order to ensure an overview and intentions and appropriate levels of involvement that overall risk management is actually carried out) enhance understanding. been met. For risk. that if something is someone else's perspective is brought to bear on a problem and responsibility. of the situations context of managing the risk management process faced by those taking ªriskyº decisions as part of itself. in particular a willingness to learn from process of managing business related project risk. 30 September 2003. There is clearly a need to balance functional d) High levels of communication of plans and centralization. Agip KOC. (c) BSI Risk managers should involve all key members of the setting up and successful implementation of a risk business and its projects in the process of risk management strategy can be treated as a project. cross-organizational. mistakes (and to avoid allocating blame) contribute to awareness and to a willingness to Four key steps in the effective management of raise potential risks for consideration. will assume that someone else is taking care of risks c) Training and simulations (exploration of that they do not themselves directly identify and ªwhat ifº scenarios) can heighten risk awareness manage themselves. parts. Within this framework. organization's management of risk.

This annex attention to how the communication is made. Uncontrolled Copy. the organization chart for a project could All these can affect the project itself. one business. should be integrated with the overall sponsor. and the management and development of risk to business and project management effectiveness. BS 6079-3:2000 Annex A (informative) exchange messages on. it is important to pay organizational and technical processes. and management of structures within a project and with the business communications. risks might go unrecognized or emerge later than and the management of associated risks. In face-to-face more technical aspects of communicating. or hinder. process requiring attention to a large number of When sending messages. communication in the context of business and project the overall communication process and do much to risk management will not be just about risks. The draws attention to some important factors that should words in a communication contribute only a small part be attended to. (c) BSI of what is received. how they receive messages. the structures of the organization. In this context. and ensuring that communication. also affect how the message key aspects of the communication process as follows: is received. such as subordinates' fear of They also have an important degree of control over blame. other factors such as effectiveness and minimizes risk. Only then can an Communication timing also affects non-face-to-face appropriate communication strategy. The way in which these messages are sent and received can have an effect on Communication in risk management overall project risk itself as communication about risk Effective communication about risks is a critical factor influences risk perception. stakeholders is designed to achieve. and stakeholders' place. This is why there needs to in risk management. communications. be a significant management. about anything else stakeholders feel the need to 16  BSI 01-2000 . Licensed Copy: Rupert Heygate-Browne. These are likely to be different in every Managers should also bear in mind that situation. that maximizes communication. structures do not hinder this process. and should take account of Emphasis has been placed in these guidelines on the risk perception issues (see annex C). Informal channels can also help. have direct necessary or desirable. It is important that formal relationships (see annex D). can in itself. the physical appearance of a written document. Attention should be given This results in ineffective or inaccurate upward to sending appropriate messages. they work. and the timing of communication. managers communication. to seeking to educate communication factors vary according to how the and develop understanding. The between the formal and informal communications communications strategy. Care should be taken that Effective communication management requires an this does not develop in ways that threaten the appreciation of these channels. or fear that higher managers will not listen. dress). the use of of purposes that communicating with particular space. Both to ensure that good upward communication does take communications to stakeholders. can affect communication among often informal ones outside the control of managers. Where projects involve more than stakeholders themselves. Upward communication can be control over sending messages to other stakeholders. Before attending to the communication is being made. but also encourage risk identification. what they are. risk management process. be developed. It is vital to effective risk management messages received are interpreted correctly. whether in be integration between business and project risk general or about risks. and the process be quite complex. a) sending of messages to other stakeholders by the Communicating within an organization is affected by business and project managers. important non-verbal factors include should therefore decide on the purpose or combination body language (facial expression. This could be relatively simple for a c) independent communication amongst single organization. Managers therefore. and how business or project. the communication strategy. Poor communication. Non-verbal the basis of managerial authority. hindered by other factors. or the The communications strategy should cover the three nature of language used. and communication. It is important to ensure a fit of business and project risk management. The need for upward communication of information about communications strategy should be developed in risks perceived to be beyond the handling capacity of tandem with the strategy for managing stakeholder those at that level of activity. perceptions of how managers received their Communication also takes place along other channels. An organizational chart is a diagram of the formal lines of b) receipt of messages from other stakeholders. and this can strongly influence the meaning ordering or instructing someone to do something on that the recipient gives to the message. and the needs of the communications strategy. Non-verbal communication also The reasons for communicating vary greatly from occurs. otherwise the Managers concerned with the business and project. stakeholders themselves. understand and using a medium with which they are Achieving effective communication of risk is a complex comfortable. always have to bear these two Care should be taken to express any message using considerations in mind when communicating in the words and images that the target audience can context of risk management. Agip KOC. 30 September 2003.

The process of listening is This was originally developed for public sector therefore also critical to effective communication.1 Assumptions analysis Licensed Copy: Rupert Heygate-Browne.6 Systems dynamic modelling be alternative interpretations.2 contains a selection involves the scrutiny of statements of belief concerning of business strategy analysis tools that can be used in future outcomes and an assessment of their stability conjunction with stakeholder analysis to aid risk and significance to the project. and sub-project relationships. or where there is Cumulative frequency plots are often used to represent uncertainty about precise objectives and actions. The advantage of checklists is that they can SAST attempts to explore and bring to the surface. Further statistical analyses can identify B. effectively. 30 September 2003.3 Risk management and analysis tools Business and risk management tools and B.3 Checklists allocation. It is designed for use messages.2. The plotting of these ªSº shaped facilitator is useful.2. A process of group identification and discussion of risks which is mediated by a facilitator. It is designed for group use. often based on facilitator is required. Discussion is B. real-time interactive computer based support system. It Tasks are assigned a value of between zero and 100 % is designed for use in groups.4 Criticality analysis analysis Often used in conjunction with Monte Carlo This has been developed from psychology and social Simulation. Facilitation is required. environment. project. It requires a facilitator.3. and can be used in group situations.1 Decision conferencing further analysis can be assigned to a risk ªownerº. however. A project budgets. and the effectively is about actively decoding and interpreting inter-relationship between issues. The list in B. Strategic choice requires a strong facilitator hearing or reading superficially.2. It uses a might actually be trying to communicate. BS 6079-3:2000 Managers typically spend more of their time receiving B. and what the sender This is based on control system theory. options and their relative utilities. A process project to allow identification of risk. This will result in a list management in the context of the business. and is based on the need to manage although it is usually taken for granted.2. This soft-systems methodology is a systematic thinking process for tackling situations where problems and B.2.2.3 outlines B.1 General identified areas of uncertainty.3.  BSI 01-2000 17 . They underlying assumptions of management control can. Listening uncertainty about values. whether there might B. and is used extensively for strategic questions about resource B. Checklists should be kept flexible enough to allow B. the project. be structured to rapidly identify sources of risk. Skilled and purposeful facilitation of this process is This is based on decision analysis.2 A selection of business strategy techniques kept as open as possible by discouraging criticism. and is different in quality from merely in groups. B. and usually Checklists contain questions on specific areas of the makes use of computer based tools. past project experience within an organization.2 SAST Ð strategic assumption surfacing changes in the format as project experience informs and testing practice.2 Brainstorming major risk management and analysis tools and techniques. and is very facilitator according to their potential to affect the duration of dependent. Annex B (informative) B.5 Strategic choice than sending messages. possible risks are discussed planning constructively and those risks thought worthy of B.4 SSM Ð soft systems methodology which activities are most likely to introduce the most uncertainty to the project. In order to listen although it can be used by a group facilitating itself. It is the likelihood of certain milestones achieving targets regarded as appropriate for any type and level of and are often used in determining bid prices and problem identification and problem solving activity.3 SODA Ð strategic options development and B. Agip KOC.3.5 Cumulative frequency plots (S curves) issues can at first be unclear. computer program to provide feedback. be overly prescriptive and overlook risks systems and actions. which are not based on past project performance.3. that support management decision making and Once identified. managers should pay close attention to how they are interpreting a message. This process principally This annex contains two lists.3. and considers essential. (c) BSI techniques Assumptions analysis is a process designed to formally record and assess the assumptions underlying B. criticality analysis identifies which activities psychology as a negotiating method and uses a could become most critical if not effectively managed. of identified project risks which require further action. Uncontrolled Copy. planning issues. B. curves can be used to quantify the interaction of the likelihood of certain events and their cumulative effect upon the project as a whole. though not essential.

They permit the characteristics. Event trees show the various which can be used for the management of those risks. BS 6079-3:2000 B. following stages. including the intended design conditions. usually courses of action.3.3. Interviews can sometimes be of the project common throughout the activities.11 HAZOP study Hazard and operability (HAZOP) methods were originally developed for use in the chemical industry Annex C (informative) but are equally appropriate for other process plants. and eventually risk treatment from other known probabilities.3. initial event. each part of the process is reviewed to largely through causing us to make assumptions that discover how deviation from planned performance can might not always be accurate. for example.3.9 Event tree analysis B. any calculation of the probability of different outcomes quantitative indicators. These can be project which most effect the outcomes.3.3. This method is a process of quantitative simulation of B. This project risks and their outcomes.14 Prompt lists Licensed Copy: Rupert Heygate-Browne.3. Agip KOC. as a fault tree.3. These are then evaluated according monetary value (EMV) method. In risk management. A deductive method of working backwards from a B. Risk registers can be more or less detailed and B. This allows the to assessments of probability and can involve calculation and selection of the best yielding computer simulation of complex relationships. HAZOP studies undertaken in pure objectivity and rational behaviour is usually the design stage can result in avoidance of some risks impossible because of the ways in which we perceive through project re-design. way in which we do this affects our decision making.6 Decision analysis B. the occur. analysis can be performed through spreadsheet As these fault trees are often complex.3. 18  BSI 01-2000 . FTA works by Sensitivity analysis is a form of quantitative modelling consecutively analysing the previous functional system. plans. 30 September 2003. brainstorming session. First. Finally. ªspider plotsº or ªrisk return graphsº for ease of interpretation.10 Fault tree analysis often play an essential role in risk management.1 General and operability problems throughout the whole production process and it often proceeds through the Perception relates to how we see things and situations. Interviews can risks will be explored.3.15 Risk registers and databases A tool for representing the sequence of possible This comprises a document or database which lists all outcomes following the occurrence of a specified identified risks along with other useful information. These the only way that information can be elicited where can be a useful focus of attention during a group sessions are impractical or inappropriate. Uncontrolled Copy. Understanding this helps managers to devise ways of controlling the risks that arise from the limits on our ability to be objective. the form of ªtornado chartsº. It often utilizes the expected depicted as nodes. Sensitivity analysed in either a qualitative or quantitative fashion.13 Monte Carlo simulation in undertaking the project. However. in can depend on sophisticated mathematical formulae. It Risk perception is a procedure for systematically identifying hazards C. Prompt lists are created in order to ensure that a B. The analysis identifies those elements of the conventional symbols. including their ranked importance. problems is specified.8 Expert interviews broad range of categories of project risk are examined in the risk identification process. using explored. a full description of the plant is and is a critical factor in risk management because the undertaken. B.7 Delphi technique possible outcomes through generating values and Structured method of consulting a group of experts on weights for each possible outcome. quantification software and the results represented. alternatives in relation to the organization's objectives B. (c) BSI until it is felt that a consensus has been achieved.3. a detailed assessment of how these aim should be to achieve as thorough and as objective deviations can result in either hazards or operability an assessment of a situation as possible.16 Sensitivity analysis ªtop eventº resulting in system failure. combinations of events and the ways in which the Risks are listed with information about their chain of events can be broken. risk.12 Influence diagrams Decision analysis is a method used to determine Influence diagrams are used to represent chains of optional strategies and choose between alternative causation between events and decisions. which allows combinations of ªwhat ifº scenarios to be These chains of causation are then represented. Secondly. Prompt lists will Interviewing technical experts is often used to identify identify headings appropriate to each project in which and assess probable risks in the project. independently and then circulated amongst the group B. B. Some might begin by working be relatively structured or unstructured but should be through activities while others concentrate on aspects systematically recorded. This process is computer-generated simulation results in a probability usually conducted by a chairperson who structures the simulation of possible model outcomes which can then consultation so that opinions are first collected be used by the project management to evaluate risks.

Objective risk assessments can diminishes. 30 September 2003. which the risk is being perceived. while car passengers and others not in more objective can find themselves labelled as control of the situation. Managers do not it to be responsible for a number of near and actual always recognize long range planning as worthwhile disasters. or opportunities. Licensed Copy: Rupert Heygate-Browne. when considering relationships with stakeholders. Among the most f) Perceived importance important factors are the following. group perception. there is a high level of group synergy. and. Conversely. and so give tomorrow's urgent problem more The second kind of group behaviour that can pose a attention. or that probability or likelihood of occurrence. e) Presentation of things or events with obvious adverse consequences for any attempts at The way in which things are presented to the an objective risk perception. but dependent on someone ªnegativeº. This can they feel they understand. can manage. obvious. and overlook others and perceptions of risk vary with a number of factors because of the way we perceive the problem in the related to the individual. It also affects what we expect is opportunity. and level of risk. If people feel something is important. they tend to People tend to underestimate risks associated with overestimate the risks involved. as well as those of others. an outcome. b) Relative place in space C. it overestimate the risks from the same thing. and the circumstances under first place. there is a tendency to overestimate decision making. who perhaps know each other well.4 Risk perception and stakeholder perception of the kind of risk. decision maker has been shown to influence C. or both. we look for risks we Perception of risk by individuals is highly subjective. A manager familiar relationships. Car drivers underestimate the risks from be lost in all this and someone who attempts to be their driving. are justification. own perceptual limitations. It is particularly things or events are presented in a negative light. not an actual individuals. while the general public Since a) to f) all feed through into risk management. perceptions of desirable outcomes. People is important to take them into account if risk who play football. Experts often happen with perceived threats. present things or events to themselves affects how and how perception influences stakeholder they perceive the risks involved. and have shown always given sufficient attention. Others objectively as possible. overestimate the risks. issues of risk arising from human factors C.  BSI 01-2000 19 . but in reality what is shaping Where the group is composed of like-minded people's perceptions is the distance. with technical issues will generally overlook. If things are presented in a positive The way we perceive something not only affects our manner. or rock climbing. and evaluation of actual risk. BS 6079-3:2000 Risk perception issues can be considered under three This has another side ± the way in which individuals headings ± individual perception. underestimate the risk of injury in football. It is vital to be aware of our however. rather than exaggerate the problem or situation without becoming involved in minor issues of the day. their perception of the risks involves easily be exacerbated. and what we desire. Agip KOC. for example. else being in control. Uncontrolled Copy. such as wanting to be seen as eager and willing by d) Degree of personal control important members of the group. or engage in adventure sports.2 Individual risk perception or behaviour. management is to proceed as effectively and as have a fair idea of the risks they run. and understanding of risk in different situations. or downplay. a a) Familiarity and understanding decision. This happens because the As with space. Subconsciously. than those far away.3 Perception by groups Things or events people perceive as being physically There are two kinds of behaviour in groups that affect near to them are often seen as posing greater risk risk perception and identification. the group can begin to act too well from the perspective of objective c) Relative place in time risk identification. The two kinds of group behaviour can act together. and overestimate the risk from sports like hang and to take remedial steps to check our perceptions gliding. or as incurring risks that need situation. This can happen even when the benefits of risk occurs when members of a group begin to concentrating on the longer term. important to take account of expectations and there is a tendency to overestimate threat. the problem can event. There can be some more objective truth in this. Since others in the If someone feels they are controlling some thing or groups can also have similar motives. (c) BSI underestimate risk. if likely to happen. On the other hand. Psychologists have called seen as occurring at a more distant time are not this kind of behaviour ªgroup-thinkº. things occurring soon are seen as individuals in the group assume too much about a inherently more risky. regardless of the things or events that are familiar to them. no one notices. because they all make the same attending to without delay. or benefit from. relationships involved. and underestimate threat. things assumptions. They can do this for a variety of reasons.

if a stakeholder feels that they have an interest. ranging from understand. Many risk factors stem from the also be important to ensure that teams are not too expectations and perceptions that different project ªcomfortableº as a result of having worked together stakeholders have of the project. groups. (c) BSI particular risks are not properly taken into account in main ways: project risk management decisions. inhibit. provides an indication of project boundaries. and projects. Stakeholder analysis is another. and significantly.5 Implications for risk management boundaries. This follows from consideration of Whatever the nature of their interest. they should be aware that other organizations. they can be affected by the business on the risk to be managed. management tools and techniques do not encourage Identifying other stakeholders draws attention to attention to the human and organizational factors objectives the project has to achieve in order to reach affecting business and projects although it is widely the intended goals. Ð identification of the wider business and project C. Interests stakeholder relationship to the project can change are defined by individuals and groups themselves. and overcome. and the way in which it and its projects. Introduction of newcomers can help stakeholders are. If those expectations are not met. important stakeholders can lie outside those inner How stakeholders perceive project risks can be boundaries. stakeholders' hostility to the project. should be managed. rather than project objectives. managers can incur Ð identification of risks and risk sources. If their assessment differs from that of the project risk to the project and perhaps to the business. and treatment. or what that interest is. Traditional risk limiting concern to a narrower set of activities. Other management processes. and in terms of processes. stakeholders will not always make the same who have an interest in the business or project. they can place different values and priorities have this interest. the consequences of perceptual problems Ð identification of the wider business goals and and issues are potentially negative (threats. The consequences for business related project risk management are that if stakeholders' perceptions of Stakeholder analysis helps risk management in four Licensed Copy: Rupert Heygate-Browne. and the fact that there is no expert consensus on a particular issue will then be overlooking significant causes of risk. Because they addition. It can risk factors. interests are. and objectives that have to be fulfilled in order to reach the Annex D (informative) project goals. opportunities). Failure to do so increases the likelihood of opposing viewpoints. But if they are in a communication. or can wish to exert an influence. Understanding risk perception (see annex C) is one way to begin to handle these factors. In general. they can pose a risk to the project. They can therefore be difficult to influenced in various ways. enables business and project managers to teams require effective management to ensure that identify potential areas of conflict. to participation in the project. including business and project teams. Project boundaries extend beyond the business or businesses concerned to include all Stakeholder analysis relevant stakeholders. the more they are able to identify potential cross-functional groups have been found useful. identification can be managed by seeking a variety of The more a manager knows about the business or its perspectives on an issue. in assessment. In this way. and hence require particular attention in order to deflect. Experts can be challenged by others with analysis. or both. However. accepted that these factors are major sources of risk. and attitudes to risk and outsiders who have little to lose or gain from performance. They can identify different risks. Ð identification of the relationships between The risk posed by perceptual biases to risk different types of risk. or influence. control. then the who has an interest. outcomes. Project managers should assess this risk unrealistic limits on stakeholder and risk analysis. approaches to roles newcomers' contributions are not excluded. and what their perceptions and to minimize the possibility of ªgroupthinkº. position to pose risks to the business or project. Multi-functional teams. 30 September 2003. 20  BSI 01-2000 . Engaging in these kinds of activity can also pose attempts should be made to include them in the risk further risks. involvement in the project or the business can also It is not enough to identify stakeholders who are part help the objectivity of the risk identification and of the business or project organization. Uncontrolled Copy. and imposes exposed. alongside the potential of threats from failing to meet If a project's stakeholders are identified. this also stakeholders' expectations. managers. BS 6079-3:2000 When business and project managers assess risks for Stakeholders are all those individuals. it is possible to gain Stakeholder analysis has been found to be particularly a fuller appreciation of the potential scope of risks useful in risk management and as a general support to associated with the project than would be achieved by management decision making. Understanding who well in the past. Including and responsibilities. then they will also have different expectations about when and how that risk is to be It is not up to business or project managers to define managed. Agip KOC. the existence of individual and group factors affecting perception of that interest means that they are a potential source of risk.

floods. (c) BSI understanding of relationships between stakeholders The following list notes the major legal considerations that can be built upon. Ð poor staff selection procedures. and decisions about relevant that can affect business risk: types and appropriate levels of stakeholder Ð unforeseen inclusion of contingent liabilities. Ð human error/incompetence. To develop this strategy can require Ð pollution incidents.  BSI 01-2000 21 . E. can occur in association with a business and its Ð management under performance. financial. E. stakeholder analysis is a tool in total risk Ð change of government. Ð collapse of contractors. Ð corporate policies.). It also requires E. Uncontrolled Copy. The following list notes the major technical Ð perceptual errors regarding risk. Ð management competence. project risk E.8 Technical/operational Ð vested interests. Ð professional negligence. Ð market fluctuations. Stakeholder identification and analysis enables Ð higher than anticipated compensation costs. and the extent of The following list notes the major economic involvement of stakeholders in this analysis has to be considerations that can affect business risk: judged at the time.7 Commercial E. Annex E (informative) Ð inflation. Ð fraud. as well as those further away. The strategy towards The following list notes the physical environmental stakeholders should aim to minimize the threat they factors that can affect business risk: could pose to the business project. or new stakeholders involved or E. On occasions it can be risky to share stakeholder analysis too publicly. Ð changes in tax or tariff structure. Ð performance failure.5 Legal Licensed Copy: Rupert Heygate-Browne. and maximize any Ð natural disasters (earthquake. Ð loss of intellectual property rights. Ð increased costs of revenue collection. BS 6079-3:2000 Finally. Ð cost and time over-runs. requirements. also be linked to the risk communication strategy Ð storms/tempests. understanding of any conflicts of interest between Ð aircraft/ship/vehicle collisions.4 Environmental stakeholders on particular issues. Ð poor leadership. Many different types of risks. Ð personality clashes. 30 September 2003. Ð management practices. technical. This process should landslides etc. The following list notes some of the external factors (stemming from government. It should be noted that the listing is not comprehensive. regulation and society) Ð operation lifetime lower than expected. Common examples of business and Ð failure to meet revenue targets. strategic. Ð residual maintenance problems. (e.g.1 General The following list notes the major commercial The following subclauses list some of the most considerations that can affect business risk: common types of business and project related risk that Ð under performance to specification. Ð inadequate authority. opportunity they could provide. Ð unexpected regulatory controls or licensing Ð dismantling/decommissioning costs. such as Ð war and disorder. Agip KOC.3 Political/societal Ð structural failure. considerations that can affect business risk: Ð individual or group interests. can be traced Ð failure to obtain appropriate approval to the behaviour and decision making of stakeholders.6 Economic/financial identified. Ð interest rate instability. including those close to the project. planning consent). and reviewed whenever major arrangements. Ð lack of clarity over roles and responsibilities. Ð exchange rate fluctuation. stakeholders. Ð failure of plant and machinery. projects. Ð shortage of working capital. (annex A). E. Ð insolvency of promoter. participation at different stages of the project. Ð inadequate design. changes are made. Ð safety. that can affect risk in business: Ð residual value of assets lower than expected. identification. managers to develop strategies for handling relationships with particular stakeholders or groups of E. Stakeholder analysis should be undertaken at the Ð failure to achieve satisfactory contractual beginning of a project. Ð insufficient capital revenues.2 Human factors Ð failure of suppliers to meet contracts (quality or The following list notes the major human resource issues that are associated with business risk: quantity or timescales). and so on. Ð nationalization.

the terms may include royalty payments or a licensing | | agreement. | | the identity of which can be found on the inside front cover. Except as permitted | under the Copyright. Contact the Information Centre. | | | Subscribing members of BSI are kept up to date with standards developments and | receive substantial discounts on the purchase price of standards. | | Fax: 020 8996 7048. | | Tel: 020 8996 7070. It is | incorporated by Royal Charter. | | Fax: 020 8996 7001. Tel: 020 8996 9000. | | | In response to orders for international standards. Tel: 020 8996 7111. For details of | | these and other benefits contact Membership Administration. unless | | otherwise requested. | | | Copyright | | | Copyright subsists in all BSI publications. of | | the publications of the international standardization bodies. | | | Revisions | | | British Standards are updated by amendment or revision. We | | would be grateful if anyone finding an inaccuracy or ambiguity while using this | British Standard would inform the Secretary of the technical committee responsible. of | | necessary details such as symbols. Tel: 020 8996 7002. international and foreign standards publications should be | | addressed to Customer Services. | | stored in a retrieval system or transmitted in any form or by any means ± electronic. type or grade designations. | | | If permission is granted. | | | It is the constant aim of BSI to improve the quality of our products and services. Agip KOC. Details and advice can be obtained from the Copyright Manager. | | | | | | | | | BSI | | 389 Chiswick High Road | | London | | W4 4AL | | | | | | | . BSI also holds the copyright. | | | Information on standards | | BSI provides a wide range of information on national. Fax: 020 8996 7001. recording or otherwise ± without prior written permission from BSI. If these | | details are to be used for any other purpose than implementation then the prior | written permission of BSI must be obtained. | | | BSI offers members an individual updating service called PLUS which ensures that | | subscribers automatically receive the latest editions of standards. | | Fax: 020 8996 7400. Designs and Patents Act 1988 no extract may be reproduced. Tel: 020 8996 9001. it is BSI policy to supply the BSI | | implementation of those that have been published as British Standards. in the UK. and size. | | | This does not preclude the free use. (c) BSI | | Buying standards | | Orders for all BSI. Various | | BSI electronic information services are also available which give details on all its | | products and services. Uncontrolled Copy. 30 September 2003. | | photocopying. Users of British Standards | | should make sure that they possess the latest amendments or editions. European and international | | standards through its Library and its Technical Help to Exporters Service. | Licensed Copy: Rupert Heygate-Browne. It | | presents the UK view on standards in Europe and at the international level. in the course of implementing the standard. BS 6079-3:2000 | | | | | | | | | BSI Ð British Standards Institution | | | | | | | BSI is the independent national body responsible for preparing British Standards.