
AACE International Recommended Practice No. 63R-11

RISK TREATMENT
TCM Framework: 7.6 – Risk Management

Rev. August 23, 2012


Note: As AACE International Recommended Practices evolve over time, please refer to www.aacei.org for the latest revisions.

Contributors:
David C. Brady, P.Eng. (Author)
James E. Arrow
Dennis R. Hanks, PE CCE
John K. Hollmann, PE CCE CEP

Copyright © AACE® International AACE® International Recommended Practices


INTRODUCTION

Scope

This recommended practice (RP) of AACE International defines the expectations, requirements, and practices for
risk treatment. This RP follows the steps identified in RP 62R-11, Risk Assessment Identification and Qualitative
Analysis. In this process, an action owner is assigned who, working with the risk team, is responsible for devising
and implementing risk response plans for those risks that were not deemed acceptable in the qualitative analysis
screening step. It expands on TCM Framework section 7.6.2.3 Risk Treatment and leads into 7.6.2.4 Risk Control.

In TCM, the risk management process is applied in the strategic asset management, as defined in RP 10S-90, Cost
Engineering Terminology, and project control processes. In the strategic arena, the project has not yet been
selected, so the treatment focus tends to be on devising alternative asset or project solutions that mitigate the
risks while meeting business objectives and requirements. In project control, the risk treatment focus is more on
tactical refinements (per TCM 3.3.1.4 - identify creative alternative solutions, leveraging value engineering for
example, and, through a formal quantitative analysis process) of project scope, conditions, plans and deliverables
as well as developing contingency plans. This RP is intended to be generic to either focus area or any project scope.

Purpose

This RP is intended to provide guidelines, not a standard, for including risk management during the planning of a
project or asset management that most practitioners would consider to be good practices that can be relied on,
and would recommend for use. It will provide a foundation for risk control.

This RP will outline the processes and practices but is not a detailed “how-to”. In that respect it will most benefit
those that are new to risk management or decision and risk management professionals who want to refresh their
knowledge of recommended practices.

Background

This RP is intended to elaborate on the required skills and knowledge of decision and risk management
professionals as identified by AACE International. It summarizes and clarifies the practices in the context of the
TCM process.

Prior to treating risks, they must first be identified and qualitatively analyzed or screened. Once the unacceptable
risks (a risk not identified for the "accept" treatment as described in TCM 7.6.5.3, Risk Treatment) have been
passed on for treatment, the treatment planning process should begin as soon as practical to ensure the
treatments are properly implemented.

This RP is consistent with TCM Framework Section 7.6 Risk Management which identifies the key actions to be
performed during risk treatment:
• Evaluating all appropriate response strategies.
• Selecting an appropriate risk response plan strategy (or combination of strategies).
• Developing action items in support of the selected response.
• Validating proposed actions with assigned actions, including dates for implementation.
• Ascertaining post-response targets and gains.

• Ascertaining response plan resource requirements.
• Updating project schedule and/or budget if the treatment results pass decision making and change
management criteria.
• Identifying any secondary threats or opportunities that may arise from the response.

The treatment process is interactive with the project control change management process because proposed
treatment actions or risk responses are potential changes to the project plan. In some cases, treatment may be a
planning process because it does not actually implement or control the response work and therefore should be
developed in conjunction with project controls. This RP includes a discussion of the linkage of treatment planning
and change management; however, it is not the primary reference for change management practices.

RECOMMENDED PRACTICE

The risk treatment process follows risk identification and qualitative analysis. In this process, an action owner is
assigned to work with the team and is responsible for devising and implementing risk response plans for those
risks that were not deemed to be accepted requirements in the qualitative analysis screening step. The action
owner and subsequent response plans should be identified in the risk register.

Rather than have the action owner immediately start devising risk response plans, an initial explicit step is added
to evaluate the current risk profile (i.e. the inherent risk). This step determines if a risk safeguard, control or
containment process, procedure, work instruction, facilities or other company asset or project features exist or are
available to manage existing threats or opportunities. An advantage to doing this is that the project manager and
other stakeholders will better understand these safeguards and determine if they are likely to be effective.

Identify Action Owner

As shown in Figure 1, the first step in the treatment planning process is to identify action owners. The action
owner should be the person most affected by the risk or in the best position to implement the action plan. The
action owner is responsible for devising and implementing the risk response plan(s) on behalf of the project and
monitoring and reporting on the status of the response plan and actions. The action owner can be from any level
of the project or enterprise and ensures the treatment planning and actions get completed.

Each risk response may require review and support from project controls as part of the "plans for treatment
option(s)" box in Figure 1. As such, the roles and responsibilities of the action owner must be documented and
agreed upon in integration with the overall project team. The risk response plan may contain many actions or
tasks. The action owner may assign those actions to other individuals. Having a single point of responsibility aids
effective communication and helps maintain accountability. The action owner needs to be identified by the team
analyzing the risk, as that team is in the best position to identify which group may be most affected by the risk and
which team member is the best candidate to own it. It is highly advantageous that the action owner attended the
risk identification and qualitative analysis workshops.

Over the life of the risk management process the action owner may change. For example, the owner may
recommend that a risk be transferred to another party. Upon implementing that response, the other party must
then assign an action owner under their process. If a third party accepts a risk, the original risk owner needs to
ensure that it is not ignored.

[Figure 1: flow chart. Box labels as shown in the figure:]
• Process steps: Qualitative Analysis; Recommendations for Treatment Planning; Identify Action Owner; Assess
Safeguards and Containments; Assess Treatment Options; Plans for Treatment Option(s); Decision Analysis/Selection;
Integrate With Project Control; Contingency Planning; Report; Approval.
• Decision points (YES/NO): ELIMINATE / EXPLOIT?; TRANSFER / SHARE?; REDUCE / ENHANCE?; ACCEPT; Secondary Risks?;
Residual Risk?
• ELIMINATE / EXPLOIT: Who is to eliminate the risk? How is the risk to be eliminated?
• TRANSFER / SHARE: Who is it transferred to? Why is it being transferred? Instructions on what to do.
• REDUCE / ENHANCE: Who is doing the mitigation? How is it to be done? What deliverables are there? Mitigation Plan
Written; Mitigation Plan signed off by Action Owner.
• ACCEPT: Why is it being accepted? Other Significant Consequences. Who approves accepting the risk? Notes or special
things to do.

Figure 1 – Example Treatment Planning Process Flow Chart

Make Recommendations for Treatment Planning

In addition to identifying, defining the attributes of, and rating the risks, the risk identification and qualitative
analysis process may surface many ideas for risk responses. Given this information, specific recommendations for
the treatment planning steps should be developed at this point of the process, i.e. update the risk register for
treatment planning. Any suggested recommendations are not considered to be binding on the action owner at this
time in the development of the final treatment plan. All risks that have not been "accepted" must have an action
owner identified, as well as a due date as to when the treatment plan must be completed, approved, and in place.

Assess Existing Safeguards, Controls or Containments

The action owner should identify all consequences for the identified risk plans. This includes review of all the
existing safeguards, controls or containment features in place or in progress (e.g., containment volumes,
procedure titles, state safety limits, etc.). The list should be specific with as much detail as practical. This should be
done in a group session (coordinated with identification and risk analysis) to get team input and gain common
understanding.

It is important to depend on only those safeguards, controls, or containments that currently exist. Those that may
be in progress and expected to be in place prior to the phase of work in question must not be considered as they
may not be completed in time. As an example, ensure that a new safety procedure is written and is in place, along
with necessary training, prior to construction. For physical containments (e.g., a retaining wall or dyke), this may
require conducting physical inspections or tests.

The risk likelihood and potential impact for existing safeguards should be assessed to ensure their effectiveness. It
may be possible to reduce the risk likelihood, but generally not the consequence as that would change the risk
description and the inherent prior analysis.

An effective safeguard may be able to reduce the qualitative risk analysis ranking by 1; for instance, if the original
likelihood was 5 on a scale of 1 to 5, a good safeguard can make it a 4, a second good safeguard can make it 3. Not
all suggested safeguards, controls or containments should be considered effective. However, the risk owner should
challenge any assessment that results in a risk being accepted as-is.

Re-assessment of the safeguard qualitative scores should include consideration of the estimated cost and schedule
to implement the safeguards. The cost or schedule impact of treatment will have to be considered a consequence
of risk if it is not already accounted for in the project plans.

Assess Treatment or Response Options

A treatment plan should be developed for every unaccepted risk after assessing existing safeguards and
containments. It is often prudent to prioritize this effort based on the severity or qualitative ranking of the risks.
This needs to be determined based on the organization’s risk tolerance. Bear in mind that any risk that is not
treated becomes a “residual” accepted risk with the same risk rating determined during qualitative analysis.

The action owner needs to determine the best risk response action to apply. The response may be one or a
combination of any of the basic actions shown in Table 1 (they are listed in order of preferred treatment).

Threat      Opportunity
Avoid       Exploit
Reduce      Share
Transfer    Enhance
Accept      Accept

Table 1 – Typical Response Strategies

Several optional responses to a risk may be identified and defined by the action owner for additional study and
decision analyses. These additional studies may require assistance of other team members (e.g., estimating,
scheduling, procurement, etc.).

It is critical to keep in mind that late changes are among the most significant causes of poor project outcomes.
Action owners are often likely to be over-optimistic that their response plan will add value. Risk responses may be
potential risks themselves if the response detracts from the efficient flow of work or induces unfavorable
performance. This principle becomes especially true with opportunities as the cost of change must be considered.
This cost typically increases with the progress of scope development and with a greater number of changes.

Risk Responses for Threats

Common questions and responses are listed in this section. The following discussions are focused on risks
identified during front-end project planning. If the risk analysis and treatment are applied during execution, the
response planning may be dealing with a risk that has already occurred or is imminent. Given this urgency,
“contingency planning” is a practice that puts in place response plans to be used if and when a risk occurs. This
should be considered for any threat that cannot be eliminated and is discussed later under the heading, Develop
and Implement Treatment or Response Plans. The risk responses for threats, listed in order of preference, and the
minimum information required to realize them are described as follows:

Avoid

This treatment option eliminates the risk threat by deciding not to start or continue with the activity that gives rise to
the risk (e.g. redesign to remove the risk driver, cause or source; change the execution methodology and strategy to
avoid a risky route; or choose alternatives to eliminate risk triggers or root causes). Avoidance is usually the optimal
solution but is often not a viable option when identified late in project development. As an example, if a piece of
equipment is noted as a safety risk during the conceptual design phases, it may be practical to replace it. If the threat is
not identified until construction, when the equipment is about to be installed, less beneficial options such as “reduce”
the risk may be the only practical choice. If risk avoidance is chosen, the following questions should be addressed in the
treatment plan:
• Who is to avoid the risk (e.g. the project team, operations, business, or a contractor)?
• How can the risk be avoided? Explain what actions need to be done to eliminate the threat entirely.
Prepare recommendations of what should be done, who is doing it, what documents are needed to
initiate or finalize it.

Reduce

This treatment option changes the likelihood and/or the impacts. This is the most common treatment used. Typically,
there is some opportunity available to lessen the likelihood or its impact. It is not common to find ways to reduce both
likelihood and impact. Examples of reduction responses may include making appropriate plans to contain a risk threat
exposure; taking actions to reduce the probability of occurrence; or taking measures to lessen the severity of impact if
or when the risk occurs. If risk reduction is chosen, the following questions should be addressed in the treatment
plan:
• Who is doing the work? This is the resource performing the risk threat reduction effort, drafting the
procedure, etc., under the responsibility and accountability of the action owner.
• How is it to be done? An explanation of how and when the response is to be implemented.
• What deliverables are needed (e.g., a new procedure, a new process, added or changed drawings)?

Transfer

This treatment option passes or shares the risk threat to another party or parties. For example:
• Transferring responsibility for the risk to the owner’s operations and/or maintenance group.
• Transferring it to third parties by changing the execution strategy (e.g. a lump sum contract).
• Transferring the risk to insurance firms.

Note that transferring does not remove the threat from the project. If the risk occurs the project will still likely suffer a
loss of some sort, but may be able to recover some costs (this is particularly damaging to profitability with anything
that delays the start of the revenue stream). If the risk threat is being transferred, the following questions must be
answered in the treatment plan:
• Who is the risk being transferred to? The risk owner must be responsible for arranging to implement the
treatment plan that actually transfers the risk (e.g. initiate insurance, advise new owner of asset, etc.).
• Why is it being transferred? Explain why the risk is being transferred and with whose approval/acceptance.
• What instructions need to be included on what to do? Prepare instructions of what is being done, who is
accepting it, what they should do once it is turned over to them, etc.

Accept

This treatment option retains the risk threat in its original form following an informed decision, and accepts the status
quo. Monitor the situation closely and ensure there is an adequate provision in the budget to protect the project
objectives if the possibility of a contingent response should be warranted. The following questions should be answered
by the treatment plan:
• Why is it being accepted? Provide a justification for accepting the threat and the process used to reach this
decision.
• Are there other significant consequences? Look at other potential consequences even though the financial
impact may be the most significant. For example, is there an associated health and safety or environmental
consequence that may not be acceptable? In such a case, the newly identified consequence may need to be
re-evaluated as a new risk.
• Who approves accepting the risk? Before finalizing the treatment plan, project decision-makers must be
made aware that the risk is being accepted. Once signed off, affected leaders should be made aware of the
risk so they can notify involved parties and follow established procedures and operational controls.
• Make notes of issues and concerns to monitor throughout the project. Unique aspects of the risk should be
highlighted and noted in the risk register.

Risk Responses for Opportunities

Opportunities for value improvement may be identified at various project phases of execution. They are often
identified as part of value improving practice (VIP) sessions. In TCM, value management and risk management are
integrated processes to ensure that all ways to better achieve objectives are considered. In some practices, risk
and value processes are combined. Keep in mind that during later phases of scope definition, risk responses and
cost of change from opportunity responses must be considered. Response strategies for opportunities, listed in order
of preference, are:

Exploit

This treatment option takes steps to promote that the risk opportunity will arise and that the potential value is captured
(e.g. changing a specification, a scope item or supplier). If the opportunity is being exploited, the following questions
must be answered in the treatment plan:
• Who is to exploit the opportunity (e.g. the project, the owner, or a contractor)?
• How is the opportunity to be exploited? Explain what actions need to be done to exploit it.
• Are there any recommendations? Prepare recommendations of what should be done, who is doing it, what
documents are needed to initiate or finalize it, etc.

Share

This treatment option shares the opportunity with a third party when joint ownership is more likely to capture the
value (perhaps by applying a pain/gain formula). If it is being shared, the following questions must be answered in the
treatment plan:
• Why is it being shared? Explain why the opportunity is being shared and with whose approval/acceptance.
• Who is arranging the sharing process? The risk owner needs to be responsible for arranging to implement the
treatment plan that actually shares the opportunity (e.g. initiate a project change notice with a contractor,
and advise the owner).
• What instructions need to be included? Prepare instructions for what is being done, who is accepting it, what
each party should do, etc. (the implication of sharing is that there is some joint or coordinated effort).

Enhance

This treatment option increases the probability and/or impact of risk opportunities that may add value. For example,
modifying the execution strategy to capitalize on capabilities of a technically advanced piece of construction equipment
or changing the execution strategy to avoid a risky transport route. If the opportunity is being enhanced, the following
questions must be answered in the treatment plan:
• Who is to lead enhancing the opportunity (e.g. the project, the owner, or a contractor)?
• How is the opportunity to be enhanced? Explain what actions need to be done to improve the likelihood or
consequence.
• Are there any recommendations? Prepare recommendations of what should be done, who is doing it, what
documents are needed to initiate or finalize, etc.

Accept

This treatment option ignores the opportunity and accepts the status quo because costs or iatrogenic risks outweigh
the benefits for all impacts. During later execution, this is often the default policy (e.g., under a “no change policy”)
unless the value proposition is overwhelming. In this case the following questions should be answered in the treatment
plan:
• Why is the status quo being accepted? Provide a justification for accepting the opportunity and process used
to reach this decision.
• Are there other significant consequences? When deciding to ignore a risk opportunity based on cost alone,
look at other consequences. Is there still an opportunity to improve safety or environmental consequences?

• Make notes of issues and concerns to monitor throughout the project. Unique aspects of the risk opportunity
should be highlighted and noted in the risk register (there may be openings later to take advantage of the
opportunity).

Develop and Implement Treatment or Response Plans

During initial response planning, several optional responses to a risk may be identified and defined by the action
owner for follow-up study and decision analysis to select the best approach. The most obvious choice should not
be assumed to be the best; an option with greater initial cost may result in less residual and/or secondary risks.
The steps listed below are taken to further define the options and make decisions.

If risk treatment planning is taking place during execution, known risks should be periodically re-examined to
determine whether or not their rating/rankings have changed. If circumstances have changed then the likelihood
and/or impact of a risk may also have changed. Both active and closed risks should be regularly reviewed as part of the
risk management plan or re-assessed when necessary (e.g. if noted trigger events arise).

Evaluate the Scope and Cost (including Schedule and Resources) of Treatments

Clarify the scope of the response strategy and actions, and then prepare plans and estimates as would be done for
any project scope item at the current stage of project definition. If the cost of a response is greater than the
residual cost impact of the risk, ask if the action plan is required or if the untreated risk is acceptable.

Address Secondary Risks

Initiating a response will change the nature of the risk which may introduce a different risk, called a secondary risk.
Secondary risks need to be identified and treated like any other risk. Review all tasks related to the treatment plan to
ensure that no additional risks are generated by these new actions and the potential impact of a secondary risk is
considered in any cost benefit analysis prior to approval and treatment implementation.

Apply Decision Analysis

With alternate plans and costs in hand, use an appropriate decision-making method to select a recommended option.
This may be done by the action owner, but may be a team collaboration (particularly if decisions are made by
judgment; it is best to get multiple opinions in that case).

Assess the Residual Risks

If not eliminated, the risk that remains after making the recommended risk response needs to be qualitatively re-
assessed for likelihood and impact. The results are then entered into the risk register as the residual risk. At project
approval, the impact of residual risks will be part of the quantitative analysis used for budgeting and incorporated into
baseline plans in the form of contingency or reserves.

Contingency Planning

The treatment plan sometimes assumes that the residual risk is accepted post-response in its modified or current
profile and does not address the team’s response if the residual risk occurs. In some cases, a contingency plan (or
contingent response) may be required to reduce the impact of residual risk upon occurrence. Without explicit
consideration of the need for a contingent response, the overall treatment plan is not complete and should not be
approved. The contingency plan (as with baseline plans) must address the project objectives. For example, if the
project is schedule-driven, a very costly contingency plan may be selected because it salvages the schedule completion
date. Later quantitative risk analysis methods for contingency determination must quantify the residual risk impacts
and the response (or range of possible responses) that the team may make.

Coordinate with Project Control (Change Management)

Once a baseline project control plan is in place, the action owner should not make changes to the plan. The proposed
treatment plans must be channelled through the change management/control process. The forecast at completion
should consider each risk and include the estimated cost of risk treatment, possible contingent response, and expected
residual impact. The risk management and change management processes should be closely integrated. Another
reason for integration is that trends and variances identified by the change management process are often the trigger
for a risk occurrence. Change notices are a key source in the risk treatment process.

Obtain Approvals

Once the treatment plan has been developed, the action owner needs to sign off on the plan and residual risk
qualitative analysis rating. Once a baseline plan is in place, management approval occurs through the change
management process in addition to any approval processes described in the risk management plan. If the residual risks
are still rated as unacceptable (i.e. exceed thresholds), senior management may be required to approve the residual
risk with the understanding of its rating and treatment plan. When residual risks have been properly approved, risk
treatment can proceed and the residual risk rating can be reported.

Outputs

At the end of a formal risk session (or series of sessions that include risk identification, qualitative analysis and risk
treatment planning) a report should be written that includes the completed risk register. This report is a key basis
document that will support estimate and schedule planning, including quantitative risk analysis. It also may be a
key document supporting project control (e.g. it documents some contingency plans), forensic analyses (e.g. claims
and dispute resolution), or the owner of the facility and its ongoing operations. For this major deliverable the
following is a typical list of risk register contents:
• Risk Title or Name: What is uncertain? (avoid general issues and concerns)
• Cause: What condition or event results in the uncertainty?
• Trigger: Event, condition or flag(s) that says, for example, “this risk is imminent”.
• Source: Internal or external (e.g. environment, regulatory, engineering, market, etc.).
• Other Attribute Types: Other risk characterizations, breakdowns and attributes.
• Likelihood or Probability of Occurrence: Qualitative ratings.
• Impact or Consequence: Qualitative ratings.
• Overall Rating or Score: Heuristic that combines probability and impact.
• Action Owner.
• Treatment or Response Plan: Summary statement of how this risk is treated or responded to.
• Treatment Status: How are treatment or response actions going (is risk changing)?
• Residual Risk: The preceding entries may all be repeated for the remaining post-response risks.
• Contingency Plan: Summary statement of how residual risk will be responded to if it happens.
• Cost of Treatment: Order of magnitude estimate that includes all costs such as the costs to implement the
treatment, costs associated with the residual risk, and costs for a potential contingency plan.

When the document is finally saved at the end of a session, there should be no deletions of any risk item. If a risk is
determined to not be a risk or a duplicate of another risk, state this and then change the status of the risk item to
“deleted” or something similar. If gaps show up in the numbering system, this may raise questions as to the
integrity of the register. If the identification numbers are automatically being adjusted then it will become
extremely difficult to reference and track specific risk items.

For major projects, a formal report beyond just the risk register is recommended. Stakeholders who read the
report should clearly see what threats and opportunities were considered, the rationale for recommended responses
and decisions where no action is to be taken. The report should include:
• A descriptive title of the review.
• The date that the review was performed.
• A list of all participants.
• A general summary including:
    • An outline of the terms of reference and scope of the review.
    • A brief description of the project or phase which was reviewed.
    • A description of the methodology, procedures, and protocols employed.
    • General comments.
    • Assumptions.
    • Exclusions: Identify and explain unavailability of certain documents, list of items not reviewed, and
    standard procedures and protocols not followed.
• A summary of analysis results: Key performance indicators (KPIs), number of recommended actions, any
special actions or activities to be undertaken, and the potential costs or savings to be gained by
implementing the recommended risk treatments.
• A detailed record of the review proceedings, i.e. the risk register.
• The report could also include an appendix containing:
    • Master copies of the key drawings and documents used in the review.
    • Copies of any additional technical data used.
    • Relevant correspondence between departments, from contractor to vendor or client to contractor,
    etc.

The report (risk register or formal report) is a project deliverable and should be maintained in the project file
system and become part of the turnover or closeout process to the client. TCM includes knowledge management
processes (i.e. historical project data, key risk indicators (KRIs), KPIs and lessons learned) as the foundation for all
asset and project planning. This report is a historical baseline for later analysis of the effectiveness of the risk
management process.

REFERENCES

1. AACE International, Recommended Practice No. 10S-90 “Cost Engineering Terminology”, AACE International,
Morgantown, WV, (latest revision)
2. Hollmann, John K., Editor. Total Cost Management Framework: An Integrated Approach to Portfolio, Program
and Project Management, Morgantown, WV: AACE International. (latest revision)
3. Mulcahy, Rita, Risk Management; Tricks of the Trade for Project Managers, RMC Publications, 2003.

CONTRIBUTORS

David C. Brady, P.Eng. (Author)
James E. Arrow
Dennis R. Hanks, PE CCE

John K. Hollmann, PE CCE CEP
