Professional Documents
Culture Documents
RISK MANAGEMENT
Table of Contents
4 RISK MANAGEMENT........................................................................................................ 4-1
4.1 Background ..................................................................................................................... 4-1
4.2 Risk Management Planning ............................................................................................ 4-2
4.2.1 Planning Inputs ....................................................................................................... 4-2
4.2.2 Planning Outputs..................................................................................................... 4-3
4.3 Risk Identification ........................................................................................................... 4-4
4.3.1 Means of Risk Identification................................................................................... 4-4
4.3.2 Risk Identification Outputs ..................................................................................... 4-5
4.4 Qualitative Risk Analysis ................................................................................................ 4-5
4.4.1 Inputs....................................................................................................................... 4-6
4.4.2 Analysis................................................................................................................... 4-6
4.4.3 Outputs .................................................................................................................... 4-7
4.5 Quantitative Risk Analysis .............................................................................................. 4-8
4.5.1 Inputs....................................................................................................................... 4-8
4.5.2 Analysis................................................................................................................... 4-8
4.5.3 Outputs .................................................................................................................. 4-10
4.6 Risk Response Planning ................................................................................................ 4-11
4.6.1 Inputs..................................................................................................................... 4-12
4.6.2 Planning ................................................................................................................ 4-12
4.6.3 Outputs .................................................................................................................. 4-13
4.7 Risk Monitoring and Control ........................................................................................ 4-13
4.7.1 Inputs..................................................................................................................... 4-14
4.7.2 Monitoring and Control......................................................................................... 4-14
4.7.3 Outputs .................................................................................................................. 4-14
APPENDICES
4 RISK MANAGEMENT
RISK MANAGEMENT
4.1 Background
The goals of risk management are to decrease the probability and impact of adverse events and to
increase the probability and impact of events beneficial to a project.
These processes interact with one another and each can require input from one or more people or
groups, depending upon the needs of the project.
Project risk is an uncertain event or condition that may have a positive or negative effect on one or
more project objective. Project objectives include:
A risk might be a delay in giving possession of site to a contractor. An event that might give rise to
that risk is commencing acquisition and compensation procedures too late. This has identified a
risk and a possible causal event.
Experience shows that the probability of this risk occurring is high and that it can have a high
detrimental impact upon both time and cost. Thus the risk analysis shows that this risk has a high
probability and a high impact.
This means that steps to mitigate this risk should be taken urgently. This requires that a response is
planned. In this case a response would be to commence land acquisition and compensation
procedures in time to complete them before awarding the contract.
Risk monitoring and control would require that the project management team monitors the factors
influencing the granting of possession of site. This would ensure that procedures are in place to
manage events having an impact upon the possession of site and that these procedures are being
implemented. In the case of land acquisition and compensation it would be necessary to confirm
that the process has commenced at the appropriate time and to monitor the activity to ensure that it
is proceeding on schedule.
There are many other risks that can affect a project. The purpose of risk management is to identify
as many risks as possible, to determine a strategy to analyse and assess them and to develop a
response to them. Ongoing management of risks is necessary to revisit previously identified risks
and to identify any new ones. On a subsequent analysis, the probability or impact of a previously
identified risk may be found to have changed thus requiring a reassessment of mitigation activities.
Insofar as claims on a contract are concerned, the risks to be identified are those of events
occurring that might result in claims. However, it is important that risk identification is also used
to recognise events that might offset claims or have other positive impacts upon a project. For
example, a new product or technique might reduce the time taken to carry out an activity.
Claims and Dispute Resolution Manual Final August 2007 Section 4 4-1
Ethiopian Roads Authority
It should also be considered that contributory factors can lie within the organisations of the
employer, engineer or contractor. Contractors are often accused of and are sometimes guilty of
having a lack of resources or using them inefficiently. This can also be true of employers and
engineers.
Part of the planning process is to ensure that all those involved with the project are aware of the
risks that might affect it and of the planning process so that they may contribute to it. The process
also should ensure that the risk management is appropriate for the importance of the project and the
impact that adverse outcomes might have upon the organisation.
Thus an internal matter of changing the bank used by a company might be a matter for financial
staff and the financial director. The anticipated benefits may be that banking and finance charges
will be lower and that banking activities will be performed more quickly and with greater
efficiency. The risks might be that the expected benefits do not eventuate, that debtors are not
advised of the change in bank accounts for making payments or that staff salaries are not credited
to staff accounts on the dates required. The potential impacts upon the organisation may not be
great as they are largely internal and are more likely to create frustration and easily resolved
problems than to result in serious financial loss or to affect the ability of the company to perform.
However, if risks eventuate on a major construction contract, the cost in time or money can be
significant to any of the parties involved. If the employer is unable to give possession of site when
required, it will be exposed to claims for extension of time and compensation. The same applies if
there are changes to the design during construction. The engineer and contractor also face the
possibility of significant losses or damage to their reputation if they do not recognise and manage
the risks that might impact upon them.
Greater effort tends to be put into managing risks that have an adverse outcome than those that
have a positive outcome. The reason for this is that, if the adverse outcomes happen, a loss will
result and the success of the project will be less than anticipated, possibly to the extent of failure.
If a risk, or opportunity, with a positive outcome eventuates, the return to the parties concerned will
be greater than anticipated, in effect a windfall profit. This benefit may not be monetary; it may be
the enhancement of the parties’ reputation, making them more competitive for future projects.
It is preferable to put as much effort into pursuing opportunities as into mitigating threats. The
input into either should always be proportional to the impact it might have upon the project.
The risk management planning exercise should be carried out early, as analysis of the risks
associated with various project options is likely to influence the way in which the project is
executed. In the worst case, such an analysis may demonstrate that the project should not be
pursued in the format currently under consideration.
A risk assessment should be carried out at the beginning of each stage of the project and be
repeated at regular internals to determine any changes in the exposure to threats or opportunities,
whether from risks already recognised or from newly developed ones.
Individuals involved in a project will also have different views of risks and what is acceptable.
These singular outlooks are often constrained by an organisation’s policy statements and
procedural manuals. These will allocate authorities at different levels of responsibility and will
also specify the approval processes through which a risk management plan must pass before it can
be adopted.
The scope of work defines the deliverables of the project and the work that is required to generate
them. A properly defined scope of work provides all stakeholders with a common understanding of
a project’s objectives. It should define not only what is included in the project, but also what is
excluded. This can be of great importance in preventing incorrect assumptions becoming articles
of faith. For example, a contract may include the manufacture and delivery to site of an item of
equipment but exclude its installation and commissioning.
A risk management plan is usually a subsidiary component of the project management plan, not a
stand alone document. Its development requires reference to the project management plan to assist
in the identification of risks and the resources that might be available to help in their mitigation.
It will specify the composition of the risk management team and allocate roles and responsibilities
to its members and ensure that all activities required by the plan have an owner. The reporting of
risks and the implementation of the plan will also be defined. Risk management may be structured
in a way similar to quality assurance (QA) where the person with responsibility for implementing
QA is a member of the project management team and works with the project manager but is
independent and reports to a QA director or senior manager away from the site of the project. The
intention is to ensure that risk management, and QA, are recognised as important parts of the day to
day management of the project but that the person with immediate responsibility for the function is
independent of the manager of the project. In this way the risk manager should not be unduly
influenced by a project manager who is likely to have different priorities with an emphasis on
commercial and programme requirements.
Included in the development of a management plan will be an estimate of the resources and budget
necessary to develop and implement the plan so that these costs can be incorporated into the overall
project budget. This will contain a programme that shows when the risk management process will
be repeated and the associated activities, which should be written into the project programme.
The risk management plan will provide categories of risks and definitions of the probability and
impact of the risks that have been identified.
A Risk Breakdown Structure (RBS) be created to assist in the identification of risks. An RBS is an
hierarchical structure which divides a project into broad categories from which risks might arise. It
then subdivides these categories further to facilitate the identification of risks.
Evaluating the probability of a risk occurring and its potential impact are an essential part of risk
analysis. The probability of a risk event happening can be described as not at all likely through to
extremely likely. Various steps between these two extremes can be assigned numerical values.
The potential impact of a risk event can be classified in the same way. These values can be used to
create a matrix that presents risks in an order of priority.
Often material from a previous, similar project can be used as a basis for plan outputs. These
references should have been updated during the currency of the project from which they are
derived in order to ensure that they are more relevant and to make good any shortcomings.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-3
Ethiopian Roads Authority
Depending upon the complexity and value of the project, a risk management specialist team may be
appointed from inside or outside the organisation to coordinate the risk management process.
Other personnel would contribute at different stages of risk management.
Risk identification is an area, which benefits from input from a wide range of viewpoints. People
involved should include the project manager and senior discipline managers and client
representatives. Other contributors could include industry representatives and other stakeholders
such as end users. All project and organisation staff should be encouraged to consider risks and to
submit any they identify.
External inputs that may assist with risk identification include technical references, databases,
studies, analyses of previous projects carried out by others and material from risk consultants.
Internal inputs can be derived from records of previous projects, which can offer actual data and
the benefit of hindsight.
The scope of work can be a rich source of risks. The scope makes a number of assumptions, which
can be tested for uncertainty, itself a harbinger of risk.
The allocation of roles and responsibilities within the project team, the provision for risk
management in the budget and resource schedule and other outputs of the planning process all
provide material for review in risk identification.
Other components of the project management plan should also be reviewed to reveal risks. The
programme, budget and QA plan should all be assessed for potential risks.
This illustrates why it is important that the people having input to risk identification should have a
wide range of interests and expertise; it ensures a range of different viewpoints and discourages
consideration from only a purely technical aspect, or that of any other single interest group.
Brainstorming has already been mentioned as a means of identifying risks. This is usually
managed by a facilitator. Participants include the project team, discipline managers, stakeholders
and external experts. An RBS can be used as a framework for consideration.
A SWOT analysis is also a popular tool for this purpose. It evaluates the strengths, weaknesses,
opportunities and threats for a project.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-4
Ethiopian Roads Authority
Checklists can be based upon available historical data, including records from earlier projects. A
checklist can be a useful tool, but it is important to recognise that it is not comprehensive and
efforts must be made to identify unlisted risks. Checklists should be updated during a project to
increase its value for future works.
Projects are inevitably based upon a number of assumptions. Some of these assumptions may be
grounded in investigations and surveys, but the interpretation of the data is affected by
generalisations. The more detailed a survey or investigation is, the more weight it provides to
assumptions based upon it. However, an investigation or survey prior to project design cannot be
exhaustive for reasons of cost and time. This means that the design work has to be based on
assumptions used when analysing the data. Assumptions are also used when evaluating the returns
from a project, its economic benefit.
Analysis of the assumptions used when developing, designing and documenting a project is of
great value in assessing risks to a project from inconsistent or unfounded assumptions.
A number of diagram techniques can be used to assist in risk identification. These include flow
charts, influence diagrams, fishbone diagrams, histograms, Pareto charts and others.
The first column in the logframe contains the identified risks. Each row shows the probability,
impact, priority, mitigation activities or responses and the responsible party. The risks are usually
grouped into categories, and sub categories if appropriate.
The logframe is updated at specified intervals, possibly quarterly, when a new or changed risk is
recognised, when a significant event occurs or when a project enters a new phase.
The performance of a project can be improved by addressing high priority risks in the first instance.
Qualitative risk analysis is an objective means of assigning priority to an identified risk. It assesses
and allocates a numerical value to the probability of a risk occurring and does the same for the
impact the risk may have upon the project. The impact is evaluated in terms of the effect upon the
project constraints of cost, programme, scope and quality.
The risk identification process is vital in ensuring that the data used to establish the probability and
impact of a risk is soundly based. As with other parts of the risk management process, risk analysis
should be repeated when new information becomes available, which affects the status of an
identified risk or reveals a new risk. For example, a revised long range weather forecast may
increase the probability that unseasonal inclement weather will occur. This will change the priority
of that risk and may require that anticipatory mitigation activities should be undertaken.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-5
Ethiopian Roads Authority
4.4.1 Inputs
Records from previous projects can be used to indicate the probability of a risk occurring and its
impact.
If the scope of a project shows that it is of a type that is frequently carried out and is well
understood, the risks will tend to be well documented. Consideration should then be given to
project specific risks, which might include those relevant to the project’s location, the climate,
availability of resources, the stability of the country in which the work is to be executed and the
economic status and financial regulations that apply.
However, because a project is of a common type and the recurring risks are well known, they
should not be treated with familiarity but should be assessed critically with due consideration for
project specific factors that may influence the probability of their occurrence or their impact and
thus their priority. The fact that the risks are well known should ensure that there is enough
historical data to assess their priorities with some confidence.
Projects that are at the cutting edge, use state of the art technology or are complex will offer more
opportunity for new risks to occur and so will require greater effort to be applied to their
assessment.
The risk management plan will provide information relating to the roles and responsibilities
allocated to staff managing risk and the project. It will also give details of the budget and
programme for risk management activities and show the tolerance of the project or stakeholders to
general or specific risks.
The risk logframe is an important input as it lists the risks that have been identified and require
analysis.
4.4.2 Analysis
During analysis risks are assessed to establish the probability that they will occur and the impact
that they might have upon the project constraints. This analysis is carried out for both threats and
opportunities.
The processes followed in risk identification are valuable in assessing these properties of risks.
Historical data is very helpful where there is a database of information from similar projects.
Where there is little information about identified risks, knowledgeable and logical assessment is
essential. This can be helped by input from people consulted during the risk identification process.
The available information is used to assign a probability to each risk and its impact upon each of
the project’s objectives. The analysis should also record reasons for the values that are selected
and any assumptions that have been made.
A risk priority rating matrix is generated to provide a risk priority rating. A matrix can use either
numeric values or descriptive terms. In the latter case, a risk with both high probability and high
impact would be rated as a high priority but one with high probability and medium impact may be
more difficult to label. The use of numerical values allows a little more precision, although
interpretation of the results is likely to be subjective.
The probability of a risk event occurring is assigned a value between 0 (never happen) and 1
(definitely will happen). Usually the numbers used range from 0.1 to 0.9 in intervals of 0.2. The
impact of an event may be valued the same way or the size of the increments can change. Thus an
impact could be valued at 0.05, 0.10, 0.20, 0.40, and 0.80. The product of the two values for a risk
is entered into a chart to form a matrix. Risks with a priority rating greater than 0.2 might be
considered as high priority, those with a rating of 0.05 or less as low priority and those in between
as medium priority. An example of a risk matrix is shown in Figure 4-1.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-6
Ethiopian Roads Authority
In this matrix the cells shaded in dark grey have a high priority for action, either to reduce the
probability or impact of the threats or to pursue the opportunities. The unshaded cells have a
medium priority and should be dealt with if possible. The cells with light grey shading have a low
priority and could be placed on a list to be monitored.
Some of the risks may have readily identified and easily implemented responses. These responses
should be implemented regardless of the priority while responses to other risks are planned and put
into action.
A risk priority matrix can be prepared for each of the primary project constraints and the results
combined to provide an overall priority rating for each risk. Depending upon an organisation’s
policies, the weighting for each constraint may differ. This could mean that a risk evaluated as a
high priority on a matrix for effects upon the programme carries more urgency than a similar risk
on a matrix for costs.
The data on which assessment of a risk is based must be accurate and unbiased. It should be
reviewed to ensure that it is adequate for its purpose. It is also necessary to ensure that the risk is
understood fully.
Risks can be put into categories dependent upon their source, the aspect of the works or the phase
of the project they affect in order to determine where the project is most sensitive to risk. This also
assists in formulating responses as one response may be effective in mitigating a number of risks.
An important factor to consider in setting a priority for responding to risks is the lead time required.
Thus a risk with a lower priority rating may have to be attended to before one with a higher rating
because its impact may be felt more immediately.
4.4.3 Outputs
The risk logframe is updated from the results of the analysis. The logframe is used as an input to
provide a list of identified risks.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-7
Ethiopian Roads Authority
The analysis may also add actions to be taken to respond to risks where a response is readily
evident.
The process is applied to risks to evaluate how their occurrence will affect the project as a whole.
The outcome of the analysis is to:
• Quantify how risk scenarios will affect the project constraints and the probability of those
outcomes happening;
• Assess the probability of reaching project objectives;
• Identify risks in most urgent need of attention by assessing their effect upon the overall
project;
• Determine realistic project targets considering the project risk; and
• Provide assistance in decision making, particularly when there is uncertainty.
4.5.1 Inputs
The inputs for quantitative analysis are similar to those for qualitative analysis. Of particular
relevance are the project programme and cost estimates. The analysis uses these to quantify the
effects of risks on the time and cost constraints of the project.
4.5.2 Analysis
Analysis is achieved using various techniques to quantify the outcomes of risk events on project
objectives.
Interviews and discussion can be used to gather information, which will vary depending upon the
distribution of probabilities that is to be used. Information might be gathered on low, most
probable and high scenarios or upon mean and standard deviation. An example of a three point
range for a project is given in the following table, Figure 4-2.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-8
Ethiopian Roads Authority
Investigation 2 4 8
Design 3 5 10
Construction 30 38 58
Total Project 35 47 76
Figure 4-2
It is important to record the reason for the choice of probability distribution so that this information
is available when the analysis is reviewed at a later date.
Continuous probability distributions are used to represent uncertainty in the duration or cost of an
activity or project.
Figure 4-3
Threats push the value to the higher value or pessimistic side of the distribution, whereas
opportunities tend towards the optimistic side. Considering the range of project values in the
previous table, the value 35 would occur where the Y and X axes cross, the value 47 where the
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-9
Ethiopian Roads Authority
distribution peaks and the value 76 where the line meets the X axis at the right. It must be
remembered that the most likely value is that arrived at after considering the quantitative effect of
the risk events. It is not the project estimate or the budget, but the cost in time or value that is
shown to be the most likely outcome after consideration of the effect of the identified risks.
A Monte Carlo simulation is a method frequently used to determine the most likely duration for a
project. It is used in a number of software packages and uses repeated computations or iterations of
the project model.
Each iteration selects a value for each of the risk activities from the ranges and probability curves
established in the earlier stages of the analysis. The total project results are calculated to arrive at
completion dates for the project and milestones. These are only possible dates and are not
representative of all possible solutions.
The iteration is repeated many times using random values for each of the risk activities. For each
iteration, the completion dates for the project and important milestones are recorded as are the
activities on the critical path for that iteration.
At the end of the simulation the dates calculated are tabulated to show the probability distribution
or relative frequency of all possible dates. It is frequently the case that the completion date
estimated as the most likely using a conventional CPM diagram will be shown to have a low
probability of being achieved; figures of 15% and less are common.
This occurs because the duration of each activity used to create the critical path tends towards the
optimistic values. This is reflected in the asymmetric distributions derived from the three point
estimates.
Similar results are found when the cost of risk activities and the complete project are modelled.
If an employer requires a 75% probability of completing a project on time and budget, simulations
such as this reveal that contingencies of 20% or more are necessary above the figures resulting
from more traditional methods.
4.5.3 Outputs
The risk logframe is updated after completion of the quantitative risk analysis. Estimates are added
of project programme and cost outcomes. These list the possible completion dates and costs and
give the levels of confidence associated with them. These figures are commonly expressed in a
cumulative chart of the outcomes against percentage probabilities. An example is shown in Figure
4-4.
This Probability Distribution Curve is based on the values from Figure 4-2 and the triangular
distribution in Figure 4-3.
The columns show the probability of a particular outcome for the cost of the project and the graph
displays the cumulative probability of a particular cost being achievable.
The figure demonstrates that there is only an 18% probability of achieving a cost outcome of
$47 million, the figure selected as the most likely outcome from the triangular distribution. If an
Employer wishes to know the cost outcome with a 75% likelihood of being achieved, the value will
be $58 million. This means that he would have to have access to additional funding of $11 million
to be confident that he had sufficient funds to meet this cost outcome.
This does not mean that the cost outcome will not be $47 million but that there is an 82%
probability that this figure will be exceeded.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-10
Ethiopian Roads Authority
30 100
25
75
20
Cumulative Probability %
75% Probability
$58 million
Probability %
15 50
10
18% Probability
$47 million 25
0 0
30 35 40 45 50 55 60 65 70 75
Cost $ Million
Figure 4-4
The charts can be used by stakeholders and particularly by employers or clients to show what
contingencies may be necessary to have a 75% probability of meeting the cost and programme
outcomes.
The charts will also provide the probability of achieving the project programme and cost objectives
that were originally set.
The output will identify the threats and opportunities, which have the greatest impact upon the
completion and cost of the project.
Response planning addresses the risks in order of priority and allocates resources and activities.
These have to be included in the budget and programme for risk management and for the project as
a whole. The risk manager will be given the responsibility of overseeing the response to each of
the risks that are included in the approved response plan.
The party funding the project may determine that the costs of providing resources and time to
counter a risk are too high and that it prefers to accept the risk. This will depend upon the impact
of the risk on the project objectives and the contingencies that are required to accommodate its
effects should the risk occur.
Risk responses must be matched to the potential impact of the risk; they must be cost effective and
realistic in relation to the project; they should be agreed to by all parties; and they must be the
responsibility of the risk manager or a person who is able to assume ownership of the response.
The person responsible for managing the response to a risk must have the authority necessary to
ensure that the activities forming the agreed response are undertaken.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-11
Ethiopian Roads Authority
4.6.1 Inputs
The logframe, modified by the outputs from the qualitative and quantitative risk analyses, is an
important input to response planning. It provides a list of risks and their priority rating; it indicates
those risks that have to be addressed in a short time; it suggests possible responses to risks; and it
lists risks that should be monitored.
The constraints upon responses are also necessary when formulating ways of reducing threats and
enhancing opportunities. These should be available from the risk management plan and include the
personnel that will be available, their roles and responsibilities and the resources available to them;
the time that will be available within the project programme; and the budget available for managing
risks and responding to them.
4.6.2 Planning
There are three strategies typically used for addressing negative risks or threats.
Risk avoidance involves changing the way the project is to be executed in order to eliminate an
adverse risk; isolating the project’s objectives from impact by the risk; or modifying the objective
that is affected by the risk. The last might be achieved by extending the time for completion,
increasing the budget, changing the scope or relaxing the specified quality.
Risk transfer shifts the impact of a threat and ownership of the response to another party. This does
not eliminate or reduce the risk; it simply transfers it to another party and gives them responsibility
for managing it. This type of response is generally most appropriate for financial risks and usually
involves the payment of a premium to the party that assumes the risk. Instruments through which
this transfer can be achieved include insurance, performance bonds, warranties and the like.
Contracts are used to allocate risks between parties. Ideally risks will be allocated to the party most
able to manage them. The more risk that is allocated to a contractor through a contract, the greater
will be the price requested to carry out the work. This is effectively the charging of a premium in
exchange for assuming the risk.
Risk mitigation reduces the probability or impact of a threat to a level that is acceptable to the
stakeholders. It is preferable to act early to achieve these ends rather than to counter the effects of
a risk after it has happened. Mitigation might include reducing complexity, increasing the
frequency of testing, or obtaining plant from a local supplier rather than from overseas.
If the probability of a threat occurring cannot be reduced, it may be possible to reduce its impact by
using a parallel process. This would provide a degree of redundancy. An example would be to use
two smaller excavators rather than one large one. If one excavator broke down, work could
continue with the second. It might well be less efficient to use two smaller units than one larger
one, but this would be the premium paid to reduce the impact of a breakdown.
There are also three strategies commonly used for dealing with positive risks or opportunities.
Risk exploitation can be used to make sure that an opportunity occurs. This requires that any
uncertainty over whether the event will occur is removed; the probability is increased to 100%.
Exploitative responses include assigning more or better resources to a project to achieve earlier
completion or to improve another project objective.
Risk sharing an opportunity has some similarities to transferring a threat. It involves allocating the
opportunity to another party who is better able to ensure that the opportunity eventuates.
Obviously, benefit must still accrue to the project otherwise there would be no incentive to share
the opportunity. Examples of opportunity sharing include forming teams or joint ventures. It
might be advantageous to form a joint venture with a local organisation in order to benefit from
concessions available to national companies.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-12
Ethiopian Roads Authority
Risk enhancement modifies an opportunity by increasing the probability that it will occur or by
increasing its impact. This can be done by identifying the cause of the opportunity and actively
targeting the conditions that trigger the event.
Risk acceptance is a response that is appropriate for both threats and opportunities. It occurs when
a different response strategy cannot be identified or is too costly. The risk is known but it is left to
the project management team to deal with if it occurs. Provision can be made for assistance to be
made available when required through the establishment of a contingency. This is a form of
mitigation in that resources are held in reserve and can be used for both known and unforeseen
risks.
A contingent response is one that is triggered only if certain events occur. For example, if there is
high rainfall in the catchment feeding a drainage structure, predetermined actions can be taken in
anticipation of flooding. The actions are not initiated until they are triggered by high rainfall
upstream. However, the plan of action has already been decided and has only to be implemented.
The actions required might be as simple as removing personnel and equipment from the water
course or they might include the construction of cofferdams to divert floodwaters from work in
progress.
4.6.3 Outputs
The primary output is updating of the risk logframe or register. In addition to the updates from the
previously performed components of risk management, response planning will add:
• Response strategies;
• Actions to implement the strategies;
• Budget and programme changes necessary for the responses;
• Contingency plans and their trigger events;
• Accepted risks and residual risks remaining after planned responses; and
• Contingency reserves necessary to meet the organisation’s required probability of success.
Updates will also be required to the project management plan to ensure that necessary amendments
are made to the budget and programme.
Contracts should reflect the allocation of risk required by the responses that have been selected.
This is particularly relevant for responses requiring risk transfer or risk sharing. Special Conditions
of Contract or Conditions of Particular Application will have to be reviewed, and amended if
necessary, to ensure that they accommodate the responses that have been agreed to.
Risk monitoring is also required to keep track of recognised risk events; to watch for those that
have been listed for monitoring; to monitor trigger events; and to record the effectiveness of risk
responses.
Risk monitoring should also flag events that require one or more aspects of risk management to be
carried out. The monitoring process will, at the least, identify risks that require attention. This
would then trigger qualitative and quantitative analysis and response planning as required. The
loop would then continue with monitoring and feedback followed by iterative assessment.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-13
Ethiopian Roads Authority
The process will also show whether assumptions that have been used in the project or in risk
assessment are valid; whether a risk has changed; and whether cost or programme contingencies
should be revised.
Monitoring is also an audit process which shows if the agreed risk management procedures and
responses are being complied with.
Another important aspect of risk monitoring is to ensure that actual events are recorded so that data
about the risk management procedures used and their effectiveness are available for use in future
projects.
4.7.1 Inputs
The risk management plan provides information about the assignment of personnel, risk managers,
time, budget and other resources.
The risk logframe or register is a compilation of all the data relating to risks for the project. It
includes details of all identified risks, responses and their implementation and requirements for
monitoring the project risks.
Various project documents and reports should also be made available to the monitoring process.
These would include variation orders as they change the scope and thus the exposure to risks;
quality control reports as they are indicative of whether the specified quality objectives are being
met and how much rework and corrective action is being carried out; performance and progress
reports show problems that arise and progress against the programme; and payment certificates
record cash flow against anticipated expenditure as well as revealing areas of over expenditure.
Audits of the risk management process monitor compliance with it and the procedures it contains.
They also review the effectiveness of the process and indicate whether it requires revision.
Analysis of variance and trends are reviewed using project performance reports relevant to all the
project objectives. This will reveal divergences from the original schedules, which may indicate
the impact of risks.
Risks occur during a project, which have an impact upon cost or programme contingencies.
Reserve analysis compares the amount of risk contingencies required against the actual
contingency remaining in the project. This determines whether reassessment of the contingency is
necessary.
4.7.3 Outputs
Risk monitoring results in the updating of the risk logframe or register. It shows whether the
preceding procedures have been effective in managing risks; it identifies new risks and changed
risks; and it identifies risks that are no longer relevant and can be closed off.
It also provides the actual outcomes of the risk management activities and responses that have been
implemented. This record is of assistance in planning future projects and to concurrent projects.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-14
Ethiopian Roads Authority
The project completion report should contain a summary of the findings of the risk monitoring and
control process for the whole of the project.
The impact of approved variation orders is reviewed in the monitoring process. In fact, risk
assessment should be a step in the consideration of a variation.
The auditing component of monitoring risks results in nonconformance reports and corrective
action requests, which lead to more effective implementation of risk management. Corrective
action reports also list preventative actions that should be taken to correct the implementation of
the project.
Any approved changes to the risk management process necessitate corresponding changes to the
affected components of the project management schedules.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-15
Ethiopian Roads Authority
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-16
Ethiopian Roads Authority
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-17
Ethiopian Roads Authority
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-18
Ethiopian Roads Authority
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-19
Ethiopian Roads Authority
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-20
Ethiopian Roads Authority
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-21
Ethiopian Roads Authority
of works.
• Delays mobilisation of • Provide for both principal and contractor Contract
Force Majeure event L M
construction equipment and to share time and cost risks.
construction of works. • Reprioritise and reschedule airport PMC
• Delays construction activities works.
and increases costs.
• Delays construction activities • Provide for both principal and contractor Contract
Latent conditions L L
and increase construction costs to share time and cost risks.
• Delays during dispute. • Prequalification screening of ICB PMC
Contractor fails to perform in M M
accordance with contract. • Delays to site activities. contractors.
• Delays to other contracts. • Preselect LCB Tenderers. PMC
• Additional remedial works • Minimise concurrent work by specialist PMC
required. contractors at different airports.
• Replacement of contractor. • Transfer quality assurance including Contract
• Potential follow-on security quality assurance reporting to contractor.
problems for principal’s • Maintain direct communications with PMC
representatives. contractors senior management.
Resources
• Personnel conflicts between • CAA secondees employed full time on CAA
Insecurity of employment for H M
CAA staff undermine team AMP.
seconded CAA staff
approach to planning and • CAA secondees accountable for CAA
implementing the project. performing allocated tasks.
• Loss of experience through • Balance distribution of workload between PMC
resignations. internal and external resources by
• Increases CAA’s exposure to enabling CAA staff to participate in
scrutiny by AusAID. contractors design and construction
management activities
• Employment contracts for CAA staff. CAA
• Require contractors to provide training in Contract
airport maintenance documentation for
staff.
• Increases uncertainty of • Provide training program for all staff in PMC
Lack of relevant experience of H M
contents of tender documents documentation and administration of
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-22
Ethiopian Roads Authority
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-23
Ethiopian Roads Authority
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-24
Ethiopian Roads Authority
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-25
Ethiopian Roads Authority
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-26