Ethiopian Roads Authority

RISK MANAGEMENT
Table of Contents
4 RISK MANAGEMENT........................................................................................................ 4-1
4.1 Background ..................................................................................................................... 4-1
4.2 Risk Management Planning ............................................................................................ 4-2
4.2.1 Planning Inputs ....................................................................................................... 4-2
4.2.2 Planning Outputs..................................................................................................... 4-3
4.3 Risk Identification ........................................................................................................... 4-4
4.3.1 Means of Risk Identification................................................................................... 4-4
4.3.2 Risk Identification Outputs ..................................................................................... 4-5
4.4 Qualitative Risk Analysis ................................................................................................ 4-5
4.4.1 Inputs....................................................................................................................... 4-6
4.4.2 Analysis................................................................................................................... 4-6
4.4.3 Outputs .................................................................................................................... 4-7
4.5 Quantitative Risk Analysis .............................................................................................. 4-8
4.5.1 Inputs....................................................................................................................... 4-8
4.5.2 Analysis................................................................................................................... 4-8
4.5.3 Outputs .................................................................................................................. 4-10
4.6 Risk Response Planning ................................................................................................ 4-11
4.6.1 Inputs..................................................................................................................... 4-12
4.6.2 Planning ................................................................................................................ 4-12
4.6.3 Outputs .................................................................................................................. 4-13
4.7 Risk Monitoring and Control ........................................................................................ 4-13
4.7.1 Inputs..................................................................................................................... 4-14
4.7.2 Monitoring and Control......................................................................................... 4-14
4.7.3 Outputs .................................................................................................................. 4-14

APPENDICES

Appendix 4-1 Example of Risk Management Matrix.......................................................... 4-16

Claims and Dispute Resolution Manual Final August 2008 Section 4 i

 Ethiopian Roads Authority

4 RISK MANAGEMENT

RISK MANAGEMENT
4.1 Background
The goals of risk management are to decrease the probability and impact of adverse events and to
increase the probability and impact of events beneficial to a project.

Risk management includes:

• Risk Management Planning;

• Risk Identification;
• Risk Analysis;
• Response Planning; and
• Risk Monitoring and Control.

These processes interact with one another and each can require input from one or more people or
groups, depending upon the needs of the project.

Project risk is an uncertain event or condition that may have a positive or negative effect on one or
more project objective. Project objectives include:

• Completion within the time scheduled for completion;

• Completion within the agreed budget or contract price;
• Completion of the specified scope; and
• Completion to the specified standards.

A risk might be a delay in giving possession of site to a contractor. An event that might give rise to
that risk is commencing acquisition and compensation procedures too late. This has identified a
risk and a possible causal event.

Experience shows that the probability of this risk occurring is high and that it can have a high
detrimental impact upon both time and cost. Thus the risk analysis shows that this risk has a high
probability and a high impact.

This means that steps to mitigate this risk should be taken urgently. This requires that a response is
planned. In this case a response would be to commence land acquisition and compensation
procedures in time to complete them before awarding the contract.

Risk monitoring and control would require that the project management team monitors the factors
influencing the granting of possession of site. This would ensure that procedures are in place to
manage events having an impact upon the possession of site and that these procedures are being
implemented. In the case of land acquisition and compensation it would be necessary to confirm
that the process has commenced at the appropriate time and to monitor the activity to ensure that it
is proceeding on schedule.

There are many other risks that can affect a project. The purpose of risk management is to identify
as many risks as possible, to determine a strategy to analyse and assess them and to develop a
response to them. Ongoing management of risks is necessary to revisit previously identified risks
and to identify any new ones. On a subsequent analysis, the probability or impact of a previously
identified risk may be found to have changed thus requiring a reassessment of mitigation activities.

Insofar as claims on a contract are concerned, the risks to be identified are those of events
occurring that might result in claims. However, it is important that risk identification is also used
to recognise events that might offset claims or have other positive impacts upon a project. For
example, a new product or technique might reduce the time taken to carry out an activity.
Claims and Dispute Resolution Manual Final August 2007 Section 4 4-1
 Ethiopian Roads Authority

It should also be considered that contributory factors can lie within the organisations of the
employer, engineer or contractor. Contractors are often accused of and are sometimes guilty of
having a lack of resources or using them inefficiently. This can also be true of employers and
engineers.

4.2 Risk Management Planning

Proper planning is essential to the success of the overall risk management process. It is the
determination of how to conduct the management of risk for a project.

Part of the planning process is to ensure that all those involved with the project are aware of the
risks that might affect it and of the planning process so that they may contribute to it. The process
also should ensure that the risk management is appropriate for the importance of the project and the
impact that adverse outcomes might have upon the organisation.

Thus an internal matter of changing the bank used by a company might be a matter for financial
staff and the financial director. The anticipated benefits may be that banking and finance charges
will be lower and that banking activities will be performed more quickly and with greater
efficiency. The risks might be that the expected benefits do not eventuate, that debtors are not
advised of the change in bank accounts for making payments or that staff salaries are not credited
to staff accounts on the dates required. The potential impacts upon the organisation may not be
great as they are largely internal and are more likely to create frustration and easily resolved
problems than to result in serious financial loss or to affect the ability of the company to perform.

However, if risks eventuate on a major construction contract, the cost in time or money can be
significant to any of the parties involved. If the employer is unable to give possession of site when
required, it will be exposed to claims for extension of time and compensation. The same applies if
there are changes to the design during construction. The engineer and contractor also face the
possibility of significant losses or damage to their reputation if they do not recognise and manage
the risks that might impact upon them.

Greater effort tends to be put into managing risks that have an adverse outcome than those that
have a positive outcome. The reason for this is that, if the adverse outcomes happen, a loss will
result and the success of the project will be less than anticipated, possibly to the extent of failure.
If a risk, or opportunity, with a positive outcome eventuates, the return to the parties concerned will
be greater than anticipated, in effect a windfall profit. This benefit may not be monetary; it may be
the enhancement of the parties’ reputation, making them more competitive for future projects.

It is preferable to put as much effort into pursuing opportunities as into mitigating threats. The
input into either should always be proportional to the impact it might have upon the project.

The risk management planning exercise should be carried out early, as analysis of the risks
associated with various project options is likely to influence the way in which the project is
executed. In the worst case, such an analysis may demonstrate that the project should not be
pursued in the format currently under consideration.

A risk assessment should be carried out at the beginning of each stage of the project and be
repeated at regular internals to determine any changes in the exposure to threats or opportunities,
whether from risks already recognised or from newly developed ones.

4.2.1 Planning Inputs

Organisational factors will influence the development of the management plan. Chief among these
will be the organisation’s attitude towards risk; an entrepreneurial company may be more prepared
to accept risks than a more conservative, traditional organisation.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-2
 Ethiopian Roads Authority

Individuals involved in a project will also have different views of risks and what is acceptable.
These singular outlooks are often constrained by an organisation’s policy statements and
procedural manuals. These will allocate authorities at different levels of responsibility and will
also specify the approval processes through which a risk management plan must pass before it can
be adopted.

The scope of work defines the deliverables of the project and the work that is required to generate
them. A properly defined scope of work provides all stakeholders with a common understanding of
a project’s objectives. It should define not only what is included in the project, but also what is
excluded. This can be of great importance in preventing incorrect assumptions becoming articles
of faith. For example, a contract may include the manufacture and delivery to site of an item of
equipment but exclude its installation and commissioning.

A risk management plan is usually a subsidiary component of the project management plan, not a
stand alone document. Its development requires reference to the project management plan to assist
in the identification of risks and the resources that might be available to help in their mitigation.

4.2.2 Planning Outputs

A risk management plan will include the resources that will be used to manage the risk on a project
and the methodology to be followed.

It will specify the composition of the risk management team and allocate roles and responsibilities
to its members and ensure that all activities required by the plan have an owner. The reporting of
risks and the implementation of the plan will also be defined. Risk management may be structured
in a way similar to quality assurance (QA) where the person with responsibility for implementing
QA is a member of the project management team and works with the project manager but is
independent and reports to a QA director or senior manager away from the site of the project. The
intention is to ensure that risk management, and QA, are recognised as important parts of the day to
day management of the project but that the person with immediate responsibility for the function is
independent of the manager of the project. In this way the risk manager should not be unduly
influenced by a project manager who is likely to have different priorities with an emphasis on
commercial and programme requirements.

Included in the development of a management plan will be an estimate of the resources and budget
necessary to develop and implement the plan so that these costs can be incorporated into the overall
project budget. This will contain a programme that shows when the risk management process will
be repeated and the associated activities, which should be written into the project programme.

The risk management plan will provide categories of risks and definitions of the probability and
impact of the risks that have been identified.

A Risk Breakdown Structure (RBS) be created to assist in the identification of risks. An RBS is an
hierarchical structure which divides a project into broad categories from which risks might arise. It
then subdivides these categories further to facilitate the identification of risks.

Evaluating the probability of a risk occurring and its potential impact are an essential part of risk
analysis. The probability of a risk event happening can be described as not at all likely through to
extremely likely. Various steps between these two extremes can be assigned numerical values.
The potential impact of a risk event can be classified in the same way. These values can be used to
create a matrix that presents risks in an order of priority.

Often material from a previous, similar project can be used as a basis for plan outputs. These
references should have been updated during the currency of the project from which they are
derived in order to ensure that they are more relevant and to make good any shortcomings.

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-3
 Ethiopian Roads Authority

4.3 Risk Identification

This is the process of identifying what risks might affect a project and then determining their
characteristics. Data from previous projects can be used to assist the process; individual members
of the risk management team can be tasked with considering aspects of the project with which they
are familiar; and brainstorming is a useful technique for expanding upon these.

Depending upon the complexity and value of the project, a risk management specialist team may be
appointed from inside or outside the organisation to coordinate the risk management process.
Other personnel would contribute at different stages of risk management.

Risk identification is an area, which benefits from input from a wide range of viewpoints. People
involved should include the project manager and senior discipline managers and client
representatives. Other contributors could include industry representatives and other stakeholders
such as end users. All project and organisation staff should be encouraged to consider risks and to
submit any they identify.

Risk identification leads to qualitative analysis and subsequently to quantitative analysis.

External inputs that may assist with risk identification include technical references, databases,
studies, analyses of previous projects carried out by others and material from risk consultants.

Internal inputs can be derived from records of previous projects, which can offer actual data and
the benefit of hindsight.

The scope of work can be a rich source of risks. The scope makes a number of assumptions, which
can be tested for uncertainty, itself a harbinger of risk.

The allocation of roles and responsibilities within the project team, the provision for risk
management in the budget and resource schedule and other outputs of the planning process all
provide material for review in risk identification.

Other components of the project management plan should also be reviewed to reveal risks. The
programme, budget and QA plan should all be assessed for potential risks.

This illustrates why it is important that the people having input to risk identification should have a
wide range of interests and expertise; it ensures a range of different viewpoints and discourages
consideration from only a purely technical aspect, or that of any other single interest group.

4.3.1 Means of Risk Identification

Reviews of project documentation should be undertaken. Its quality, consistency and compliance
with the scope of work can indicate risks in the project. Records from previous projects will also
provide indicators of risk.

Brainstorming has already been mentioned as a means of identifying risks. This is usually
managed by a facilitator. Participants include the project team, discipline managers, stakeholders
and external experts. An RBS can be used as a framework for consideration.

Interviewing is recognised as a significant means of identifying risks. Experienced project team

members, experts in constituent parts of the project and stakeholders can be interviewed for this
purpose.

A SWOT analysis is also a popular tool for this purpose. It evaluates the strengths, weaknesses,
opportunities and threats for a project.

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-4
 Ethiopian Roads Authority

Checklists can be based upon available historical data, including records from earlier projects. A
checklist can be a useful tool, but it is important to recognise that it is not comprehensive and
efforts must be made to identify unlisted risks. Checklists should be updated during a project to
increase its value for future works.

Projects are inevitably based upon a number of assumptions. Some of these assumptions may be
grounded in investigations and surveys, but the interpretation of the data is affected by
generalisations. The more detailed a survey or investigation is, the more weight it provides to
assumptions based upon it. However, an investigation or survey prior to project design cannot be
exhaustive for reasons of cost and time. This means that the design work has to be based on
assumptions used when analysing the data. Assumptions are also used when evaluating the returns
from a project, its economic benefit.

Analysis of the assumptions used when developing, designing and documenting a project is of
great value in assessing risks to a project from inconsistent or unfounded assumptions.

A number of diagram techniques can be used to assist in risk identification. These include flow
charts, influence diagrams, fishbone diagrams, histograms, Pareto charts and others.

4.3.2 Risk Identification Outputs

The results of a risk identification exercise are typically recorded in a Risk Logical Framework or
Logframe. Such a document is also referred to as a risk register.

The first column in the logframe contains the identified risks. Each row shows the probability,
impact, priority, mitigation activities or responses and the responsible party. The risks are usually
grouped into categories, and sub categories if appropriate.

The logframe is updated at specified intervals, possibly quarterly, when a new or changed risk is
recognised, when a significant event occurs or when a project enters a new phase.

4.4 Qualitative Risk Analysis

Once a risk has been identified, it has then to be assessed. Qualitative risk analysis is a means of
establishing the priority that a risk carries. Following the setting of priorities, quantitative risk
analysis or response planning can be undertaken.

The performance of a project can be improved by addressing high priority risks in the first instance.
Qualitative risk analysis is an objective means of assigning priority to an identified risk. It assesses
and allocates a numerical value to the probability of a risk occurring and does the same for the
impact the risk may have upon the project. The impact is evaluated in terms of the effect upon the
project constraints of cost, programme, scope and quality.

The risk identification process is vital in ensuring that the data used to establish the probability and
impact of a risk is soundly based. As with other parts of the risk management process, risk analysis
should be repeated when new information becomes available, which affects the status of an
identified risk or reveals a new risk. For example, a revised long range weather forecast may
increase the probability that unseasonal inclement weather will occur. This will change the priority
of that risk and may require that anticipatory mitigation activities should be undertaken.

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-5
 Ethiopian Roads Authority

4.4.1 Inputs
Records from previous projects can be used to indicate the probability of a risk occurring and its
impact.

If the scope of a project shows that it is of a type that is frequently carried out and is well
understood, the risks will tend to be well documented. Consideration should then be given to
project specific risks, which might include those relevant to the project’s location, the climate,
availability of resources, the stability of the country in which the work is to be executed and the
economic status and financial regulations that apply.

However, because a project is of a common type and the recurring risks are well known, they
should not be treated with familiarity but should be assessed critically with due consideration for
project specific factors that may influence the probability of their occurrence or their impact and
thus their priority. The fact that the risks are well known should ensure that there is enough
historical data to assess their priorities with some confidence.

Projects that are at the cutting edge, use state of the art technology or are complex will offer more
opportunity for new risks to occur and so will require greater effort to be applied to their
assessment.

The risk management plan will provide information relating to the roles and responsibilities
allocated to staff managing risk and the project. It will also give details of the budget and
programme for risk management activities and show the tolerance of the project or stakeholders to
general or specific risks.

The risk logframe is an important input as it lists the risks that have been identified and require
analysis.

4.4.2 Analysis
During analysis risks are assessed to establish the probability that they will occur and the impact
that they might have upon the project constraints. This analysis is carried out for both threats and
opportunities.

The processes followed in risk identification are valuable in assessing these properties of risks.
Historical data is very helpful where there is a database of information from similar projects.
Where there is little information about identified risks, knowledgeable and logical assessment is
essential. This can be helped by input from people consulted during the risk identification process.

The available information is used to assign a probability to each risk and its impact upon each of
the project’s objectives. The analysis should also record reasons for the values that are selected
and any assumptions that have been made.

A risk priority rating matrix is generated to provide a risk priority rating. A matrix can use either
numeric values or descriptive terms. In the latter case, a risk with both high probability and high
impact would be rated as a high priority but one with high probability and medium impact may be
more difficult to label. The use of numerical values allows a little more precision, although
interpretation of the results is likely to be subjective.

The probability of a risk event occurring is assigned a value between 0 (never happen) and 1
(definitely will happen). Usually the numbers used range from 0.1 to 0.9 in intervals of 0.2. The
impact of an event may be valued the same way or the size of the increments can change. Thus an
impact could be valued at 0.05, 0.10, 0.20, 0.40, and 0.80. The product of the two values for a risk
is entered into a chart to form a matrix. Risks with a priority rating greater than 0.2 might be
considered as high priority, those with a rating of 0.05 or less as low priority and those in between
as medium priority. An example of a risk matrix is shown in Figure 4-1.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-6
 Ethiopian Roads Authority

CL3 - Risk Priority Rating Matrix

Probability Threats Opportunities
0.90 0.05 0.09 0.18 0.36 0.72 0.72 0.36 0.18 0.09 0.05
0.70 0.04 0.07 0.14 0.28 0.56 0.56 0.28 0.14 0.07 0.04
0.50 0.03 0.05 0.10 0.20 0.40 0.40 0.20 0.10 0.05 0.03
0.30 0.02 0.03 0.06 0.12 0.24 0.24 0.12 0.06 0.03 0.02
0.10 0.01 0.01 0.02 0.04 0.08 0.08 0.04 0.02 0.01 0.01
0.05 0.10 0.20 0.40 0.80 0.80 0.40 0.20 0.10 0.05
Impact
Figure 4-1

In this matrix the cells shaded in dark grey have a high priority for action, either to reduce the
probability or impact of the threats or to pursue the opportunities. The unshaded cells have a
medium priority and should be dealt with if possible. The cells with light grey shading have a low
priority and could be placed on a list to be monitored.

Some of the risks may have readily identified and easily implemented responses. These responses
should be implemented regardless of the priority while responses to other risks are planned and put
into action.

A risk priority matrix can be prepared for each of the primary project constraints and the results
combined to provide an overall priority rating for each risk. Depending upon an organisation’s
policies, the weighting for each constraint may differ. This could mean that a risk evaluated as a
high priority on a matrix for effects upon the programme carries more urgency than a similar risk
on a matrix for costs.

The data on which assessment of a risk is based must be accurate and unbiased. It should be
reviewed to ensure that it is adequate for its purpose. It is also necessary to ensure that the risk is
understood fully.

Risks can be put into categories dependent upon their source, the aspect of the works or the phase
of the project they affect in order to determine where the project is most sensitive to risk. This also
assists in formulating responses as one response may be effective in mitigating a number of risks.

An important factor to consider in setting a priority for responding to risks is the lead time required.
Thus a risk with a lower priority rating may have to be attended to before one with a higher rating
because its impact may be felt more immediately.

4.4.3 Outputs
The risk logframe is updated from the results of the analysis. The logframe is used as an input to
provide a list of identified risks.

The output from the analysis adds to the logframe:

• The severity of a risk;

• An order of priority;
• Grouping of risks;
• Risks requiring urgent responses;
• A list of low priority risks to be monitored; and
• Risks that require further assessment.

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-7
 Ethiopian Roads Authority

The analysis may also add actions to be taken to respond to risks where a response is readily
evident.

4.5 Quantitative Risk Analysis

Quantitative risk analysis is carried out on risks that have been identified in the preceding
qualitative analysis as requiring further assessment. The process analyses the effect of those risk
events and allocates a value to them. It also assists in making decisions where uncertainty exists.

The process is applied to risks to evaluate how their occurrence will affect the project as a whole.
The outcome of the analysis is to:

• Quantify how risk scenarios will affect the project constraints and the probability of those
outcomes happening;
• Assess the probability of reaching project objectives;
• Identify risks in most urgent need of attention by assessing their effect upon the overall
project;
• Determine realistic project targets considering the project risk; and
• Provide assistance in decision making, particularly when there is uncertainty.

4.5.1 Inputs
The inputs for quantitative analysis are similar to those for qualitative analysis. Of particular
relevance are the project programme and cost estimates. The analysis uses these to quantify the
effects of risks on the time and cost constraints of the project.

4.5.2 Analysis
Analysis is achieved using various techniques to quantify the outcomes of risk events on project
objectives.

Interviews and discussion can be used to gather information, which will vary depending upon the
distribution of probabilities that is to be used. Information might be gathered on low, most
probable and high scenarios or upon mean and standard deviation. An example of a three point
range for a project is given in the following table, Figure 4-2.

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-8
 Ethiopian Roads Authority

Range of Project Estimates

Project Phase Low Most Likely High

Investigation 2 4 8

Design 3 5 10

Construction 30 38 58

Total Project 35 47 76

Figure 4-2

It is important to record the reason for the choice of probability distribution so that this information
is available when the analysis is reviewed at a later date.

Continuous probability distributions are used to represent uncertainty in the duration or cost of an
activity or project.

Figure 4-3

This asymmetric triangular distribution is an example of a continuous probability distribution that

is used in this type of analysis. Probability is charted on the Y axis and value on the X axis. It is
noticeable that the peak value occurs closer to the zero value on the X axis than to the maximum
value. This is because the low range of values is considered to be the optimistic range. The peak is
the most likely value and the highest value is the most pessimistic outcome.

Threats push the value to the higher value or pessimistic side of the distribution, whereas
opportunities tend towards the optimistic side. Considering the range of project values in the
previous table, the value 35 would occur where the Y and X axes cross, the value 47 where the
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-9
 Ethiopian Roads Authority

distribution peaks and the value 76 where the line meets the X axis at the right. It must be
remembered that the most likely value is that arrived at after considering the quantitative effect of
the risk events. It is not the project estimate or the budget, but the cost in time or value that is
shown to be the most likely outcome after consideration of the effect of the identified risks.

A Monte Carlo simulation is a method frequently used to determine the most likely duration for a
project. It is used in a number of software packages and uses repeated computations or iterations of
the project model.

Each iteration selects a value for each of the risk activities from the ranges and probability curves
established in the earlier stages of the analysis. The total project results are calculated to arrive at
completion dates for the project and milestones. These are only possible dates and are not
representative of all possible solutions.

The iteration is repeated many times using random values for each of the risk activities. For each
iteration, the completion dates for the project and important milestones are recorded as are the
activities on the critical path for that iteration.

At the end of the simulation the dates calculated are tabulated to show the probability distribution
or relative frequency of all possible dates. It is frequently the case that the completion date
estimated as the most likely using a conventional CPM diagram will be shown to have a low
probability of being achieved; figures of 15% and less are common.

This occurs because the duration of each activity used to create the critical path tends towards the
optimistic values. This is reflected in the asymmetric distributions derived from the three point
estimates.

Similar results are found when the cost of risk activities and the complete project are modelled.

If an employer requires a 75% probability of completing a project on time and budget, simulations
such as this reveal that contingencies of 20% or more are necessary above the figures resulting
from more traditional methods.

4.5.3 Outputs
The risk logframe is updated after completion of the quantitative risk analysis. Estimates are added
of project programme and cost outcomes. These list the possible completion dates and costs and
give the levels of confidence associated with them. These figures are commonly expressed in a
cumulative chart of the outcomes against percentage probabilities. An example is shown in Figure
4-4.

This Probability Distribution Curve is based on the values from Figure 4-2 and the triangular
distribution in Figure 4-3.

The columns show the probability of a particular outcome for the cost of the project and the graph
displays the cumulative probability of a particular cost being achievable.

The figure demonstrates that there is only an 18% probability of achieving a cost outcome of
$47 million, the figure selected as the most likely outcome from the triangular distribution. If an
Employer wishes to know the cost outcome with a 75% likelihood of being achieved, the value will
be $58 million. This means that he would have to have access to additional funding of $11 million
to be confident that he had sufficient funds to meet this cost outcome.

This does not mean that the cost outcome will not be $47 million but that there is an 82%
probability that this figure will be exceeded.

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-10
 Ethiopian Roads Authority

30 100

25

75

20

Cumulative Probability %
75% Probability
$58 million
Probability %

15 50

10
18% Probability
$47 million 25

0 0
30 35 40 45 50 55 60 65 70 75
Cost $ Million

Figure 4-4

The charts can be used by stakeholders and particularly by employers or clients to show what
contingencies may be necessary to have a 75% probability of meeting the cost and programme
outcomes.

The charts will also provide the probability of achieving the project programme and cost objectives
that were originally set.

The output will identify the threats and opportunities, which have the greatest impact upon the
completion and cost of the project.

4.6 Risk Response Planning

This is the process of planning actions and developing options to reduce threats to meeting the
objectives of the project and to enhance opportunities that will assist in meeting them.

Response planning addresses the risks in order of priority and allocates resources and activities.
These have to be included in the budget and programme for risk management and for the project as
a whole. The risk manager will be given the responsibility of overseeing the response to each of
the risks that are included in the approved response plan.

The party funding the project may determine that the costs of providing resources and time to
counter a risk are too high and that it prefers to accept the risk. This will depend upon the impact
of the risk on the project objectives and the contingencies that are required to accommodate its
effects should the risk occur.

Risk responses must be matched to the potential impact of the risk; they must be cost effective and
realistic in relation to the project; they should be agreed to by all parties; and they must be the
responsibility of the risk manager or a person who is able to assume ownership of the response.
The person responsible for managing the response to a risk must have the authority necessary to
ensure that the activities forming the agreed response are undertaken.

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-11
 Ethiopian Roads Authority

4.6.1 Inputs
The logframe, modified by the outputs from the qualitative and quantitative risk analyses, is an
important input to response planning. It provides a list of risks and their priority rating; it indicates
those risks that have to be addressed in a short time; it suggests possible responses to risks; and it
lists risks that should be monitored.

The constraints upon responses are also necessary when formulating ways of reducing threats and
enhancing opportunities. These should be available from the risk management plan and include the
personnel that will be available, their roles and responsibilities and the resources available to them;
the time that will be available within the project programme; and the budget available for managing
risks and responding to them.

4.6.2 Planning
There are three strategies typically used for addressing negative risks or threats.

Risk avoidance involves changing the way the project is to be executed in order to eliminate an
adverse risk; isolating the project’s objectives from impact by the risk; or modifying the objective
that is affected by the risk. The last might be achieved by extending the time for completion,
increasing the budget, changing the scope or relaxing the specified quality.

Risk transfer shifts the impact of a threat and ownership of the response to another party. This does
not eliminate or reduce the risk; it simply transfers it to another party and gives them responsibility
for managing it. This type of response is generally most appropriate for financial risks and usually
involves the payment of a premium to the party that assumes the risk. Instruments through which
this transfer can be achieved include insurance, performance bonds, warranties and the like.

Contracts are used to allocate risks between parties. Ideally risks will be allocated to the party most
able to manage them. The more risk that is allocated to a contractor through a contract, the greater
will be the price requested to carry out the work. This is effectively the charging of a premium in
exchange for assuming the risk.

Risk mitigation reduces the probability or impact of a threat to a level that is acceptable to the
stakeholders. It is preferable to act early to achieve these ends rather than to counter the effects of
a risk after it has happened. Mitigation might include reducing complexity, increasing the
frequency of testing, or obtaining plant from a local supplier rather than from overseas.

If the probability of a threat occurring cannot be reduced, it may be possible to reduce its impact by
using a parallel process. This would provide a degree of redundancy. An example would be to use
two smaller excavators rather than one large one. If one excavator broke down, work could
continue with the second. It might well be less efficient to use two smaller units than one larger
one, but this would be the premium paid to reduce the impact of a breakdown.

There are also three strategies commonly used for dealing with positive risks or opportunities.

Risk exploitation can be used to make sure that an opportunity occurs. This requires that any
uncertainty over whether the event will occur is removed; the probability is increased to 100%.
Exploitative responses include assigning more or better resources to a project to achieve earlier
completion or to improve another project objective.

Risk sharing an opportunity has some similarities to transferring a threat. It involves allocating the
opportunity to another party who is better able to ensure that the opportunity eventuates.
Obviously, benefit must still accrue to the project otherwise there would be no incentive to share
the opportunity. Examples of opportunity sharing include forming teams or joint ventures. It
might be advantageous to form a joint venture with a local organisation in order to benefit from
concessions available to national companies.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-12
 Ethiopian Roads Authority

Risk enhancement modifies an opportunity by increasing the probability that it will occur or by
increasing its impact. This can be done by identifying the cause of the opportunity and actively
targeting the conditions that trigger the event.

Risk acceptance is a response that is appropriate for both threats and opportunities. It occurs when
a different response strategy cannot be identified or is too costly. The risk is known but it is left to
the project management team to deal with if it occurs. Provision can be made for assistance to be
made available when required through the establishment of a contingency. This is a form of
mitigation in that resources are held in reserve and can be used for both known and unforeseen
risks.

A contingent response is one that is triggered only if certain events occur. For example, if there is
high rainfall in the catchment feeding a drainage structure, predetermined actions can be taken in
anticipation of flooding. The actions are not initiated until they are triggered by high rainfall
upstream. However, the plan of action has already been decided and has only to be implemented.
The actions required might be as simple as removing personnel and equipment from the water
course or they might include the construction of cofferdams to divert floodwaters from work in
progress.

4.6.3 Outputs
The primary output is updating of the risk logframe or register. In addition to the updates from the
previously performed components of risk management, response planning will add:

• Response strategies;
• Actions to implement the strategies;
• Budget and programme changes necessary for the responses;
• Contingency plans and their trigger events;
• Accepted risks and residual risks remaining after planned responses; and
• Contingency reserves necessary to meet the organisation’s required probability of success.

Updates will also be required to the project management plan to ensure that necessary amendments
are made to the budget and programme.

Contracts should reflect the allocation of risk required by the responses that have been selected.
This is particularly relevant for responses requiring risk transfer or risk sharing. Special Conditions
of Contract or Conditions of Particular Application will have to be reviewed, and amended if
necessary, to ensure that they accommodate the responses that have been agreed to.

4.7 Risk Monitoring and Control

Planned responses are carried out as required by their implementation plan during the life of the
project. However, continuous monitoring is needed to identify new and changing risks. It is also
necessary to monitor the results of implementation of planned responses to ensure that they have
the desired results and do not have undesirable side effects.

Risk monitoring is also required to keep track of recognised risk events; to watch for those that
have been listed for monitoring; to monitor trigger events; and to record the effectiveness of risk
responses.

Risk monitoring should also flag events that require one or more aspects of risk management to be
carried out. The monitoring process will, at the least, identify risks that require attention. This
would then trigger qualitative and quantitative analysis and response planning as required. The
loop would then continue with monitoring and feedback followed by iterative assessment.
Claims and Dispute Resolution Manual Final August 2008 Section 4 4-13
 Ethiopian Roads Authority

The process will also show whether assumptions that have been used in the project or in risk
assessment are valid; whether a risk has changed; and whether cost or programme contingencies
should be revised.

Monitoring is also an audit process which shows if the agreed risk management procedures and
responses are being complied with.

Another important aspect of risk monitoring is to ensure that actual events are recorded so that data
about the risk management procedures used and their effectiveness are available for use in future
projects.

4.7.1 Inputs
The risk management plan provides information about the assignment of personnel, risk managers,
time, budget and other resources.

The risk logframe or register is a compilation of all the data relating to risks for the project. It
includes details of all identified risks, responses and their implementation and requirements for
monitoring the project risks.

Various project documents and reports should also be made available to the monitoring process.
These would include variation orders as they change the scope and thus the exposure to risks;
quality control reports as they are indicative of whether the specified quality objectives are being
met and how much rework and corrective action is being carried out; performance and progress
reports show problems that arise and progress against the programme; and payment certificates
record cash flow against anticipated expenditure as well as revealing areas of over expenditure.

4.7.2 Monitoring and Control

Risk monitoring and control requires the recognition of new risks and their assessment as well as
the reassessment of known risks. Reassessments should be a regular occurrence and risk
management should be on the agenda of project status meetings.

Audits of the risk management process monitor compliance with it and the procedures it contains.
They also review the effectiveness of the process and indicate whether it requires revision.

Analysis of variance and trends are reviewed using project performance reports relevant to all the
project objectives. This will reveal divergences from the original schedules, which may indicate
the impact of risks.

Risks occur during a project, which have an impact upon cost or programme contingencies.
Reserve analysis compares the amount of risk contingencies required against the actual
contingency remaining in the project. This determines whether reassessment of the contingency is
necessary.

4.7.3 Outputs
Risk monitoring results in the updating of the risk logframe or register. It shows whether the
preceding procedures have been effective in managing risks; it identifies new risks and changed
risks; and it identifies risks that are no longer relevant and can be closed off.

It also provides the actual outcomes of the risk management activities and responses that have been
implemented. This record is of assistance in planning future projects and to concurrent projects.

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-14
 Ethiopian Roads Authority

The project completion report should contain a summary of the findings of the risk monitoring and
control process for the whole of the project.

The impact of approved variation orders is reviewed in the monitoring process. In fact, risk
assessment should be a step in the consideration of a variation.

The auditing component of monitoring risks results in nonconformance reports and corrective
action requests, which lead to more effective implementation of risk management. Corrective
action reports also list preventative actions that should be taken to correct the implementation of
the project.

Any approved changes to the risk management process necessitate corresponding changes to the
affected components of the project management schedules.

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-15
 Ethiopian Roads Authority

Appendix 4-1 Example of Risk Management Matrix

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-16

APPENDIX 4-1: CONTRACTING STRATEGY – RISK MANAGEMENT MATRIX
Risk Damage to AMP
Safety During Construction
• Increases potential for major
Non-compliance with safety
airside accident.
standards within airport airside
area. • Increases principal’s exposure
to potential compensation
claims.
• Intensifies public focus on
Major accident at a PNG airport
airport airside safety.
• Subjects AMP to adverse
publicity.
• Airport Safety Officers impose
excessive regulatory
constraints on contractors.
• Delays to construction
Airport safety officers impose
excessive regulatory constraints • Substantial increase in claims
on contractors. for cost of delays
Claims and Dispute Resolution Manual Final August 2008
Ethiopian Roads Authority
Probability Impact Treatment Action
• Transfer compliance with airport safety Contract
L X
standards risks to contractors.
• Require contractors to prepare method of Contract
work plans (MOWP) and procedures for
compliance with airport safety standards
and obtain approval from CAA prior to
commencing work on the site.
• Require contractors to instruct Contract
employees and subcontractors and
service providers on compliance with
airport safety standards. Verify transfer of
knowledge by induction testing through
CAA Safety Regulations Group (SRG)
workshops
• Transfer airside safety risks to contractor Contract
L H
during construction.
• Require contractor to coordinate site Contract
activities with airport operations.
• Provide training for Airport Safety CAA SRG
Officers and contractors in airside safety
regulations.
• Principal accepts impact of changes to AusAID &
regulations after award of contract. CAA
• Provide training and briefings for airport CAA
H H
safety officers.
• Transfer cost of delays resulting from Contract
airport safety officers’ directions to
contractors.
Section 4 4-17

Risk
Fitness for Purpose
Insufficient development of
conceptual design and design
brief
Incorrect topographic
information
Inaccurate information provided
in tender documents
Inadequate subsurface
investigations prior to contract
award
Claims and Dispute Resolution Manual Final August 2008
Ethiopian Roads Authority
Damage to AMP Probability Impact Treatment Action
• Increases principal’s exposure • Perform supplementary site PMC
L M
to additional compensation investigations at selected airports prior to
claims by contractor. design brief.
• Increases CAA’s exposure to • Provide provisional quantities and rates PMC
scrutiny by AusAID. for subgrade treatment in tender
documents.
• Require contractor to review conceptual Contract
design and design brief, and advise
principal of deficiencies, prior to PMC
proceeding with investigations and
detailed design.
• Design brief subject to peer review.
• Increases principal’s exposure • Transfer topographic information risk to Contract
M M
to additional compensation contractor.
claims by contractor. • Require contractor to verify and correct Contract
• Increases CAA’s exposure to topographic information provided by the
scrutiny by AusAID. principal.
• Include requirement for contractor to Contract
provide runoff and drainage plan.
• Increases principal’s exposure • Transfer information access and Contract
M M
to claims for compensation by verification risk to contractor.
contractors. • Avoid provision of unreliable information. PMC
• Increases CAA’s exposure to
scrutiny by AusAID.
• Delays caused by disputes.
• Increases uncertainty provision • Identify high risk airports, perform PMC
M M
in tenders. selected subsurface tests at these high
• Increases possibility of delays risk airports, and include test information
and cost increases during in tender documents.
contract. • Transfer subsurface risk to contractors. Contract
• Minimise cost of contractors risk by PMC
including provisional items/rates for
Section 4 4-18
 Ethiopian Roads Authority

Risk Damage to AMP Probability Impact Treatment Action

alternative subgrade conditions in

contract.
• Early pavement failure during • Establish contract as early as possible. PMC
Inadequate subgrade L L
preparation
maintenance period, requiring • Allow contractor adequate time to Contract
further remedial works. determine subgrade requirements and
construct subgrade.
• Transfer risk of subgrade preparation to Contract
contractor.
• Delays caused by disputes over • Establish contracts as early as possible. PMC
Inappropriate specifications for M L
local materials
inflexible specifications • Allow contractors adequate time to Contract
• Delays caused by constraints investigate and obtain access to local
on access to suitable sources construction materials.
of construction materials. • Transfer materials specification and Contract
selection risks to contractors.
• Delays caused by quality • Transfer quality assurance risk to Contract
Inadequate quality assurance L M
disputes. contractor. Contract
program
• Delays caused by • Transfer specification risk to contractor.
reconstruction.
• Delays to construction • Transfer integration of design and Contract
Incomplete detailed design L M
progress. construction risk to contractor.
• Increases principal’s exposure • Set design output targets. Contract
to claims for compensation by • Require design verification by contractor
contractor. and permission to use (PTU) by PMC. Contract
• Delays caused by slow • Transfer construction method risks to Contract
Inappropriate construction L M
progress, poor quality and need contractors.
methods
to reconstruct. • Transfer quality assurance risk to Contract
• Remedial works required during contractors.
defects liability period. • Require contractors to perform periodic Contract
audit inspections and reports for CAA.
Flexibility
• Changes to tender and contract • Proceed to contract as early as possible. PMC
CAA Board and executive H L
decisions result in changes in
documentation. • Minimise principal imposed changes after AusAID

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-19
 Ethiopian Roads Authority

Risk Damage to AMP Probability Impact Treatment Action

policies & directives. • Changes in priorities. contract award.

• Changes in scope of work
• Change in scope.
Political interference
• Change in selection of airports.
• Change in priorities.
• Change in funding allocation.
• Changes to airport pavements.
Air Niugini fleet change
• Changes to scope of work
• Changes to airport priorities
• Changes in funding allocation.
• Failure to maintain focus on
Changes in perception of
project objectives
sustainable development
objectives of the project.
• Exposure to additional funding
requests.
• Evaluate cost impact of changes and PMC
obtain CAA approval prior to
implementing.
• Accept as principal’s risk. AusAID
H M
• Comply with PDD. CAA
• Establish contract as early as possible. PMC
• Obtain CAA and AusAID directions prior
to considering effect of fleet changes on PMC
tender and contract documentation.
• Provide estimates of cost and time PMC
impact when requested by AusAID.
• Accept as principal’s risk. AusAID
H M
• Comply with PDD CAA
• Establish contract as early as possible. PMC
• Obtain CAA and AusAID directions prior PMC
to considering effect of fleet changes on
tender and contract documentation.
• Provide estimates of cost and time PMC
impact when requested by AusAID.
• Confirm details of fleet changes prior to PMC
contracting/proceeding with design.
• Comply with PDD objectives. CAA
L L
• Ensure requests for scope changes CAA
comply with PDD objectives.
• Emphasise the sustainable development PMC
objectives through training programs.
• Facilitate implementation of training Contract
programs by contractors.

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-20
 Ethiopian Roads Authority

Risk Damage to AMP Probability Impact Treatment Action

• Claims for additional • Focus on developing concept definition PMC

Inadequate definition of scope L M
compensation by contractor. skills within the AMP team.
of work at airports
• Changed scope of work. • Transfer design and construction Contract
integration risk to contractor.
Cost & Time
• Reduced scope of work • Provide for cost reduction options in PMC
Tender prices exceed estimates M M
• Reduced scope of work at other tender documents.
airports. • Revise and redistribute estimates. PMC
• Increases CAA’s exposure to • Revise priorities. CAA
scrutiny by AusAID. • Package airports into single contracts. AusAID
• Delay to construction. • Accept time and cost risk. AusAID
Delayed access to site M M
• Principal directly exposed to • Identify cause of delay to access and PMC
additional compensation claims develop mitigation program.
by contractor. (prevention • Modify scope or schedules to minimise PMC
principle) access delay.
• Inappropriate distribution of • Comply with PDD definitions of scope of CAA
Inappropriate scope of works at L L
project funds. work and selection criteria.
selected major airports
• Reduced scope of work at other • Comply with CAA and AusAID guidelines PMC
airports. for airport selection and delivery
methods.
• Obtain CAA Board endorsement of PMC
scope.
• Changes cost of different • Establish contracts as early as possible. PMC
Changes to currency conversion H H
rate during contract.
currency components of the • Transfer general currency risk to Contract
contract. contractor.
• Exposes principal to claims by • Negotiate simple basis for compensating Contract
contractor for compensation to contractor for cost increases due to
cover cost changes. currency changes.
• Disputes over validity, • Minimise risks carried by principal Contract
Contract claims M M
justification and valuation of • Maximise risks carried by contractor. Contract
claims. • Implement effective dispute resolution Contract
• Potential delays to completion process.

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-21
 Ethiopian Roads Authority

Risk Damage to AMP Probability Impact Treatment Action

Force Majeure event
Latent conditions
Contractor fails to perform in
accordance with contract.
Resources
Insecurity of employment for
seconded CAA staff
Lack of relevant experience of
of works.
• Delays mobilisation of • Provide for both principal and contractor Contract
L M
construction equipment and to share time and cost risks.
construction of works. • Reprioritise and reschedule airport PMC
• Delays construction activities works.
and increases costs.
• Delays construction activities • Provide for both principal and contractor Contract
L L
and increase construction costs to share time and cost risks.
• Delays during dispute. • Prequalification screening of ICB PMC
M M
• Delays to site activities. contractors.
• Delays to other contracts. • Preselect LCB Tenderers. PMC
• Additional remedial works • Minimise concurrent work by specialist PMC
required. contractors at different airports.
• Replacement of contractor. • Transfer quality assurance including Contract
• Potential follow-on security quality assurance reporting to contractor.
problems for principal’s • Maintain direct communications with PMC
representatives. contractors senior management.
• Personnel conflicts between • CAA secondees employed full time on CAA
H M
CAA staff undermine team AMP.
approach to planning and • CAA secondees accountable for CAA
implementing the project. performing allocated tasks.
• Loss of experience through • Balance distribution of workload between PMC
resignations. internal and external resources by
• Increases CAA’s exposure to enabling CAA staff to participate in
scrutiny by AusAID. contractors design and construction
management activities
• Employment contracts for CAA staff. CAA
• Require contractors to provide training in Contract
airport maintenance documentation for
staff.
• Increases uncertainty of • Provide training program for all staff in PMC
H M
contents of tender documents documentation and administration of

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-22

Risk
AMP team members in
developing and administering
selected delivery methods for
major contracts.
Lack of resources with airport
maintenance experience.
Lack of experience of CAA staff
in developing and administering
LCB contracts.
Lack of suitable CAA field staff
Non–payment by OCA for
overtime incurred by CAA staff
on AMUP. [Current AMP CAA
seconded staff and field staff
Claims and Dispute Resolution Manual Final August 2008
Damage to AMP Probability
• Likely increases in substantial
delay and compensation claims
by contractors.
• Inadequate appreciation of
H L
risks of working in an airport
airside environment.
• Increase in risk of accidents.
• Inappropriate documentation.
• Deficient LCB documents
H L
Likely increases in delay and
compensation claims.
• Inadequate quality assurance
H H
• Poor coordination between
contractor and CAA operations
personnel.
• Increase in risk of accidents.
• Potential for delays to AMP
H L
tender documentation.
• Potential for loss of OCA/CAA
expertise.
Ethiopian Roads Authority
Impact Treatment Action
selected delivery methods.
• Implement peer review within AMP PMC
Team.
• Provide for review of tender documents PMC
by expert prior to release.
• Obtain expert advice during contract PMC
formation phase.
• Develop relevant guidelines for contract PMC
administration.
• Transfer resources risk to contractors. Contract
• Facilitate training of contractors’ Contract
resources by including training as a
contract requirement, including
engagement of specialists as advisers in
airport maintenance practices.
• Provide support for CAA secondees PMC
preparing and administering contracts.
• Implement team approach to review of PMC
documentation and administration.
• Transfer quality assurance risk to Contract
contractor.
• Transfer safety coordination risk to Contract
contractor.
• Transfer resources risk to contractor. Contract
• Facilitate training of contractors’ quality Contract
assurance and safety coordination
resources by including training as
contract requirement.
• CAA to resolve compensation issue with CAA
CAA secondees by 31 March 2001.
• CAA to resolve compensation issue with CAA
CAA field personnel prior to
commencement of construction activities.
Section 4 4-23
 Ethiopian Roads Authority

Risk Damage to AMP Probability Impact Treatment Action

have outstanding unsettled • Establish contracts as early as possible. PMC

claims against OCA/CAA for • Request CAA Board to resolve the PMC
non-payment of overtime issue.
incurred whilst engaged on the
AMUP].
• Loss of experience. • Maintain up to date project records. PMC
Loss of PMC resource L L
• Delay in obtaining suitable • Review AMP Team activities frequently. PMC
replacement. • Maximise participation by CAA PMC
secondees in decision processes of AMP
Team.
• Maintain advisory communications with PMC
offshore design and contract expertise.
• Proactive identification and review of PMC
likely changes.
Environment
• Stops construction activity. • Transfer general security risk to Contract
Security incident during M M
construction • Increases principal’s exposure contractor.
to claims for additional • Require contractor to prepare security Contract
compensation by contractor. contingency plan.
• Force majeure event if extended delay. Contract
• Changes scope of work.. • Issue referred to AusAID and CAA for AusAID &
Landowners constraints M H
• Prevents access to site resolution with Provincial government CAA
• Delays construction activities and landowners.
and increases construction
costs
• Delay in access to the works • Facilitate participation by local PMC
Unexpected constraints L M
area. communities by briefing local authorities.
imposed by local communities
• Interruption to construction • Require contractors to engage local Contract
activities. labour.
• Transfer community participation risk to Contract
contractors.
• Issue referred to AusAID and CAA for CAA,

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-24
 Ethiopian Roads Authority

Risk Damage to AMP Probability Impact Treatment Action

resolution with Provincial government AusAID

Handover of Completed Works
Failure of maintenance work
within liability period
Non-compliance with safety
regulations
Non-acceptance after expiry of
liability period
and landowners.
• Additional maintenance works • Transfer liability for remedial work to Contract
required prior to handover to CAA. contractor.
L M
• CAA refuses to accept completion • Transfer accountability for maintaining usage Contract
of works. records of restored facilities during liability
period to contractor.
• CAA refuses to accept handover of • Transfer compliance with safety regulations Contract
works. risk to contractor.
L L
• Failure to maintain may lead to • Transfer risk of developing and obtaining CAA Contract
rapid deterioration. approval of handover procedures to
L L
• Disputes on responsibility for contractors.
further remedial works.

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-25
 Ethiopian Roads Authority

Claims and Dispute Resolution Manual Final August 2008 Section 4 4-26