Ecpmi Ecpmms: 2019: Ethiopian Construction Project Management Manuals Series
MAY,2019
WM - 05
Tadesse Ayalew
Bekele Jebessa
Geremew Tarekegn
Bekele Jebessa
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF TABLES
ABBREVIATIONS AND ACRONYMS
NATIONAL FOREWORD
PREAMBLE
SECTION 1: GENERAL
1.1. Introduction
1.2. Document information
1.3. Scope and Application
1.4. Normative References
1.5. Purposes / Objectives
1.6. Policies, Principles and Considerations
1.7. Terms and Definitions
1.8. CPRMM Overview
1.9. CPRMM High Level Process Map
SECTION 2: PROCESS GROUPS
2.1. Process group one: Plan Construction Project risk Management
2.1.1. Plan construction Project risk management: Inputs
2.1.2. Plan construction Project risk management: Mechanisms
2.1.3. Plan construction Project risk management: Constraints
2.1.4. Plan construction Project risk management: Outputs
2.1.5. Risk Management Activities
2.2. Process group Two: Identify CP Risk
2.2.1. Identify CP Risk: Inputs
2.2.2. Identify CP Risks: Mechanisms
2.2.3. Identify CP Risk: Constraints
2.2.4. Identify CP risk: Outputs
2.2.5. Activities of CP risk Identification
2.3. Process Three: Qualitative Risk Analysis
2.3.1. Perform CP Qualitative Risk Analysis: Inputs
2.3.2. Perform CP Qualitative Risk Analysis: Mechanisms
2.3.3. Perform CP Qualitative Risk Analysis: Constraints
LIST OF FIGURES
Figure 1.1: Construction Project Risk Management Overview
Figure 1.2: CPRM High Level Process Map
Figure 2.1: IMCO or Modified IDEFo Elements
Figure 2.2: IMCO for plan CP Risk Management Process
Figure 2.3: IMCO for Identify CP risk
Figure 2.4: Typical Risk breakdown structure (RBS)
Figure 2.5: IMCO for Perform CP Qualitative Risk Analysis Process
Figure 2.6: IMCO for Perform CP Quantitative Risk Analysis Process
Figure 2.7: Example cost risk Simulation Results [3]
Figure 2.8: Elements of quantitative risk analysis
Figure 2.9: IMCO for CP Risk Response Process
Figure 2.10: IMCO for CP Risk Monitoring and Control
LIST OF TABLES
Table 1.1: CPRMM Policy Document
Table 1.2: CPRM Principles
Table 1.3: CPRM - PMPG relationships, their functions and outcomes
Table 2.1: Risk management sub processes
Table 2.2: Relationship between Risk and Objectives
Table 2.3: Typical Characteristics of CRA and CEVP
Table 2.4: Types and Hierarchies of Qualitative risk analysis
Table 2.5: Actions in response to construction risk
Table 2.6: Simple response matrix
NATIONAL FOREWORD
The proclamation to define the powers and duties of the executive organs of the Federal
Democratic Republic of Ethiopia Proclamation No 1097/2018 empowers the Ministry of Urban
Development and Construction (MUDC) to prepare and issue Standards for design and
construction works, and follow up and supervise their implementation.
This document forms a part of the CPMM Package that enlists Nineteen Manuals of which
Sixteen of them are Construction Project Management Manuals, two of them are general guides
(CPMM Organization and Setup and User Guide), and one of them is operational (Construction
Project Design Services) Manual. The CPMM package was developed with a clear view of the
integration of both the Project Management processes and knowledge areas so as to manage the
project as a holistic single entity. It is thus believed that the package will be instrumental in
creating modern and unified construction project management system in Ethiopian Construction
Industry.
The Ethiopian Construction Project Management Institute (ECPMI) has initiated and led the
overall development of the CPMM Package. The Ministry of Urban Development and
Construction would like to extend its appreciation to Construction Solutions PLC (Consol), and
Ethiopian Institute of Architecture, Building Construction and City Development (EiABC) who
contractually worked with ECPMI in the preparation of the original version of CPMM Package,
while the latter has validated and assured the quality of the original ones and produced the
released version of the CPMM Package.
As the CPMM Package constitutes working manuals that are technical documents which, by their
nature, require periodic updating; revised editions will be issued by the Ministry from time to
time as appropriate. MUDC will establish Manuals Preparation and Revision Standing
Committee which collects feedback during the manual's three-year operation period and makes
the required amendments and revisions accordingly.
The Ministry of Urban Development and Construction as mandated acknowledges this document
as a national resource tool and can serve as an acceptable working manual which comprises a
front cover, an inside front cover, a title page, National Foreword, Preamble, Table of contents,
pages 1 to 57 and a back cover.
PREAMBLE
Whereas; Ethiopia Construction Project Management Institute (ECPMI), to partially cater for the
deficiencies of Project Management practices in the Construction Industry; has envisioned the
development of Construction Project Management Manuals (CPMMs) which are Critically
Adapted, Practice Oriented, User Friendly and Responsive to Continuous Improvement that:
1. describe Specific, Supplemental and Standardized Knowledge and Practices that are
generally accepted as "good industry practices" on most construction projects most of the
time,
2. define the Conceptual, Applicable and Technological contents, processes and their What
and How elements sufficiently,
3. reflect the peculiar features of the Construction Industry in Ethiopia and can be
implemented by the resources in practice currently,
4. lay down the policies, principles, processes and procedures in order to effectively
discharge duties and responsibilities, and
5. can be applied to any project nationwide with minor and moderate modifications.
Whereas; ECPMI identifies and enlists Nineteen Manuals of which Sixteen of them are
Construction Project Management Manuals, two of them are general guides (CPMM
Organization and Setup and User Guide), and one of them is operational (Construction Project
Design Services) Manual.
Whereas; ECPMI as the mandated body, to foster the development of Proactive and System based
CPMMs policies and principles and application of modern Construction Project Management in
Ethiopia governed by fundamental and best practices, envisions to cause the applications of these
CPMMs in order to improve the performances of Construction Projects;
Whereas; CPMMs are one among the critical bases for Initiating, Planning, Implementation
including Changes Administration, Monitoring & Evaluation, and Closing of Construction
Projects along the Business ↔ Project ↔ Product Management linkages with respect to their (1)
General Requirements, (2) Process Groups, (3) High Level Process Map (4) Detail Processes, (5)
Procedures or Instructions, and (6) Auxiliary or Annex Documents;
ECPMI has therefore caused the development of one of these CPMMs; namely: “Construction
Project Risk Management Manual (CPRMM)” as a framework to guide and govern
Construction Projects Implementation or Operations in line with the expected level of
Construction Projects Performances Worldwide with respect to developing, authorizing,
directing, managing or validating, and controlling the CP Services and / or Works to ensure the
harmonization, consolidation, communication and interrelationship of the various CPM BoKs
through CPRMM to make choices with respect to Resources Allocations, Balancing or Prioritizing
Competing Demands, Tailoring for specific situations, and Managing the relationships and
interdependencies.
1. SECTION 1: GENERAL
1.1. Introduction
The CPMMs are one among the focus areas and the cause for deficiencies in the expected
contributions of the Construction Industry in Ethiopia. ECPMI in collaboration with Construction
Solutions Plc. and the Construction Technology and Management Competence Unit of the EIABC
/ AAU identified and developed the following nineteen CPM manuals under three categories:
This Manual is prepared in order to develop standardized CPRM manual that guides the
implementation framework for one among the necessary CPMMs and apply them as a basis to
plan and collect requirements; use CP risk as a tool in order to Develop and Authorize CPRM
Documents; Direct, Manage, CP Services and / or Works; and Monitor and Control CP
Performances to successfully complete CPs.
www.ecpmi.gov.et
The following principles constitute the CPRMM principles and are described below (Table
1.2).
Assumptions log : Assumption Log is a document which the project manager and team use to capture, document, and track assumptions throughout a project’s lifecycle.
Decision : (1) The act or process of deciding (2) A position arrived at after consideration.
Decision Tree Analysis : A diagram that describes a decision under consideration and the implications of choosing one or another of the available alternatives. It is used when some future scenarios or outcomes of actions are uncertain.
Fallback plan : A fallback plan is implemented when the contingency plan fails or is not fully effective. In other words, you can say that the fallback plan is generally made for residual risks. It is a backup plan for the contingency plan.
Overall Project Risk : It represents the effects of uncertainty on the project as a whole.
Residual risks : The amount of risk left over after natural or inherent risks have been reduced by risk controls. Residual risk = Inherent Risk – Impact of Risk Controls.
Risk register : A risk management tool used as a repository for all risks identified and includes additional information about each risk, e.g. nature of the risk, reference and owner, mitigation measures.
Construction projects are exposed to several uncertain situations due to factors common to the
construction industry, such as:
Positive risks are opportunities, with some chance of occurrence, to meet project objectives and
negative risks are threats against meeting the project objectives. Positive risks are exploited to
enhance value of the project while negative risks, beyond the limits of tolerance, are to be:
avoided; transferred; or mitigated.
The response to risks is influenced by attitudes towards risks. Respecting peculiarities in each
project, the approach to risks needs to be consistent. Proactively and promptly addressing risk
management is very essential for successful performance of a company.
Risk may be looked into at two levels, individual risks and overall risk.
o Individual risks, the list of individual risks of a project dealt one by one during the risk
identification stage, are different from overall project risk.
o Overall project risk represents the effect of uncertainties on the project as a whole. It is
more than the sum of the individual risks within a project, as it includes all sources of
project uncertainty. It represents the exposure of stakeholders to the implications of
variations in project outcome, both positive and negative.
Organizations and stakeholders are willing to accept varying degrees of risk depending on their
risk attitude.
Risk Attitudes
The risk attitudes of organizations and the stakeholders may be influenced by a number of
factors, which are broadly classified as follows.
The Construction Project risk Management Manual (CPRMM) describes mainly the processes in
order to guide practitioners how to:
a. Plan CPRM
b. Identify CPR
c. CPRM Qualitative risk analysis
d. CPRM quantitative risk analysis for CP Services and / or Works
e. Response to CPRs
f. Control and Monitor risk finalizing or completing all activities of a Construction
Project, or a Construction Contract, or a Construction Project Phase.
The Five Generic Project Management Process Groups are (1) Initiating, (2) Planning, (3)
Executing, (4) Controlling, and (5) Closing Process Groups (PMBOK, 2016).
The CPRM Manual functions and outcomes along the Five Generic Project Management
Process Groups are as shown in Table 1.3 below.
1. Pre CP Design Services to ensure intended purpose (Business Case, Feasibility and
Design Brief) is clearly established;
2. During CP Design Services to realize the intended purpose on plan (Conceptual,
Preliminary and Final or Working Designs) ;
3. During CP Works or Executions (Sub Structure, Super Structure, Finishing,
Necessary Installations and Site Works) to efficiently realize the plan;
4. CP Completions to allow use of the product; and
5. Post CP Completion Services to ensure design life time is respected.
[Figure 1.2: CPRM High Level Process Map; surviving labels: Start, Respond to CP Risk, End]
Construction Project Risk Management estimates should include the following two components:
The base cost component: The base cost represents the cost that can reasonably be
expected if the project materializes as planned. The base cost does not include
contingencies; and
The risk (or uncertainty) component: Once the base cost is established, a list of risks,
covering both opportunities and threats, is created; this list is called a “risk register.”
The risk assessment replaces general and vaguely defined contingency with explicitly
defined risk events. Risk events are characterized in terms of probability of occurrence
and the consequences of each potential risk event.
The project manager and project team are required to have the expected skills and competency
levels to execute the risk management processes. The purpose of the competencies is to frame
expectation within project management professionals and help identify skills, development
opportunities and career paths. The two major competencies required from Risk Project
management professionals are Technical competence and Behavioural competence.
Technical Competence
Project management professionals involved in the preparation of risk management plan need to
have acquired knowledge on planning and appropriate analytical techniques, sufficient hands on
experience in preparation of risk management or related plans, and experience in projects of
similar nature. They also need to have the ability of strategic thinking, argument, structuring
information logically, and visualization.
Behavioural Competence
Behavioural competences expected from project manager include: good communication and
coordination capacity; listening; time management; team working, fairness; ability to motivate
colleagues, emotional strength, sharing values, and persuasiveness.
Ethiopian Construction Project Management Institute manuals are divided into seventeen
knowledge areas and one additional subject (Organizational set-up) is added to supplement the
construction project management. The knowledge areas consist of processes applicable to
construction projects. The Procurement management processes are defined in terms of purpose,
description and primary inputs, mechanisms, control/constraints and outputs in section herein
below, and are interdependent.
The risk management knowledge area includes the processes required to identify and manage
threats and opportunities. Table 2.1 depicts interaction of risk management process with process
groups / project development phases.
Table 2.1: Relationship between risk knowledge areas and process groups
Depending on the project phase, specified CP risk management tasks need to be carried out.
Table 2.1 above presents the summary of the main CP risk management tasks the project
manager should concentrate on during the project life cycle:
These processes interact with each other and with the processes in other knowledge areas. The
relationship between each process is mapped, employing IMCOs diagram technique, in Figure
2.5
[Figure: IMCO diagram showing Inputs, Constraints, Mechanisms and Outputs around a Processes / Functions box]
Construction project risk management requires good planning. It is a good practice to begin with
established construction project management practices: review organizational policies and
guidance; initiate and align the project team; and follow the steps provided in this manual. Risk
management must commence early in project development and proceed as the project evolves
and project information increases in quantity and quality. Plan to:
The plan project risk management process is the process of defining how to conduct risk
management activities for a project. The risk management plan is vital to communicate with and
obtain agreement and support from all stakeholders to ensure the risk management process is
supported and performed effectively over the project life cycle [3].
The risk management planning process should begin when a project is conceived and should be
completed early during project planning [3].
Risk management planning is performed during project planning. If the project experiences a
significant change (e.g., scope, personnel, schedule) then the risk planning process would be re-
visited concurrently with any overall project re-planning. Figure 2.2 shows the IDEF0 diagram for
Planning Risk Management.
Planning risk management is the process of defining how to conduct risk management activities
for a construction project [3].
2. Identify Risk Events: Risk identification involves determining which risks might affect the project and documenting their characteristics.
3. Qualitative Risk Analysis: Qualitative risk analysis assesses the impact and likelihood of the identified risks, and develops prioritized lists of these risks for further analysis or direct mitigation. Project teams assess each identified risk for its probability of occurrence and its impact on project objectives. Teams may elicit assistance from subject matter experts or functional units to assess the risks in their respective fields.
6. Risk Monitoring & Control: Risk monitoring and control tracks identified risks, monitors residual risks, and identifies new risks—ensuring the execution of risk plans and evaluating their effectiveness in reducing risk. Risk monitoring and control is an ongoing process for the life of the project.
Table 2.2 below provides a supportive comparison between risk and objectives for various types
of risk management.
Typical length: 1-2 days [define based on project nature] | 3-5 days [define based on project nature]
Timing: Any time; typically updated when design changes or other changes to the project warrant an updated CRA | It is best to start early in the process; major projects are typically updated as needed.
Note: The project manager, based on project complexity, defines the level of risk assessment,
submits a workshop request, and works with the project team (internal and external) to ascertain or
define the type of workshop required and the candidate participants.
[Figure 2.2: IMCO for plan CP Risk Management Process; surviving labels: Constraints, Mechanisms, Competencies]
Risk categories;
Common definitions of concepts and terms;
Risk statement formats;
Standard templates;
Roles and responsibilities; and
Authority levels for decision making.
2.1.2. Plan construction Project risk management: Mechanisms
Risk management plan describes how risk identification, qualitative and quantitative analysis,
response planning, monitoring, and control will be structured and performed during the project
life cycle. The risk management plan does not address responses to individual risks which would
be handled in the risk response plan.
A stakeholder risk profile analysis may be performed by employing appropriate toolkits. Based
on such assessments, the project team can allocate appropriate resources and focus on the risk
management activities.
PESTLE analysis (political, economic, social, technological, legal, and environmental analysis) is
a marketing tool that facilitates the tracking of the new project environment and by which these
factors are examined to determine specific risks associated with the project location [3/4].
PESTLE analysis and classification of stakeholder for simple project whilst for Medium and Large
projects it is advisable to carry out additional stakeholder analysis methods such as Project
Stakeholders Potential Matrix, Stakeholders Commitment Matrix, and Attitude Information Grid
… etc, as the success or failure of the project may depend on the way how the stakeholders are
handled.
To ensure a comprehensive establishment of the risk management plan, judgment, and expertise
should be considered from groups or experts, persons with specialized training or knowledge on
the subject area.
c). Meetings
Project teams hold meetings to develop the risk management plan. These meetings may include
the project manager, selected project team members and stakeholders, anyone in the organization
with responsibility to manage the risk planning and execution activities, and others, as needed.
Factors that constrain plan risk management process include: enterprise environmental factors;
attitude of stakeholders towards risk management; organizational process assets; the contract
document and procurement legislations; lack of experience in risk management; lack of relevant
input data. Other prevailing legislations may also be constraints in planning risk management.
The instructions below provide the activities that shall be carried out for risk management
planning:
Planning
Scoping
Design/Plans, Specifications, and Estimate (Engineer’s Estimate)
Construction
As projects evolve through project development, the risk profile (see Annex 2) evolves and
understanding grows. Therefore, previously identified risks may change and new risks may be
identified throughout the life of the project.
The inputs, tools and techniques, controls, constraints and the outputs for risk process are shown
in Figure 2.3.
[Figure 2.3: IMCO for Identify CP risk]
Process: Identify CP risk
Inputs: CP risk management plan; CP cost management plan; Quality management plan; Human resource management plan; Scope baseline; Stakeholder register; Organizational process asset
Outputs: CP risk register
Other labels: Constraints; Mechanisms; Competencies
context,
scope,
schedule, and
Estimate, commensurate with the level of project development at the time of risk analysis.
With scope creep. (Source: Project Management Book of Knowledge)
Key elements of the risk management plan that contribute to Identification of the Risk process are
the roles and responsibilities, provision for risk management activities in the budget and
schedule, and categories of risk, which are sometimes expressed as a risk breakdown structure.
Figure 8 shows risk breakdown structure (RBS) and Annex 2 provides samples for risk
breakdown structure.
[Figure 2.4: Typical Risk breakdown structure (RBS)]
Const. Project
Technical: requirements; complexity and interfaces; performance and reliability; quality
External: subcontractors and suppliers; market; customer; weather
Organizational: project dependencies; funding; prioritization
CP Management: estimating; controlling; communications
a.) CP Cost Management Plan: The cost management plan provides processes and controls
that can be used to help identify risks across the project.
b.) CP Schedule Management Plan: The schedule management plan provides insight to
project time/schedule objectives and expectations which may be impacted by risks
(known and unknown).
c.) Quality Management Plan: The quality management plan provides a baseline of quality
measures and metrics for use in identifying risks.
d.) CP Human Resource Management Plan: The human resource management plan provides
guidance on how project human resources should be defined, staffed, managed, and
eventually released. It can also contain roles and responsibilities, project organization
charts, and the staffing management plan, which form a key input to identify risk process.
e.) CP Scope Baseline: Project assumptions are found in the project scope statement.
Uncertainty in project assumptions should be evaluated as potential causes of project risk.
The work breakdown structure is a critical input to identifying risks as it facilitates an
understanding of the potential risks at both the micro and macro levels.
f.) Stakeholder Register: Information about the stakeholders is useful for soliciting inputs to
identify risks, as this will ensure that key stakeholders, especially the stakeholder,
sponsor, and customer are interviewed or otherwise participate during the Identify Risks
process.
g.) Organizational Process Assets: Of the organizational process assets, in the main, the
following influence risk identification process.
one of the best and most popular ways to identify both risks and key controls and is the
basis for most risk workshops [4].
Interviewing and focused group discussion. Interviewing experienced project
participants, stakeholders, and subject matter experts and organizing a focused group
discussion help to identify risks [4].
Work Breakdown Structure (WBS) Analysis. WBS analysis is used to pinpoint risk areas.
The deeper we go into work breakdown, the more detailed will be the risk areas.
Scenario Analysis. A scenario is a short story or description of a situation of how a future
event or events might turn out or look like. For each scenario, participants reflect and
analyze the potential consequences and potential causes when analyzing risk [4].
Checklist
Checklists are lists of hazards, risks or control failures that have been developed usually from
experience, either as a result of a previous risk assessment or as a result of past failures or
incidents. Checklists for construction projects include:
Type of contract
Unfavourable clauses
Site and area factors
Weather
Regulatory and labor factors
Knowledge of client
Construction equipment requirements
Method or techniques
Construction materials
A structured “What-if” Technique (SWIT)
This is a systematic, team based exercise, where the facilitator utilizes a set of ‘prompt’ words or
phrases to stimulate participants to identify risks [4].
This method is similar to a form of creative thinking called reverse brainstorming. This technique
is used for identifying and analyzing factors that can contribute to a specified undesired event
(called the “top event”). Causal factors are then identified and organized in a logical manner and
represented pictorially in a tree diagram [4].
Incident Analysis
Incidents are risks that have occurred. Recording incidents in a register, conducting root cause
analysis and periodically running some trend analysis reports to analyze incidents, can
potentially enable new risks to be identified. In addition, a high frequency of like incidents can be
a lead risk indicator to a potentially larger problem [4].
Diagramming Techniques
Cause and effect diagrams. These are also known as Ishikawa or fishbone diagrams and
are useful for identifying causes of risks.
System or process flow charts. These show how various elements of a system interrelate
and the mechanism of causation.
Influence diagrams. These are graphical representations of situations showing causal
influences, time ordering of events, and other relationships among variables and outcomes
[3].
SWOT Analysis
This technique examines the project from the strengths, weaknesses, opportunities, and threats
(SWOT) perspectives to increase the breadth of identified risks by including internally generated
risks. The technique starts with identification of strengths and weaknesses of the organization
(strength and weakness are internal), focusing on either the project, organization, or the business
area in general. SWOT analysis then identifies any opportunities for the project that arise from
organizational strengths, and any threats arising from organizational weaknesses (opportunities
and threats are external). The analysis also examines the degree to which organizational strengths
offset threats, as well as identifying opportunities that may serve to overcome weaknesses [3].
Significant knowledge of similar projects and project environment can be acquired from experts.
Interviewing local experienced project managers, industry professionals, construction managers,
and subject matter experts can help identify specific local risks. The project manager should
identify local experienced experts and invite them for interviewing.
b.) Refer to section 2.1.3 of risk management planning for controls and constraints.
Identification # for each risk identified – Assign a unique number to each risk for tracking
purposes. If available, do this by utilizing an established Risk Breakdown Structure (refer Figure
2.4 for typical RBS);
Date and phase of project development when risk was identified – Document the date the risk
was identified and in which project development phase (initiating, planning,
execution/implementing, monitoring & control, close).
Name of risk (does the risk pose a threat or present an opportunity?) – Ensure each identified risk
has an appropriate name; for example, “ROW Delay” or “Unforeseen site condition”.
Detailed description of risk event – The detailed description of the identified risk must provide
information that is Specific, Measurable, Attributable (a cause is indicated), Relevant, and
Time-bound (SMART). Ensure the description is clear and thorough enough that others
reading it will understand what it means.
Risk trigger – Each identified risk must include the risk trigger(s). Risks rarely just suddenly
occur; usually there is some warning of imminent threat or opportunity. Clearly describe and
document these warning signs and information about the risk. For example, “ROW or Possession
of site Date” may be considered a risk trigger on a project that has a risk of a legal challenge.
Risk type – Does the identified risk affect project schedule, cost, or both?
Potential responses to identified risk – Document, if known, possible response actions to the
identified risk—can the identified threat be avoided, transferred, or mitigated, or is it to be
accepted? Can the identified opportunity be exploited, shared, or enhanced?
Comments about risk identification – Risk management is an iterative process, so regularly
review project risks. As new risks are identified, document and assess them. Consider the resulting
risk register preliminary only until the completion of additional and appropriate activities.
The steps / instructions below provide the activities that shall be carried out for risk
identification:
a) Step 1: Determine risk thresholds for the project—establish a minimum estimate and time
duration considered significant for the project under evaluation.
b) Step 2: Focus on identifying large significant risks that affect project objectives.
c) Step 3: Carefully document and describe risks in a risk register.
d) Step 4: Characterize risks in terms of impact and probability. Note: High-impact risks
with low probabilities should be of particular interest to the Project Risk Manager.
General
The next process after risk identification is risk analysis. The processes present the two types of
risk analysis: qualitative and quantitative. This section deals with the qualitative risk analysis.
Risk analysis is a systematic use of available information to determine how often specified events
may occur and the magnitude of their consequences. Performing Qualitative Risk Analysis is the
process of prioritizing risks for further analysis or action by assessing and combining their
probability of occurrence and impact.
The key benefit of this process is that it enables project managers to focus on high-priority risks
and keep an eye on low-priority risks recorded on a watch list.
Qualitative Risk Analysis assesses the impact and likelihood of the identified risks and develops
prioritized lists of these risks for further analysis or direct mitigation.
The project manager and the project team assess each identified risk for its probability of occurrence
and its impact on project objectives.
Qualitative risk analysis shall be used by project manager and project teams:
analysis may assume four levels. The levels, the characteristics of each level, and the additional
values of one over the other/s are depicted in Table 2.4.
1 Probability – Impact Matrix
Identified risks are prioritized by placing the risk into cells of a probability - impact matrix.
Each identified risk is labelled by its chance of occurrence and impact on the project
objectives.
It is easy to apply and effective for small projects and initial level assessment of all small,
medium and large projects. Prioritizing of risk using this method may be challenged if the
labelling made by the team members is highly scattered among the cells of the matrix.
2 Risk significance index
The qualitative evaluations (for both likelihood and impact) of each respondent are converted
to empirical (numerical) values and the average of the products yields the risk significance
index. The identified risks are then prioritized as per their index.
The process is the same as the probability impact matrix. It overcomes the shortcomings of the
Probability – Impact Matrix by attaching a significance index to each identified risk based on
the ranking points from members.
3 Fuzzy DEMATEL method (threshold determined by decision makers)
The identified risks are prioritized based on the impact of one risk on the others.
The above two methods prioritize the identified risks based on their impact only on the project
objectives. This method considers the impact of one risk on the others.
The inputs, Tools and Techniques, controls, constraints and the outputs for qualitative risk
analysis process are shown in Figure 2.5.
[Figure 2.5. Process box: Perform CP Qualitative risk. Constraints: enterprise environmental
factors; attitude of stakeholders towards risk management; contract document and
procurement legislation; lack of experience in risk management; lack of relevant input ideas.
Inputs and outputs as labelled: CP risk management plan; CP scope baseline; organizational
process asset; CP document updates; CP risk register updates; assumption log updates.
Mechanisms: competencies.]
Projects of a common or recurrent type tend to have more well-understood risks. Projects using
state-of-the-art or first-of-its-kind technology, and highly complex projects, tend to have more
uncertainty. This can be evaluated by examining the scope baseline.
The risk register contains the information that will be used to assess and prioritize risks.
The organizational process assets that can influence the qualitative risk analysis process include
information on prior, similar completed projects.
Probability and Impact Matrix is a tool for the project team to aid in prioritizing risks. There may
be several risks in any project. Depending on the size and complexity of the project in hand, the
risks may vary in number and significance. Addressing all the identified risks is practically
impossible. So, it is necessary to find a way to identify those critical risks which need prior
attention from the project team.
Probability and Impact Matrix uses the combination of probability and impact scores of
individual risks and ranks/prioritizes them for easy handling of the risks. In other words, the
probability and impact matrix assists in determining which risks need detailed risk response
plans. It is vital to understand the priority for each risk as it allows the project team to
appreciate the relative importance of each risk.
The Probability Impact Matrix addresses the issue purely through qualitative feedback from
experienced team members. If there is no consensus among the team members as to where
(which cell) a potential risk should fall in the probability impact matrix, the same potential risk
may be placed in different cells by different evaluators. In such a case, it may be difficult to
prioritize the risks due to scattering of the potential risks into different cells. Risk Significance
Score is more robust when such a situation occurs. Annex 2 provides a sample template for the
risk significance index.
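How scattered ratings are resolved by a risk significance index, as an added example that is not part of the manual. The 1 to 5 numeric scale and the evaluator ratings are constructed assumptions; the manual's own ranking code sits in its annexes and is not reproduced here.

```python
from collections import Counter
from statistics import mean

# ASSUMED five-level scale; not the manual's own ranking code.
SCALE = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Constructed sample data: one (likelihood, impact) pair per evaluator per risk.
RATINGS = {
    "ROW Delay": [
        ("High", "Very High"), ("Medium", "High"),
        ("Very High", "High"), ("High", "High"),
    ],
    "Unforeseen site condition": [
        ("Low", "Very High"), ("Medium", "Very High"),
        ("Low", "High"), ("Medium", "High"),
    ],
    "Material price escalation": [
        ("High", "Medium"), ("High", "Medium"),
        ("High", "Medium"), ("High", "Medium"),
    ],
}


def cell_scatter(ratings):
    """Count how often each probability-impact cell was chosen for one risk.

    More than one key means the evaluators disagree on the cell, which is
    the situation where the plain matrix cannot rank the risk.
    """
    return Counter(ratings)


def significance_index(ratings):
    """Average, over evaluators, of likelihood score times impact score."""
    return mean(SCALE[likelihood] * SCALE[impact] for likelihood, impact in ratings)


def prioritize(all_ratings):
    """Return (risk, index, distinct cells) rows, highest index first."""
    rows = [
        (name, significance_index(ratings), len(cell_scatter(ratings)))
        for name, ratings in all_ratings.items()
    ]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, index, cells in prioritize(RATINGS):
        print(f"{name:<28} index={index:<6} cells used by evaluators={cells}")
```

Two of the three constructed risks land in four different cells each, yet every risk still receives a single index, so the list can be ranked without forcing consensus on a cell.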
In construction projects, risk factors arise from varying areas, such as political, economic, social,
technological and geographical environments, as well as from the project implementation. In
projects, risks, in addition to directly impacting the project objectives, indirectly impact the
project objectives through the influences among themselves.
If the interrelationships of risk are envisaged to be significant, and the analysis to be made is so
sensitive, there will be a need for a systematic integrated approach to risk assessment. This leads
us to the use of systematic group decision making methods, which produce systematic structures
of risks and their interrelationships.
Because of the fuzzy logic of the human way of thinking, which is to trade-off between
significance and precision, values presented in the procedure of risk assessment, by risk
management team members, are not absolute. Due to the recent discussion, fuzzy logic is
accepted as a governing theory over the systematic structure.
a.) Risk register updates. As new information becomes available through the qualitative risk
assessment, the risk register is updated. Updates to the risk register may include
assessments of probability and impacts for each risk, risk ranking or scores, risk urgency
information or risk categorization, and a watch list for low probability risks or risks
requiring further analysis.
b.) Assumptions log updates. As new information becomes available through the qualitative
risk assessment, assumptions could change. The assumptions log needs to be revisited to
accommodate this new information. Assumptions may be incorporated into the project
scope statement or in a separate assumptions log.
Once a risk is identified, including a thorough description of the risk and risk triggers, it can be
characterized in terms of probability of occurrence and the consequence if it does occur. The
steps/instructions below provide the activities that shall be carried out for qualitative risk
analysis:
a) Step 1. Gather the project team and appropriate persons to discuss project risk. Establish
which of the qualitative risk matrices you intend to use, and define the terms you plan to
use (Very High, High, Medium, Low, etc.).
b) Step 2. Review the risk information from the risk identification step.
c) Step 3. Discuss the risk with the group.
d) Step 4. Evaluate the likelihood of the risk occurring by asking the group, “How likely is it
that this risk will occur?” Record the result that the group agrees on.
e) Step 5. Evaluate the consequences if the risk does occur by asking the group, “What will
be the impacts if this risk does occur?” Record the result that the group agrees on.
f) Step 6. Prioritize the risks based on the results of the qualitative analysis. If it is desirable,
the risks can also be grouped by category (e.g., Environmental, Structures/
Geotechniques) and ranked within each category.
Steps for filling Probability-Impact Matrix (qualitative risk analysis)
Step 1: Form expertise group with experience on Project Management
Step 2: Brainstorm on (and prepare long list of) the potential Risks of the Project under
consideration
Step 3: Allow the expert group to rate each of the identified risks as per the ranking code
provided under Annex 2-14 or similar. The rating is made by consensus
Step 4: Place each identified risk in the cells of Figure (see Annex 2-16) according to the
consensus obtained under the third point (above).
The risks that fall in the red zone are top priorities and the risks that fall in the green zone are
least priorities.
General
Quantitative Risk Analysis numerically estimates the probability that a project will meet its cost
and time objectives. Quantitative analysis is based on a simultaneous evaluation of the impacts of
all identified and quantified risks.
This process highlights and offers several tools for quantitative analysis of risk.
Quantitative techniques, such as Monte Carlo simulation, can be a powerful tool for analysis of
project risk and uncertainty. This technique provides project forecasts with an overall outcome
variance for estimated project cost and schedule. Probability theory allows us to look into the
future and predict possible outcomes.
Performing Quantitative Risk Analysis is the process of quantitatively analyzing the effect of
identified potential risks on overall construction project objectives. The key benefit of this process
is that it produces quantitative risk information to support decision making in order to reduce
project uncertainty.
Quantitative Risk Analysis is performed on risks that have been prioritized by employing
Qualitative Risk Analysis process as potentially and substantially impacting the project’s
competing demands. Performing Quantitative Risk Analysis process analyzes the effect of those
risks on project objectives. It is used mostly to evaluate the aggregate effect of all risks potentially
affecting the project. When the risks drive the quantitative analysis, the process may be used to
assign a numerical priority rating to those risks individually.
The project manager should exercise expert judgment to determine the need for and the viability of
quantitative risk analysis. The availability of time and budget, and the need for qualitative or
quantitative statements about risk and impacts, will determine which method(s) to use on any
particular project [3].
The inputs, Tools and Techniques, controls, constraints and the outputs for quantitative risk
analysis process are shown in Figure 2.6.
[Figure 2.6. Constraints: enterprise environmental factors; attitude of stakeholders towards
risk management; contract document and procurement legislation; lack of experience in risk
management; lack of relevant input ideas. Other labels: Inputs; Outputs; Competencies.]
The risk management plan provides guidelines, methods, and tools to be used in quantitative risk
analysis.
The cost management plan provides guidelines on establishing and managing risk reserves.
The schedule management plan provides guidelines on establishing and managing risk reserves.
The risk register is used as a reference point for performing quantitative risk analysis.
The organizational process assets that can influence the Perform Quantitative Risk Analysis
process include information from prior, similar completed projects.
In order to fully understand the project, the project team must determine what it knows and
what it does not know about the project. In the construction industry (civil engineering),
resources are available that clearly explain what is known about a project, such as:
aerial photography,
surveying,
site investigations,
bid histories,
real estate services,
right of way, utilities,
access management,
environmental, hydraulics, structures, geotechnical, railroad, tribal, security, planning and
programming, ad/bid/award, construction, tolling, economic, programming, external
resource agencies and stakeholders, public interest groups, and others.
Gather and Represent Data
Quantitative analysis is generally led by a cost risk expert from the Strategic Analysis and
Estimating Office, sometimes augmented by consultant staff and in collaboration with the
Project Manager.
Interviews: Can be formal or informal settings, such as smaller group meetings or larger
formal workshops.
Subject matter expert input: Participate collaboratively with the project team and cost-risk
team; you can also participate in interviews or contribute opinions in other ways such as
surveys (questionnaires).
Data: Represent data in terms of probability and impact; you can represent impacts using
discrete distributions or continuous distributions.
Modelling and Simulation. A project simulation uses a model that translates the specified
detailed uncertainties of the project into their potential impact on project objectives.
Simulations are typically performed using the Monte Carlo technique. In a simulation, the
project model is computed many times (iterated), with the input values (e.g., cost estimates
or activity durations) chosen at random for each iteration from the probability distributions
of these variables. A histogram (e.g., total cost or completion date) is calculated from the
iterations. For a cost risk analysis, a simulation uses cost estimates. For a schedule risk
analysis, the schedule network diagram and duration estimates are used. The output from
a cost risk simulation using the three-element model and risk ranges is shown in Annex 3.
It illustrates the respective probability of achieving specific cost targets. Similar curves can
be developed for other project objectives.
Expert judgment (ideally using experts with relevant, recent experience) is required to identify
potential cost and schedule impacts, to evaluate probability, and to define inputs such as
probability distributions into the tools. Expert judgment also comes into play in the interpretation
of the data. Experts should be able to identify the weaknesses of the tools as well as their
strengths. Experts may determine when a specific tool may or may not be more appropriate.
Enterprise environmental factors may provide insight and context to the risk analysis, such as:
Probabilistic analysis of the project. Estimates are made of potential project schedule and
cost outcomes listing the possible completion dates and costs with their associated
confidence levels. This output, often expressed as a cumulative frequency distribution, is
used with stakeholder risk tolerances to permit quantification of the cost and time
contingency reserves. Such contingency reserves are needed to bring the risk of
overrunning stated project objectives to a level acceptable to the organization.
Probability of achieving cost and time objectives. With the risks facing the project, the
probability of achieving project objectives under the current plan can be estimated using
quantitative risk analysis results.
Prioritized list of quantified risks. This list includes those risks that pose the greatest
threat or present the greatest opportunity to the project. These include the risks that may
have the greatest effect on cost contingency and those that are most likely to influence the
critical path. These risks may be evaluated, in some cases, through a tornado diagram
generated as a result of the simulation analysis.
Trends in quantitative risk analysis results. As the analysis is repeated, a trend may
become apparent that leads to conclusions affecting risk responses. Organizational
historical information on project schedule, cost, quality, and performance should reflect
new insights gained through the Perform Quantitative Risk Analysis process. Such history
may take the form of a quantitative risk analysis report. This report may be separate from,
or linked to, the risk register.
The figure below illustrates the elements of the quantitative risk analysis.
The Perform Quantitative Risk Analysis seeks to determine the overall risks to project objectives
when all risks potentially operate simultaneously on the project.
Quantitative Risk Analysis provides answers to several questions regarding the project. The key
elements are as follows:
The instructions below provide the activities that shall be carried out for quantitative risk
analysis:
a) Steps to run Monte Carlo Analysis
Step 1: Identify the key project risk variables.
Step 2: Identify the range limits for these project variables.
Step 3: Specify probability weights for this range of values.
Step 4: Establish the relationships for the correlated variables.
Step 5: Perform simulation runs based on the identified variables and the correlations.
Step 6: Statistically analyze the results of the simulation run.
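The six steps above carried through for a cost risk analysis, as an added example that is not part of the manual. The cost items, ranges, risk-event probabilities, the triangular distributions and the correlation value are constructed assumptions; the correlation in Step 4 is modelled with a Gaussian copula, a technique chosen here and not one the manual prescribes.

```python
import bisect
import math
import random
import statistics

# Constructed sample inputs; every figure is hypothetical (cost units arbitrary).
# Steps 1-3: key variables with range limits (low, most likely, high); the
# triangular distribution supplies the probability weights over each range.
COST_ITEMS = {
    "earthworks": (40.0, 50.0, 75.0),
    "structures": (90.0, 100.0, 140.0),
    "finishing": (25.0, 30.0, 40.0),
}
# Risk events from the register: (probability of occurrence, cost impact range).
RISK_EVENTS = {
    "ROW delay": (0.30, (5.0, 10.0, 25.0)),
    "unforeseen site condition": (0.15, (10.0, 20.0, 50.0)),
}
BASE_ESTIMATE = sum(mode for _, mode, _ in COST_ITEMS.values())  # 180.0


def triangular_ppf(u, low, mode, high):
    """Inverse CDF of the triangular distribution for u in [0, 1]."""
    cut = (mode - low) / (high - low)
    if u < cut:
        return low + math.sqrt(u * (high - low) * (mode - low))
    return high - math.sqrt((1.0 - u) * (high - low) * (high - mode))


def normal_cdf(z):
    """Standard normal CDF, used to turn a normal draw into a uniform one."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def one_iteration(rng, rho):
    """Compute the project cost model once with randomly drawn inputs."""
    # Step 4: earthworks and structures are assumed to move together. rho is
    # the correlation of the underlying normal drivers (Gaussian copula).
    z1 = rng.gauss(0.0, 1.0)
    z2 = rho * z1 + math.sqrt(1.0 - rho * rho) * rng.gauss(0.0, 1.0)
    total = triangular_ppf(normal_cdf(z1), *COST_ITEMS["earthworks"])
    total += triangular_ppf(normal_cdf(z2), *COST_ITEMS["structures"])
    low, mode, high = COST_ITEMS["finishing"]
    total += rng.triangular(low, high, mode)  # independent of the other items
    for prob, (low, mode, high) in RISK_EVENTS.values():
        if rng.random() < prob:  # the risk event occurs in this iteration
            total += rng.triangular(low, high, mode)
    return total


def simulate(iterations=20000, rho=0.6, seed=2019):
    """Step 5: run the model many times; returns total costs sorted ascending."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    return sorted(one_iteration(rng, rho) for _ in range(iterations))


def percentile(sorted_totals, p):
    """Value below which roughly p percent of the simulated totals fall."""
    index = min(len(sorted_totals) - 1, int(p / 100.0 * len(sorted_totals)))
    return sorted_totals[index]


def summarize(sorted_totals, target=BASE_ESTIMATE, confidence=80):
    """Step 6: statistics that feed the contingency reserve decision."""
    p_conf = percentile(sorted_totals, confidence)
    within = bisect.bisect_right(sorted_totals, target) / len(sorted_totals)
    return {
        "mean": statistics.fmean(sorted_totals),
        "stdev": statistics.pstdev(sorted_totals),
        "p50": percentile(sorted_totals, 50),
        "p_conf": p_conf,
        "prob_within_target": within,   # chance of meeting the base estimate
        "contingency": p_conf - target,  # reserve needed at the chosen confidence
    }


if __name__ == "__main__":
    for name, value in summarize(simulate()).items():
        print(f"{name:>20}: {value:8.2f}")
```

Running `simulate(rho=0.0)` and comparing the `stdev` values shows how ignoring the correlation in Step 4 narrows the spread of outcomes and understates the reserve.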
General
Planning risk responses is the process of developing options and actions to enhance opportunities
and to reduce threats to project objectives. The key benefit of this process is that it addresses the
risks by their priority, inserting resources and activities into the budget, schedule and project
management plan as needed.
Each risk response requires an understanding of the mechanism by which it will address the risk.
This is the mechanism used to analyze if the risk response plan is having the desired effect. It
includes the identification and assignment of one person (an owner for risk response) to take
responsibility for each agreed-to and funded risk response. Risk responses should be appropriate
for the significance of the risk, cost-effective in meeting the challenge, realistic within the project
context, agreed upon by all parties involved, and owned by a responsible person. Selecting the
optimum risk response from several options is often required. The process of planning risk
responses presents commonly used approaches to planning responses to the risks. Risks include
threats and opportunities that can affect project success, and responses are discussed for each.
Risk response requires effort to develop and implement response actions; the project manager
must plan for expending this effort following the results of the risk analysis. To this end, the
project manager has a number of tools readily available, including the Risk Management
Planning spreadsheet. The Project Risk Manager should pay special attention to high-impact,
low-probability risks. Team awareness and conscious monitoring of these risks can be
accomplished through team meetings, informing upper management, and seeking counsel from
appropriate experts.
Threats Opportunities
1-Avoid 1-Exploit
2-Transfer 2-Share
3-Mitigate 3-Enhance
4-Accept 4-Accept
The inputs, Tools and Techniques, controls, constraints and the outputs for risk response process
are shown in Figure 2.9.
[Figure 2.9. Process box: CP risk response. Constraints: enterprise environmental factors;
attitude of stakeholders towards risk management; contract document and procurement
legislation; lack of experience in risk management; lack of relevant input ideas. Inputs: CP
management plan; CP risk register. Outputs: CP document updates; CP management plan
updates. Mechanisms: competencies.]
Important components of the risk management plan include roles and responsibilities, risk
analysis definitions, timing for reviews (and for eliminating risks from review), and risk
thresholds for low, moderate, and high risks. Risk thresholds help identify those risks for which
specific responses are needed.
The risk register refers to identified risks, root causes of risks, lists of potential responses, risk
owners, symptoms and warning signs, the relative rating or priority list of project risks, risks
requiring responses in the near term, risks for additional analysis and response, trends in
qualitative analysis results, and a watch list, which is a list of low priority risks within the risk
register.
used to choose the most appropriate responses. Specific actions are developed to implement that
strategy, including primary and backup strategies, as necessary.
A fallback plan can be developed for implementation if the selected strategy turns out not to be
fully effective or if an accepted risk occurs. Secondary risks should also be reviewed. Secondary
risks are risks that arise as a direct result of implementing a risk response. A contingency reserve
is often allocated for time or cost. If developed, it may include identification of the conditions that
trigger its use.
Three strategies, which typically deal with threats or risks that may have negative impacts on
project objectives if they occur, are: avoid, transfer, and mitigate. The fourth strategy, accept, can be
used for negative risks or threats as well as positive risks or opportunities. Each of these risk
response strategies has a varied and unique influence on the risk condition. These strategies
should be chosen to match the risk’s probability and impact on the project’s overall objectives.
Avoidance and mitigation strategies are usually good strategies for critical risks with high impact,
while transference and acceptance are usually good strategies for threats that are less critical and
with low overall impact. The four strategies for dealing with negative risks or threats are further
described as follows.
Avoid. Risk avoidance is a risk response strategy whereby the project team acts to
eliminate the threat or protect the project from its impact. It usually involves changing
the project management plan to eliminate the threat entirely. The project manager may
also isolate the project objectives from the risk’s impact or change the objective that is in
jeopardy. Examples of this include extending the schedule, changing the strategy, or
reducing scope. Some risks that arise early in the project can be avoided by clarifying
requirements, obtaining information, improving communication, or acquiring expertise.
Transfer. Risk transference is a risk response strategy whereby the project team shifts the
impact of a threat to a third party, together with ownership of the response. Transferring
the risk simply gives another party responsibility for its management—it does not
eliminate it. Transferring does not mean disowning the risk by transferring it to a later
project or another person without its knowledge or agreement. Risk transference nearly
always involves payment of a risk premium to the party taking on the risk. Transferring
liability for risk is most effective in dealing with financial risk exposure. Transference
tools can be quite diverse and include, but are not limited to, the use of insurance,
performance bonds, warranties, guarantees, etc. Contracts or agreements may be used to
transfer liability for specified risks to another party. For example, when a buyer has
capabilities that the seller does not possess, it may be prudent to transfer some work and
its concurrent risk contractually back to the buyer. In many cases, use of a cost-plus
contract may transfer the cost risk to the buyer, while a fixed-price contract may transfer
risk to the seller.
Mitigate. Risk mitigation is a risk response strategy whereby the project team acts to
reduce the probability of occurrence or impact of a risk. It implies a reduction in the
probability and/or impact of an adverse risk to be within acceptable threshold limits.
Taking early action to reduce the probability and/or impact of a risk occurring on the
project is often more effective than trying to repair the damage after the risk has
occurred. Adopting less complex processes, conducting more tests, or choosing a more
stable supplier are examples of mitigation actions.
Accept. Risk acceptance is a risk response strategy whereby the project team decides to
acknowledge the risk and not take any action unless the risk occurs. This strategy is
adopted where it is not possible or cost-effective to address a specific risk in any other
way. This strategy indicates that the project team has decided not to change the project
management plan to deal with a risk, or is unable to identify any other suitable response
strategy. This strategy can be either passive or active. Passive acceptance requires no
action except to document the strategy, leaving the project team to deal with the risks as
they occur, and to periodically review the threat to ensure that it does not change
significantly. The most common active acceptance strategy is to establish a contingency
reserve, including amounts of time, money, or resources to handle the risks.
Three of the four responses are suggested to deal with risks with potentially positive impacts on
project objectives, namely: exploit, enhance, and share. The fourth strategy, accept, can be used for
negative risks or threats as well as positive risks or opportunities. These strategies, described
below, are to exploit, share, enhance, and accept.
Exploit. The exploit strategy may be selected for risks with positive impacts where the
organization wishes to ensure that the opportunity is realized. This strategy seeks to
eliminate the uncertainty associated with a particular upside risk by ensuring the
opportunity definitely happens. Examples of directly exploiting responses include
assigning an organization’s most talented resources to the project to reduce the time to
completion or using new technologies or technology upgrades to reduce cost and duration
required to realize project objectives.
Enhance. The enhance strategy is used to increase the probability and/or the positive
impacts of an opportunity. Identifying and maximizing key drivers of these positive-
impact risks may increase the probability of their occurrence. Examples of enhancing
opportunities include adding more resources to an activity to finish early.
Share. Sharing a positive risk involves allocating some or all of the ownership of the
opportunity to a third party who is best able to capture the opportunity for the benefit of
the project. Examples of sharing actions include forming risk-sharing partnerships, teams,
special-purpose companies, or joint ventures, which can be established with the express
purpose of taking advantage of the opportunity so that all parties gain from their actions.
Accept. Accepting an opportunity is being willing to take advantage of the opportunity if
it arises, but not actively pursuing it.
Some responses are designed for use only if certain events occur. For some risks, it is appropriate
for the project team to make a response plan that will only be executed under certain predefined
conditions, if it is believed that there will be sufficient warning to implement the plan. Events that
trigger the contingency response, such as missing intermediate milestones or gaining higher
priority with a supplier, should be defined and tracked. Risk responses identified using this
technique are often called contingency plans or fallback plans and include identified triggering
events that set the plans in effect.
Document the response action by describing the action, which work activities it will affect, and
the cost of the response action. Identify the person(s) responsible for successful implementation of
the response action. Also, consider the time impacts of the response action and how the risk
response may affect the overall project and/or other risks.
Select a response action – The project manager determines how to respond to each risk. The
action selected is influenced by the level of the risk. Table 9 provides simple response matrix and
Annex 2 offers examples.
[Table 9: simple response matrix. Surviving labels: "unexpected consequences"; "mitigate";
"Low"; "accept (enhance)"; "Impact".]
Expert Judgment
Expert judgment is input from knowledgeable parties pertaining to the actions to be taken on a
specific and defined risk. Expertise may be provided by any group or person with specialized
education, knowledge, skill, experience, or training in establishing risk responses.
Refer to sections 2.1.3 and 2.2.3 for controls and constraints for the qualitative risk analysis
process.
Schedule management plan. The schedule management plan is updated to reflect changes in
process and practice driven by the risk responses. This may include changes in tolerance or
behaviour related to resource loading and levelling, as well as updates to the schedule
strategy.
Cost management plan. The cost management plan is updated to reflect changes in process
and practice driven by the risk responses. This may include changes in tolerance or
behaviour related to cost accounting, tracking, and reports, as well as updates to the budget
strategy and how contingency reserves are consumed.
Quality management plan. The quality management plan is updated to reflect changes in
process and practice driven by the risk responses. This may include changes in tolerance or
behaviour related to requirements, quality assurance, or quality control, as well as updates
to the requirements documentation.
Human resource management plan. The staffing management plan, part of the human
resource management plan, is updated to reflect changes in project organizational structure
and resource applications driven by the risk responses. This may include changes in
tolerance or behaviour related to staff allocation, as well as updates to the resource loading.
Scope baseline. Because of new work generated (modified or omitted) by the risk
responses, the scope baseline may be updated to reflect those changes.
Schedule baseline. Because of new work generated (or omitted) by the risk responses, the
schedule baseline may be updated to reflect those changes.
Cost baseline. Because of new work generated (or omitted) by the risk responses, the cost
baseline may be updated to reflect those changes.
In the process of planning risk responses, several project documents are updated as needed. For
example, when appropriate risk responses are chosen and agreed upon, they are included in the
risk register. The risk register should be written to a level of detail that corresponds with the
priority ranking and the planned response. Often, the high and moderate risks are addressed in
detail. Risks judged to be of low priority are included in a watch list for periodic monitoring.
Updates to the risk register can include, but are not limited to:
Assumptions log updates. As new information becomes available through the application
of risk responses, assumptions could change. The assumptions log needs to be revisited to
accommodate this new information.
Change requests. Planning for possible risk responses can often result in recommendations
for changes to the resources, activities, cost estimates, and other items identified during the
planning processes. When such recommendations are identified, change requests are
generated and processed through the Perform Integrated Change Control process.
The instructions below provide the activities that shall be carried out for risk response:
General
The project manager may have little or no control over the external environment, but the project
team does have control over how it interacts with the situation. The project manager and the team
have control over their state of readiness; the team can look ahead, improvise and adapt. The
team can actively monitor significant project risks, including high-impact, low-probability risks,
and control the robustness of its response to identified risk events and the quality of its
documentation. Very importantly, the project manager has control over how earnestly risk
management is integrated into Construction Project Management Plans.
Monitoring and Control Risk is the process of implementing risk response plans, tracking
identified risks, monitoring residual risks, identifying new risks, and evaluating risk process
effectiveness throughout the project. The key benefit of this process is that it improves efficiency
of the risk approach throughout the project life cycle to continuously optimize risk responses.
Planned risk responses that are included in the risk register are executed during the life cycle of
the project, but the project work should be continuously monitored for new, changing, and
outdated risks. The Monitoring and Control Risk process applies techniques, such as variance and
trend analysis, which require the use of performance information generated during project
execution. Other purposes of the Monitoring and Control Risk process are to determine if:
Monitoring and Control Risk can involve choosing alternative strategies, executing a contingency
or fallback plan, taking corrective action, and modifying the project management plan. The risk
response owner reports periodically to the project manager on: the effectiveness of the plan; any
unanticipated effects; and any correction needed to handle the risk appropriately. Monitoring and
Control Risk also includes updating the organizational process assets, including project lessons
learned databases and risk management templates, for the benefit of future projects.
Constraints:
Enterprise Environmental Factors
Attitude of stakeholders towards risk management
Contract document and procurement legislation
Lack of experience in risk management
Lack of relevant input ideas
Inputs:
CP management plan
CP risk management plan
CP work performance
CP risk register
Outputs:
CP risk Monitoring and Control Information
CP management plan updates
Organizational process asset updates
Mechanisms
Competencies
The project management plan, which includes the risk management plan, provides guidance for
risk monitoring and controlling.
The risk management plan has key inputs that include identified risks and response directions to
the identified risks.
The risk response plan contains the identified risks and the associated responses, which are vital
for controlling risk.
Monitoring and Control Risk often results in identification of new risks, reassessment of current
risks, and the closing of risks that are outdated. Project risk reassessments should be regularly
scheduled. The amount and detail of repetition that are appropriate depend on how the project
progresses relative to its objectives.
Risk audits examine and document the effectiveness of risk responses in dealing with identified
risks and their root causes, as well as the effectiveness of the risk management process. The
project manager is responsible for ensuring that risk audits are performed at an appropriate
frequency, as defined in the project’s risk management plan. Risk audits may be included during
routine project review meetings, or the team may choose to hold separate risk audit meetings.
The format for the audit and its objectives should be clearly defined before the audit is conducted.
An example is included in Annex 2.
Many Monitoring and Control Risk processes employ variance analysis to compare the planned
results to the actual results. For the purposes of controlling risks, trends in the project’s execution
should be reviewed using performance information. Earned value analysis and other methods of
project variance and trend analysis may be used for monitoring overall project performance.
Outcomes from these analyses may forecast potential deviation of the project at completion from
cost and schedule targets. Deviation from the baseline plan may indicate the potential impact of
threats or opportunities.
Throughout execution of the project, some risks may occur with positive or negative impacts on
budget or schedule contingency reserves. Reserve analysis compares the amount of the
contingency reserves remaining to the amount of risk remaining at any time in the project in
order to determine if the remaining reserve is adequate.
Project risk management should be an agenda item at periodic status meetings. The amount of
time required for that item will vary, depending upon the risks that have been identified, their
priority, and difficulty of response. The more often risk management is practiced, the easier it
becomes. Frequent discussions about risk make it more likely that people will identify risks and
opportunities.
The RMP spreadsheet can be used; it provides an effective way to summarize project risk
management activities for projects that have conducted a quantitative risk analysis. The sample
spreadsheet is typically used for the most significant risks as determined through the quantitative
risk analysis.
Recommended corrective actions. These are activities that realign the performance of the
project work with the project management plan. They include contingency plans and
workarounds. The latter are responses that were not initially planned, but are required to
deal with emerging risks that were previously unidentified or accepted passively.
Recommended preventive actions. These activities ensure that future performance of the
project work is aligned with the project management plan.
If the approved change requests have an effect on the risk management processes, the
corresponding component documents of the project management plan are revised and reissued to
reflect the approved changes. The elements of the project management plan that may be updated
are the same as those in the process of planning risk responses.
Project documents that may be updated as a result of the Control Risk process include, but are
not limited to, the risk register. Risk register updates may include:
Outcomes of risk reassessments, risk audits, and periodic risk reviews. These
outcomes may include identification of new risks, updates to probability, impact,
priority, response plans, ownership, and other elements of the risk register. Outcomes
can also include closing risks that are no longer applicable and releasing their associated
reserves.
Actual outcomes of the project’s risks and of the risk responses. This information can
help project managers to plan for risk throughout their organizations, as well as on
future projects.
The risk management processes produce information that may be used for future projects, and
should be captured in the organizational process assets. The organizational process assets that
may be updated include, but are not limited to:
Templates for the risk management plan, including the probability and impact matrix and
risk register,
Risk breakdown structure, and
Lessons learned from the project risk management activities.
These documents should be updated as needed and at project closure. Final versions of the risk
register and the risk management plan templates, checklists, and risk breakdown structure are
also included.
3.1. Manual Adjustment
This CPRMM Manual shall be adjusted to conform to the specific requirements of projects in line with
their contractual obligations.
3.2. Manual Amendment
The CPRM Manual may be amended for errata and similar circumstances as and when
recognized.
The correction/improvement of this CPRM Manual shall be initiated by the Manuals Preparation and
Revision Standing Committee based on the feedback collected during the manual's three-year
operation period and the decision made by the ECPMI.
3.3. Manual Revision
This CPRM Manual shall be revised every three years unless otherwise required due to special
circumstances.
The revision of this CPRM Manual shall be initiated by the Manuals Preparation and Revision
Standing Committee based on the feedback collected during the manual's three-year operation
period and the decision made by the ECPMI.
ANNEXES