Project Risk Management

Lab Manajemen Konstruksi, FTSPK-ITS

2020
RISK MANAGEMENT

◼ Introduction to risk management

◼ Risk and Risk Management
Concept
◼ Risk Identification
◼ Risk Analysis
◼ Risk Response
Introduction to risk management
 Risk Management

• Risk management is seen as managing response rather

than responding to risk event after they happen.
• Risk management It is defined as the systematic
application of management policies, procedures and
practices to the tasks of communicating, establishing
the context, identifying, analysing, evaluating, treating,
monitoring and reviewing risk (AS/NZS 2004).
Proyek konstruksi terkenal dengan 3D
 Risk definition
• Uncertainty event or set of situation, if it

happen, will effect achievement of project goal

(APM, 1997).
• Project risk is the cumulative effect of the
chance of uncertain occurrence adversely
affecting project objectives.
 Risk vs Uncertainty
Risk
◼ Risk is measurable
uncertainty
◼ Unknown event drawn from
a known set of possible
outcomes
◼ repeatable events
◼ synonymous with threats
◼ unwelcome negative effects
Uncertainty
◼ Uncertainty is un-
measurable risk
◼ An unknown event from
unknown set of possible
outcomes
◼ non-repeatable events
 Three elements of risk
◼ the event itself : an incident or situation that
might occur at a particular time in a project
◼ its probability: the likelihood that a risk will
occur
◼ its impact: the consequence or effect on the
project if that risk does occur
 Risk Level Measurement
▪ Risk is analyzed based on its two components, namely likelihood and
consequence (impact).
▪ In a simple form can be expressed as below:

▪ If the level of risk is proportional to each of its two components

consequence or likelihood) the risk function is essentially a product.
This can be shown mathematically as:

▪ If consider complicating factor such as a non-linear relationship between

utility and the value of consequence, can be expressed as follow:
Risk Level Measurement (Cont’d)

◼ The level of the risk or expected value of the risk is

measured in terms of its probability and its impact
(ICE and FIA, 1998).
R = f (P, I)
◼ Example: If risk A occurs, there is a 5% probability of
losing £ 1,000,000, and if risk B occurs, there is a 5%
probability of losing £ 10,000.
◼ Thus, the level of risk A is £ 50,000; this is higher
than the level of risk B, which is £ 500.
 Types of risks
◼ Pure or speculative
•Pure risk, involves a situation that can only cause a loss, and it is
normally insurable. e.g.: accident, fire.
• Speculative risk describes a situation that involves a chance of loss
or gain. e.g.: business
◼ Static or dynamic
• Static risks, tend to occur regularly over time and are generally
predictable. e.g.: storm accident.
• Dynamic risks, on the other hand, are those that arise from the
external environment and the management’s. e.g.: environment
change, technology.
◼ Particular or fundamental
• Particular risks involve losses that arise out of individual events.
e.g.: a robbery at a bank.
• Fundamental risks involve losses that are caused by economic,
social and political aspects. e.g.: war, inflation and unemployment.
Risk Classification in Project (Tah and Carr 2001)
 Several Guidelines in
Risk management

• Australian and New Zealand Standard (AS/NZS ) (1999a): Risk

Management. Standards Association of Australia.
• Project Management Institute (PMI) (2000): A Guide to the Project
Management Body of Knowledge. Pennsylvania.
• APM (Association for Project Management) (1997): Project Risk
Analysis and Management. Norwich Norfolk: The APM group Ltd
• ICE and FIA (Institution of Civil Engineering and Faculty and Institute
of Actuaries) (1998) RAMP : Risk Analysis and Management for
Projects. London: Thomas Telford.
 Risk Management Framework/Process

• Risk management framework/process is also called as

risk management method.
• Generally, risk management framework consist of four
steps:
• Risk Identification
• Risk Assessment/Analysis
• Risk Response
• Risk Monitoring
Risk management framework (AS/NZS 2004)
Risk management framework (AS/NZS 2004)

1. Establish the Context →set the scope of analysis, structure of

the analysis and define criteria for risk evaluation.
2. Identify → where, when, why and how events could prevent
3. Analyze → determine consequence and likelihood and the level
of risk
4. Evaluate → compare estimate level of risk against pre-establish
criteria.
5. Treat Risk → develop and implement specific strategies and
action plan for increasing potential benefit and reducing
potential cost.
6. Communicate and Consult → to internal and external
stakeholders regarding to risk management process as whole.
7. Monitor and Review → for continues improvement
8. Record the Risk Management Process
 Risk Identification
◼ This is the first stage of the risk management process and this is an

important phase because if a risk is not identified, it might not be

analysed and managed in the next steps

◼ Risk identification aims to identify the important types and causes

of risk and uncertainty that may have a significant effect on the
project goals (ICE and FIA, 1998), whether they can be controlled
and also documenting their characteristics.

◼ PMBoK (2004) defines risk identification as “Determining which

risks might affect the project and documenting their characteristics”.

22
Approaches/Techniques for Identifying Risk

1. Documentation Reviews
2. Information Gathering Technique:
a. Brainstorming
b. Delphi Technique
c. Interviewing
3. Checklist Analysis
4. Diagramming Technique
23
 Risk Identification Output

The output of the risk identification process is

Risk register (see example), which consist of:
a. List of identified risks → including root causes and
uncertain project assumption.
b. List of potential responses → may be identified
during risk identification process.
c. Root causes of risks → fundamental condition or
event that may give rise to the identified risk
d. Updated risk categories → amendment based on
the risk identification process.
24
Risk Register Example

25
Risk Register Example
IDENTIFIKASI RISIKO

Penyebab Kejadian (√)

Kode Kegiatan/
Jenis Kejadian Faktor Eksternal
Kesalahan
Pekerjaan Faktor Internal
Manusia
Bencana Alam Non Alam

1
1.1
1.2
….
….
2

26
Risk Assessment /Risk Analysis
/Risk Estimation
 Definition

• Risk analysis is the process of evaluating identified

risks (and opportunity) to discover their magnitude,
whether they merit a response, and how responses
should be prioritised in the light of limited resources
(Loosemore at al. 2006).

• Risk analysis is about developing an understanding of

the risk. Risk is analysed by combining consequences
and their likelihood. (AS/NZS 2004).
 Risk Analysis Types

• Flanagan &Norman (1999) and PMBoK

(2004) classify the analysis as 2 types:
• Qualitative.
• Quantitative analysis.

• AS/NZS (2004) and Loosemore (2006)

classify the analysis as 3 types:
• Qualitative.
• Semi-quantitative.
• Quantitative.
 A. Qualitative Risk Analysis

• Qualitative analysis may be used as initial screening

activity to identify risks which require more detailed
analysis.
• Qualitative risk analysis includes methods for prioritizing
the identified risks for further action, such as quantitative
risk analysis or risk response planning (PMBoK ,2004).
• Qualitative analysis uses words to describe the magnitude
of potential consequences and the likelihood that those
consequences will occur (PMBoK, 2004)
• A qualitative analysis of risks and opportunities using
qualitative or descriptive scales such as high, medium, and
low (Loosemore et al. 2006).
Qualitative Risk Analysis Tools
(PMBoK , 2004)

• Probability and Impact matrix

• Risk Probability and Impact Assessment
• Risk Data Quality Assessment
• Risk Categorization
• Risk Urgency Assessment
 Conducting Risk Analysis using
Probability-Impact Matrix
◼ Common approach to determine the level of risk (PMI,
2000).
◼ Probability and impact of the risk are assessed and plotted
on a two-dimensional grid.
◼ The matrix specifies combinations of probability and
impact that lead to rating the risks as low, moderate, or
high priority.
◼ The organization should determine which combinations of
probability and impact result in a classification of high risk
('red condition'), moderate risk ('yellow condition'), and
low risk ('green condition').
 Risk Factors
◼ All project risk are characterized by the following
three risk factors:
Risk Event Level = Risk Probability X Risk Impact

◼ Risk Event
◼ Precisely what might happen to detriment of the project.
◼ Risk Probability
◼ How likely the event is to occur.
◼ Risk Impact
◼ The severity of the consequences.
 Steps in Analysing Risk Using Probability
Impact Matrix
◼ Step 1
◼ Set up a matrix to match a percentage (probability of risk) to a ranking
number. Department project managers often use the matrix shown
below, but they can set up a different matrix if it would better suit the
project.

Risk Probability Ranking

Ranking Probability of Risk Event
5 80–99%
4 60–79%
3 40–59%
2 20–39%
1 1–19%
◼ Step 2
◼ Set up a matrix to match the objective (time, cost, and scope) to a
defined impact. Department project managers often use the impact
numbers shown in the matrix below, but they can choose others if it
would better suit the project.

Evaluating Impact of a Risk on Major Project Objectives

Impact 1 2 4 8 16

Obj Time Insignificant Delivery plan Delivery plan Delivery plan Delivery plan
ecti schedule milestone delay milestone delay of milestone delay of milestone
ve slippage within quarter one quarter more than one quarter delay outside
fiscal year

Cost Insignificant <5% cost increase 5–10% cost increase 10–20% cost increase >20% cost
cost increase increase

Scope Scope decrease Changes in project Changes in project Sponsor does not Scope does not
is barely limits or features limits or features with agree that scope meet purpose
noticeable with <5% cost 5–10% cost increase meets the purpose and need
increase and need
 Probability & Consequences
What Is the Likelihood the Risk Will Happen?
Level Your Approach and Processes...
1 Not Likely: ...Will effectively avoid or mitigate this risk
Likelihood

based on standard practices

2 Low Likelihood:
3 Likely:
4 Highly Likely:
5 Near Certainty:
...Have usually mitigated this type of risk with
minimal oversight in similar cases
...May mitigate this risk, but workarounds will be
required
...Cannot mitigate this risk, but a different
approach might
...Cannot mitigate this type of risk; no known
processes or workarounds are available

Given the risk is realized, what would be the magnitude of the impact?
Level Technical Schedule Cost
1 Minimal or no impact Minimal or no impact Minimal or no impact
Consequence

2 Minor perf shortfall, Additional activities Budget increase or

same approach
retained
3 Mod perf shortfall,
but workarounds
available
4 Unacceptable,
but workarounds
available
5 Unacceptable; no
alternatives exist
required; able to meet
key dates
Minor schedule slip;
will miss need date
Program critical path
affected
Cannot achieve key
program milestone
unit production cost
increase <1%
Budget increase or
unit production cost
increase <5%
Budget increase or
unit production cost
increase <10%
Budget increase or
production cost
increase >10%
◼ Step 3
◼ Combine the data from the two previous steps. Each risk appears in its
own probability and impact (PxI) matrix.

Translate Score Time, Cost, and Scope Objectives

to Risk Rank
Large Aversion to High & Very High Impacts
Score Risk
Probability
1–6 Low
7 – 14 Moderate 5 5 10 20 40 80
15 – ++ High 4 4 8 16 32 64
3 3 6 12 24 48
2 2 4 8 16 32
1 1 2 4 8 16
1 2 4 8 16

Impact
 Summary Risk Analysis process
RISK RATING
5 L M H H H
Level Process Variance/ HIGH

LIKELIHOOD
Probability of Occurrence 4 L M M H H
1 Minimal/Remote
2 Small/Unlikely 3 L M M H H
3 Acceptable/Likely MODERATE
4 Large/Highly Likely
5 Significant/Near Certainty
2 L L L M M
1 L L L M M
LOW
1 2 3 4 5
CONSEQUENCE

Level Performance Schedule Cost

1 Minimal or No Impact Minimal or No Impact Minimal or No Impact

2 Acceptable with some Additional resources required; <5%

reduction in margin able to meet need dates
3 Acceptable with significant Minor slip in key milestone; not 5-7%
reduction in margin able to meet need dates
4 Acceptable, no remaining Major slip in key milestone or >7-10%
margin critical path impacted
5 Unacceptable Can’t achieve key team or major >10%
program milestone
Tools for Quantitative Risk Analysis
(PMBoK,2004)

• Expected Monetary Value (EMV)

Analysis
• Decision Tree Analysis
• Sensitivity Analysis
• Modeling and Simulation
 Risk Response
• This is a phase to develop several strategies to
minimize significant negative effects or maximize the
opportunities.
• It includes identifying alternative actions, assessing
those actions and applying them.
• the purpose of this stage is to enable the decision
maker to make considered responses in advance of
the risks occurring.
 Basic Approach to manage risk
◼ Risk Control
◼ Risk Avoidance
◼ Loss reduction prevention (mitigation)
◼ Risk Transferred
◼ Risk Finance
◼ Acceptance/Retention (self-insurance and
funding)
◼ Contractual transfer (not considered as
risk control device)
◼ Commercial insurance.
 Risk Avoidance
◼ Risks are usually avoided if the effects of the risks on the
project are very high, and to eliminate or minimize them
would be very difficult.
◼ For example, a contractor may decide not to bid because the
project involves very high risk.
◼ May be a result of corporate policy regarding type of work
(not their corporate business).
◼ In the case potential benefit is higher than potential loss,
risk exposure can be avoided by redesign, further site
investigation, alternative contract strategies, etc.)
◼ Avoiding one risk can create another risks with higher
potential losses.
◼ The contractor’s view on risk avoidance changes overtime.
 Loss reduction and risk prevention
(mitigation)
 Directed towards decreasing the contractor’s
exposure to potential risk by two ways:
 Reducing the probability of risk. Ex: installation
of anti-theft device on construction equipment
may reduce the chance of theft.
 Reducing the financial severity of risk. Ex:
Building sprinkler system may reduce the
financial severity caused by fire.
 Loss prevention programs are important as can
also effect on insurance premium.
 Risk Retention (Acceptance)
 Risks retention is a financial plan within the firm to meet
its loss exposure.
 Potential losses related to a risk are directly absorbed by
the firm.
 There are two type of risk retention:
 Planned: conscious and deliberate assumption of
recognised risks by the contractor (ex: funded self-
insurance program called reserve fund or contingency
cost).
 Unplanned: when a contractor does not recognise or
identify the existence of risk and unconsciously assumes
the loss that could occur
 Risk Transfer (Non insurance or
contractual transfer)
 It is useful and popular in construction.
 Risks can be transferred or shared to another
party, who will take responsibility for the
consequences of the risk that has been
transferred.
 It is possible whenever contractor enters into a
contractual arrangement with various parties such
as an owner, sub-contractors or material and
equipment suppliers.
 The risks are shared with or totally carried by a
party other than the contractors.
 Risk Transfer (con’t)

 But this method has some limitations:

• The contract may transfer only part of the risk that the
firm thought it had shifted to someone else.
• The contract language may be so complex that is
extremely difficult to understand.
• If the transferee is unable to pay the losses transferred,
the transferor must pay the loss it thought had shifted
to someone else.
 Insurance
◼ Protection against potential financial losses
provided by an insurer (insurance company).

◼ The difference between insurance and transfer

is that insurance only shifts the financial
potential consequences of the risk, whereas
transfer also involves shifting responsibility for
the risk.
 Risk Monitoring

◼ Risk monitoring, is used to ensure that the actions

implemented work properly.
◼ It is a system of keeping records of the identified risks,
monitoring the risks that occur and their effect on the
project, and then controlling the implemented actions and
evaluating their effectiveness in minimizing risk.
 Risk Monitoring (Con’t)

 The outcomes from risk monitoring include: an

update to the risk response plan and a risk
database.
 Whether risk has occurred or not, together with
any actions taken to deal with the risk should be
documented and evaluated and placed into the
risk database.
 This will help the project team in the learning
process about risk for future projects