Professional Documents
Culture Documents
Project Risk Management 1661018577
Project Risk Management 1661018577
Project Risk
Management
Leadership Series 9
kpmg.com/nz
Project risk management is frequently overlooked yet is one of the more critical elements
to successful project delivery. Generally, delivering a project’s defined scope on time and
within budget are characteristics of project success. Unfortunately, these success factors are
often not achieved, especially for large complex projects where both external influences and
internal project requirements may change significantly over time. Project risk management is
a continuous process of identifying, analysing, prioritising and mitigating risks that threaten
a projects likelihood of success in terms of cost, schedule, quality, safety and technical
performance. Organisations and owners often consider project risk management activities as
“nice to have” on a project rather than as a core component of project controls. Additionally
there is some confusion between organisations and project teams as to what exactly
constitutes risk management activities.
In this paper, we provide a standard
framework for risk management and
discuss implementation techniques for
projects of all types and sizes. This should
provide you with a better understanding
of how to address the following challenges:
Construction owners, project teams and 4. Response planning; and »» Assigning roles and responsibilities
contractors often define and apply risk 5. Monitoring and control. related to risk management activities;
management activities differently on a identifying and defining requirements
project. Owners may use informal or ad 1. Strategy and planning for project stakeholders regarding risk
hoc practices, such as stage gate approval, management activities;
Strategy and planning activities set
that they interpret as risk management »» Establishing common risk categories for
the foundation for a risk management
activities, contractors may define risk identified risks. Categories can wither
programme and ultimately determine
management as tracking potential be based on common industry risks
whether the initiative is successful.
change orders, and project teams may or on the organisations risk categories
During the strategy and planning phase
express the view that “everything we do (e.g. construction, financial, operations,
an organisation will define how risks are
is risk management”. While all of these governance etc); and
addressed and managed. Strategy and
activities help to identify and manage
planning should take into consideration: »» Developing a risk matrix and assigning
discrete elements of project risk, they
do not fully describe a comprehensive »» Corporate or enterprise-wide risk risk ratings to identify risks. The risk
approach to project risk management. A management guidelines (including matrix should define risk ratings based
comprehensive project risk management tolerance level for risk); on probability and impact by taking into
approach should have the following account the organisations risk tolerance.
2. Risk identification 3. Analysis 4. Response planning
Risk identification is the identification of all The analysis phase determines the Response planning is the phase where
possible risks that could either negatively or likelihood and impact of each identified the project team develops response
positively affect the project. It is important in risk and prioritises risks for management actions and alternative options to reduce
the risk identification process to solicit input attention. Successful risk analysis requires project risks. Project teams use response
from all project stakeholders including those objective thinking and input from those planning to decide ahead of time how they
outside of the core project team. Potential most familiar with the area affected by the will address possible risk occurrences and
contributors to risk identification include: possible risk. Analysis is typically a two- how they will avoid, transfer, mitigate or
step approach: accept project risks. Response planning
»» Project team members (planners,
must take into consideration available
engineers, architects, contractors etc);
Step 1 – Qualitative analysis resources and potential repercussions
»» Risk management team members; of the response plans. The goal of
For the qualitative analysis, the project
»» Subject matter professionals response planning is to align risks with
team assigns a priority level (e.g high,
(IT, Safety, Legal etc); an appropriate response based on the
medium, low) to each risk. The priority level
severity of the risk along with cost, tie and
»» Customers (internal and external); should be aligned with the organisations
feasibility considerations. Risk response
risk management plan, risk tolerance level
»» End users; and planning includes:
and other organisational objectives. The
»» Organisation management priority levels can be used to rack the risks »» Assigning responsibility for identified
and leadership. on the risk register and develop efficient risks to appropriate project team
response plans that focus attention on members or stakeholders. It is
Successfully capturing all project risks
items with a higher priority. It is important imperative that the assignment takes
increases with frequent communication
to identify all potential risks that will into consideration the individual’s
and feedback amongst team members
require follow up by the project team. capability to address specific risk areas.
and stakeholders. These discussions
Assigning a risk to someone who has
should attempt to identify inaccuracies,
Step 2 – Quantitative analysis little or no knowledge of a risk area is
inconsistencies and assumptions regarding
not an effective risk planning approach.
the project. The resulting product of these For the quantitative analysis, the project
working sessions should be the initial list of team assigns a most likely cost value to »» Developing a response plan to address
identified risks. each identified risk. This value takes into the identified risk. This process should
consideration both the probability and be iterative and include all stakeholders
From the initial list of identified risks, a risk
potential impact of the risk event occurring. affected by the risk. Common options for
register or log can be populated to ensure
Determining probability and impact can a response include:
that all risk items are analysed, prioritised
and monitored. Risk registers should typically result from a variety of exercise including: ÌÌ Avoidance – modifying the project plan
include the following fields: »» Interviews – gathering impact and to avoid the potential condition
probability data for a range of scenarios or occurrence
»» Risk type;
(e.g optimistic, most likely and ÌÌ Transference – shifting the
»» Description; pessimistic) consequences and responsibilities
»» Cost impact; »» Decision trees – comparing the associated with the risk to a third
»» Probability; probability of risks and rewards party (often accomplished by
between various decisions contractual agreement)
»» Risk level;
»» Model simulations – conducting a ÌÌ Mitigation – taking preventative
»» Possible responses; and project simulation in order to quantify action to reduce the probability of risk
»» Action owner. potential impacts to the project. occurrence or impact on the project
ÌÌ Acceptance – proceeding as planned
and accepting the outcome of a risk.
»» Finalising and documenting the various
risk responses identified by each
responsible party. The plan should
clearly define the agreed upon response
for a risk, the responsible party, results
from both the quantitative and qualitative
analysis and a budget and timeframe for
the risk response.
5. Monitoring and control
The final step of risk management is if monitoring and control reveals that an the project. However, without a risk
monitoring and control. This process should identified risk is unlikely to materialise, management diminished. The two case
be set up to track potential risks, oversee the the plan can be adjusted to re-prioritise studies below help demonstrate the
implementation of risk plans, and evaluate the risk to a lower level. value and benefit of a comprehensive
the effectiveness of risk management risk management process.
procedures. Monitoring and control should Potential benefits of risk management
occur throughout the project lifecycle and Embedding risk management into
Although a well designed and well executed
help improve and guide the overall risk day-to-day activities
risk management process can significantly
management process. This step should: reduce the risk of failure, the benefit of Effective risk management is typically
»» Equip management and the project team performing a comprehensive risk analysis achieved when an organisation undertakes
to make informed decisions regarding risk; may be costly and burdensome for smaller an active commitment to integrating risk
projects with limited complexity. As noted management into their project protocols
»» Evaluate the effectiveness of risk
earlier in this paper, risk management and controls. Primary considerations for
response actions; and
processes should be scalable to the size and an organisation to establish an effective
»» Identify risk characteristics that appear to complexity of an organisations programme plan include:
have changed from what was documented or project. To achieve this, an organisation
»» Allotting appropriate resources to
in earlier identification and analysis stages. should consider defining a baseline set of
perform risk management activities;
procedures to apply to all projects along
Monitoring and control is essential
with more rigorous set of procedures for »» Creating an environment that embraces
for maintaining effective and efficient
high-value, complex projects. and promotes risk management
risk management, it is a barometer for
and actively encourages and pursues
determining how well your risk management The value of risk management has
risk management at all levels of the
plan is designed. If monitoring and control traditionally been a difficult concept
organisation; and
reveals certain risks are not being mitigated to quantify. Many organisations and
or avoided as planned, then an adjustment project teams understand the risks as »» Clearly defining and training personnel
can be made to the response plan. Likewise, they impact their respective roles on on risk management controls.
Risk description: In order to commission the building at the completion of construction, the
utilities needed to be connected to the utility system (gas and electric). Throughout the project,
the team could not get a commitment from the utility company for when they would complete the
connection. This risk was never communicated beyond the project team and there was no analysis
of the impact for a delay or an alternative plan developed to address the risk.
Impact: The risk ultimately did occur and resulted in the need for temporary generators,
an increase in the contractor’s general conditions and several months delay to the
project completion.
Risk description: During the design and planning stages of the project, a decision was made to
rely on a geotechnical report that was 30+ years old and in a different location than the planned
bridge foundations. The engineers designing the bridge understood this as a risk; however there
was no process in place to capture this risk and quantify or communicate the risk to project
leadership or to the team responsible for managing the construction phase of the project.
Impact: The bedrock in the actual location of the bridge foundations was substantially different
than the geotechnical report indicated. This resulted in a complete redesign of the foundations
and several months delay on the project. The financial impacts were greater than $30 million.
ons
This In both case studies, the risks were well known by the project teams and could have been
specific avoided or mitigated if a risk management process would have been in place. Having a risk
cts. management process would have allowed the organisations to track, quantify, plan and
communicate the risks to individuals with the capability to help mitigate or avoid the risk.
Developing a risk management process
KPMG’s Project Advisory services are KPMG applies leading concepts Project Advisory Services can assist
objective, professional approaches to and practices, supported by: organisations to generate significant
managing the many risks associated › Experienced practitioners cost savings by minimising poor
with major change: risks that involve selection decisions, costly overruns,
› Recognised best practices
complexity, technology, governance, misalignment with business needs,
selection and management of vendors › Effective tools and templates poor quality deliverables and
and partners, implementation of › International standards failed projects.
solutions and acceptance of change › Built-in knowledge transfer
throughout the organisation.
Contact us
kpmg.com/nz
© 2014 KPMG, a New Zealand partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss
entity. All rights reserved. Printed in New Zealand. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely
information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without
appropriate professional advice after a thorough examination of the particular situation. 00403