You are on page 1of 9

International Journal of Project Management 20 (2002) 49±57

Managing project risks: a case study from the utilities sector

Paul Elkington, Clive Smallman *
University of Cambridge, Trumpington Street, Cambridge CB2 1AG, UK

Received 20 January 2000; received in revised form 19 June 2000; accepted 13 July 2000

We examine the project risk management practices in a British utility, which manages its information systems and business
change projects using the Prince2TM method. This method has greatly increased the success rate of projects run within the company,
but has little in the way of directing Project Managers in handling project risk. We review current project risk management litera-
ture. We then explore the current usage of risk management in the utility's projects, and determine the e€ect of risk management on
project success. We conclude by outlining recommendations for improving projects run in the utility and elsewhere. # 2001 Elsevier
Science Ltd and IPMA. All rights reserved.
Keywords: Project management; Risk management; Utilities; Case study

1. Introduction detailed knowledge of business processes, and it is likely

that many potential risks are not even noticed [2].
In the last decade, British utility (water, power, and We present a study of project risk management prac-
telecommunications) companies have seen an unprece- tice in a British utility (henceforth `the Utility').
dented change to their businesses, a direct result of their
shift from the public to the private sector. The manner
in which utilities manage such change is increasingly via 2. Project management practices in the Utility
change programmes. These are either a large set of
changes to just business processes and computer systems, Until privatisation, the Utility was the monopoly
or changes to company culture and the attitude of its supplier and distributor of a public good throughout a
sta€. The majority are a mix of both. With signi®cant large region of Britain. Since ¯otation and the dereg-
strategic change being implemented by these programmes, ulation of their businesses, the Utility has diversi®ed in
project and programme management is becoming an attempt to attract new customers, whilst retaining a
increasingly important to the companies' survival, and strong presence in its traditional markets.
much e€ort and resource are being put into ``professio- Immediately after privatisation, engineers, many of
nalising'' the project approach undertaken. whom had joined at sta€ level, dominated the Utility's
The ``less predictable'' nature of projects makes them senior management. This encouraged a culture in which
riskier than day to day business activities. Hence, risk small multi-skilled teams e€ected infrastructure main-
management is an integral part of project management tenance; that is through projects. These ran using the
and most large companies put substantial resources into knowledge and experience of the engineers, rather than
the management of business risk. However, there is evi- formal methods of project management. Risk (usually
dence that a culture of risk management may not ®lter only technical systems risk) was considered, but mainly
down into every level of a company [1]. Consequently, on an ad hoc basis. Risk management consisted of over-
companies do not capitalise upon operational sta€'s engineering the infrastructure (using high speci®cation
components where lesser ones would have suced) to
e€ectively build technical risk out, but at massively
* Corresponding author. Tel.: +44-1233-766592; fax: +44-1223- increased costs.
339701. The engineering side of the business utilised informal
E-mail address: (C. Smallman).
project management; the rest did not. There were no
0263-7863/01/$20.00 # 2001 Elsevier Science Ltd and IPMA. All rights reserved.
PII: S0263-7863(00)00034-X
50 P. Elkington, C. Smallman / International Journal of Project Management 20 (2002) 49±57

formal project teams and the deliverables from the work risk is acceptable, and if not, what actions can be
were not always clear. The direction of process work undertaken to make the risk acceptable.
was largely ad hoc, as the leader of the work usually had
to continue their other duties alongside the changed The options of which action can be taken to make the
work. Such `Project Managers' rarely had training or a risk acceptable are:
¯air for directing project work. Not surprisingly, many
`projects' that incorporated business change failed to . prevention, where countermeasures are put in
deliver the bene®ts that were expected. place to stop the threat or problem from arising,
or to prevent it from having any impact on the
2.1. The development of a project ethos project or business;
. reduction, where actions either reduce the like-
In the early 1990s, the Utility was advised to undertake lihood of the risk developing, or limit the impact
large business changes by using speci®c programmes, and to acceptable levels;
to use projects under that programme structure. This . transfer of the risk to a third party, for example by
improved the control and overall direction of the business taking out an insurance policy or a penalty clause;
changes, and more bene®ts were realised than was pre- and
viously the case. . contingency, where actions are planned and orga-
However, following the failure of a major business nised to come into force as and when the risk
programme failed in the mid-1990s, senior management occurs.
decided that programme management in the Utility
needed to be more `professional'. The aim was to ensure Risk management is the second phase of the Prince2
that future programmes had the best sta€ available and management of risk framework. Its objective is to inte-
that training in Programme Management for senior sta€ grate the risks identi®ed in the risk analysis stage into
was provided. As part of this training, it was realised that the project management. This is achieved through:
the Project Manager level of sta€ in the programmes planning the countermeasures identi®ed in the risk ana-
were key to the success of each project and therefore the lysis stage; identifying and allocating resources to carry
programme, and that this level of sta€ must also receive out the risk avoidance work; monitoring against the
formal training and quali®cations in Project Management. plans that the actions are having the desired e€ect on
The project management method, Projects in Con- the risks; and controlling to ensure that the planned
trolled Environments 2 (Prince2) [3] was chosen, as it was events actually happen.
a generic project management method. Nearly 100 sta€ Other methods identi®ed also seem to follow the same
were trained in the method, including members of the broad approach to risk management. Page [4] writes
Information Systems Division (ISD) Programme Services that risk management should be broken into four
section, which also recruited experienced programme stages, that of comprehensive risk identi®cation of all
managers. The section manages some business change sources of risk, objective analysis of their signi®cance,
programmes and o€ers advice to the rest of the company. planning appropriate responses and the management of
those responses.

3. Risk management in projects 3.1. Risk identi®cation

In Prince2, risk is categorised into two types. Project Risk identi®cation appears to be the least mentioned of
risk is de®ned as threats directly to the project, such as the risk techniques. It is, however, the most important
supplier issues, organisational issues and resource stage of risk analysis, as no work can be done on risks
issues. Business risks are those that may a€ect the that no one has discovered. Risk identi®cation requires
delivery of the bene®ts to be gained from the project, for divergent thinking on the part of the project manager, to
example the risk that the business case will become identify potential risks at each stage of the project, but
invalid due to changes in the market in which the com- this investigation is easier if guidelines are set.
pany operates. Chapman and Ward [5] state that risk identi®cation is
The process of managing risk begins with risk analy- both important and dicult, and that it calls for `some
sis, which is designed to pick up and gain detail on both creativity and imagination'. The identi®cation process
business and project risks, and consists of: can be made more ecient if the skills and experience of
others can be harnessed. They recommend directed
. risk identi®cation to determine potential risks; thinking approaches, such as interviews of individuals
. risk estimation to determine the importance of or groups, brainstorming or using checklists. Overall,
each risk, based on its likelihood and impact; and they attempt to put more detail into the method of
. risk evaluation, which decides whether the level of identifying risks. However, unless it is carefully examined
P. Elkington, C. Smallman / International Journal of Project Management 20 (2002) 49±57 51

and broken down as above, it appears complex, and this The CCTA [6] take the process further by recom-
is its main failing. mending that the estimation phase is an iterative one,
The CCTA's [6] approach is a more detailed version and that the estimates should be clari®ed and improved
of that in Prince2. However, the process is, again, very on an ongoing basis.
technical and structured: set the proper context and Again, Chapman and Ward [5] appear to have
perspective for the analysis; gather information on risks; thought through the mechanics of the assessment of the
classify risks based on their causes. likelihood of a risk occurring. However, as with risk
The CCTA [6] approach is procedurally precise, and identi®cation his process is highly technical. Chapman
answers the question `how do I identify risk?' However, it and Ward [5] suggest the use of incremental scenario
does not necessarily o€er users the right information or planning to determine both the likelihood and impact of
the whole picture, and does not mention the imagination a risk. This means determining the maximum and mini-
or creativity necessary for e€ective risk identi®cation. mum impacts of the risk, and then using incremental
The process directs the project manager to use product steps to decide the impact of scenarios between the
or activity-based planning, and then to look at the risk maximum and minimum impact. The same approach is
of each product. The weakness is that risks may not be then used to assign a probability to each scenario. The
based on products of the project. approach also encourages several passes of each stage,
Chapman and Ward [5] note that project managers to re®ne the thought process. Chapman and Ward [5]
should also be aware of `positive' risks. Most experienced describe methods of probability assessment that will
project managers focus on the risk of late delivery, improve the estimates made above, these include frac-
overspend and poor quality in the project products, but tile, relative likelihood and probability distribution
early delivery can also cause signi®cant problems. Even functions.
products that are not on the critical path for the project
can cause problems if they are delivered early. 3.3. Risk evaluation

3.2. Risk estimation The CCTA [6] take a three-step approach to the eva-
luation stage of the risk management process:
Risk estimation is the Prince2 term for determining
how important the risk is, (potential impact), and what 1. Assess the risks against risk indicators and deter-
the likelihood is of the risk occurring. The CCTA [6] mine the acceptability of each. This step, unlike
further de®ne the estimation process to be the like- Prince2, suggests that risks may be `grouped' and
lihood, consequence and timing of the risk. have their impact assessed together.
It appears that writers do not want to approach this part 2. Generate alternative paths of action for risks that
of risk management. Dembo and Freeman [7] discuss the do not meet the acceptability criteria. This step is
philosophy of risks and on how to decide if a risk is worth e€ectively the ®rst stage of the Prince2 method of
taking, but always seems to start by stating a probability determining what action to take with the risk. This
associated with a risk. They have the `luxury' of operating step also recommends that the project manager
in the world of ®nancial risk, where vast statistical should return to the classify risk and cause step if
databases instruct probability. Project managers operating necessary for further information.
outside of ®nance, facing operational risks, constantly try 3. Sort risks into ®nal order of priority and cross-
to decide the chances of an identi®ed risk occurring. Some reference to the identi®ed risk reduction options.
use historical project data, and others use unwritten The ®nal step sets the actions that the project
past experience, but in many cases, the likelihood of a manager will take to manage the risk.
risk occurring is derived by means of an educated guess.
Prince2 o€ers no advice to project managers on risk Chapman and Ward [5] view the evaluation stage as
estimation. However, it appears to recognise the di- central in the risk management process. Throughout,
culty project managers face, as it recommends that the they emphasise that the stages should be used, as
risk register only has the three bands of high, medium necessary, to improve the information on a risk and its
and low likelihood of occurrence, and does not expect management. Looping back into other phases of the
an accurate appraisal. The area of assessing the impact analysis will be necessary to clarify and reassess the
of the risk on the project has even less advice, but simply risks. This approach is more detailed than the Prince2
identi®es that some measure should be made. or the CCTA [6] methods, and identi®es four speci®c
The CCTA [6] advise that the project manager should steps to the evaluation process:
assess the qualitative likelihood of the risk occurring,
but does not o€er up any methods by which to do it. 1. Select an appropriate subset of risks. This is where
The `consequences' section does, however, introduce the risks are grouped into subsets that are appropriate
notions of time-delimited risks and time-expiring risks. to the project.
52 P. Elkington, C. Smallman / International Journal of Project Management 20 (2002) 49±57

2. Integrate the subset of risks. For each risk identi- that might explain project success based on the e€ects of
®ed in the subset, the probabilities and impacts are risk (see Fig. 1).
integrated. Depending on the risk type, the e€ects Every project has di€erent risks, and indeed di€erent
of the risks should be added, multiplied, sub- levels of risk, so to measure the amount of risk man-
tracted or divided, from which graphs of cumula- agement undertaken by a project manager without
tive probability against cumulative cost are ®rstly examining the project risk pro®le of the project
calculated. would compromise the integrity of the results. More
3. Portray the e€ect. This allows the project manager speci®cally we identify the following with the risk pro®le:
to show the combined e€ect of the risks under study.
4. Diagnose the implications. Look again at the 1. Business risk is a measure of the risk placed on the
accuracy and sensitivity of the risk to internal and project by the business section or sections to which
external in¯uences. the project was delivering.
2. Procurement risk determines the risk of the sup-
Chapman and Ward [5] again introduce a detailed pliers that are used in the project. A supplier that
and well thought out method for risk evaluation, they is new to the company, or one that has a variable
introduce the concept of evaluating and assessing the reputation about its delivery of projects will pre-
risk as groups, and then determining the impact on the sent more risk to the project.
project in a cumulative manner. 3. Management risk measures the level of support
What can Chapman and Ward [5], the CCTA [6] and given to the project by both the business manage-
others o€er the Utility? First we explore where the Uti- ment and the project board management. It also
lity is now. has a measure to determine the management
approach of the project manager. Higher risk
scores are given if the project is not using a formal
4. Implementation of current risk management procedures project management technique for example.
in the utility 4. Technical risk allows a measure of the technology
used in the project, and its complexity, it also
4.1. Study framework questions the project manager's level of experience
with the technology. Either a new technology or
Based on the Utility's approach to project management an inexperienced project manager will increase the
and on elements of the theory we derived a framework risk score.

Fig. 1. Risk related determinants of project success.

P. Elkington, C. Smallman / International Journal of Project Management 20 (2002) 49±57 53

Assessing how and when risk management was applied business environment. If the project timing was in¯u-
during the project helps determine items such as the enced by external factors, the project was deemed to
formality of the risk process, the frequency of the formal have more risk. If the project manager to the time scale
risk management processes being carried out and the set was constrained, the risk score was increased. An
monitoring and control applied to the risk process. unstable environment is likely to generate scope changes,
More speci®cally we identify: and therefore the risk score is increased. The procure-
ment issues section questions the project manager on the
1. Brief risk management, which measures the level of e€ectiveness of suppliers. The management issues section
risk management undertaken at the Project Brief draws out the relationship with the business and factors
stage. such as the project resources and the project approach.
2. Initiation risk management, which measures the Any sign of the business or the users not fully supporting
level of risk management undertaken at the Project the project increases the risk score. The ®nal section of
Initiation stage. the project risk pro®le determines if the technology used
3. Stage risk management, which measures the level in the project is new, or if it is well established. New
of risk management undertaken during the ongoing technology is deemed to increase the project risk.
project stages. The next section of the questionnaire evaluates how
4. General risk management, which questions the much risk management the project manager undertook.
project manger about their training in, and atti- The Prince2 method of project management has distinct
tude to risk management. stages that the project manager must undertake, for
each of those stages, the method recommends using
To determine if management of risk has an in¯uence on certain risk management activities. The amount of risk
the project outcome, each project must have its success level management used in this section is referred to as the
measured. The objective was to determine the success of the usage score. The higher the usage score that each pro-
project in measurable terms. The project success calculation ject attains, the more risk management was used. The
was devised by a small group of project managers, in an importance of using risk management throughout the
attempt to grade the importance of the delivery of the project life cycle varies, so throughout the questionnaire
project to time, on budget and delivering the agreed the maximum score available in each subsection varies, to
bene®ts: represent this importance. The project brief sub-section
®rstly determines if the project was initiated with a
…c:d† ‡ f project brief, and if this stage of the project was carried

t:b out at all. If the ``start up'' phase of the project was
used, the project manager then completes the next ®ve
where S is success (project delivering agreed bene®ts, on questions to determine how and to what extent risk
schedule and to budget), c is the status of project com- identi®cation and risk evaluation were used. It is
pletion, d represents level of bene®ts delivered, f is an important to understand the di€erence between identi-
estimate of the project manager's satisfaction with the ®cation and evaluation, risk identi®cation means cap-
conduct of the project, t represents performance against turing the possible risks and logging them, but no other
schedule, and b represents performance against budget. work is done on the risk. Risk evaluation means thinking
through the risk, and determining data such as the like-
4.2. The instrument lihood and impact of the risk occurring. To ensure that
the questionnaires were ®lled in correctly, each project
The overall aim of the questionnaire1 was to strike the manager was given a written de®nition of these terms,
balance between gaining the relevant information about and their understanding con®rmed. The next subsection
the project whilst not presenting the project manager concerns the Project Initiation Document. This contains
with too much work to do to complete the ques- the business case for the project, and de®nes the objec-
tionnaire. tives of the project (and how they will be achieved). In
The project risk pro®le was assessed using a simple the project initiation stage, the ®rst two questions check
weighted scoring method. The higher the total risks score the conformance to the project method. The next three
the higher the project risk. The risk pro®le questions questions again check the level at which risk identi®ca-
ensure that the main Prince2 method elements were in tion and evaluation were carried out.
place. If they were not, the amount of measured project The running of the project was examined in the next
risk was increased. The business issues section of the subsection. We sought to determine how and if risk
pro®le determined several aspects of the project life management was used in the project. The project man-
cycle relating to scheduling and the stability of the agers felt that this subsection was a complicated one to
grade. On one hand the risk identi®cation at this stage
Available from the authors. in the project life cycle was probably easier, as the risks
54 P. Elkington, C. Smallman / International Journal of Project Management 20 (2002) 49±57

were being highlighted by actually doing the project the ``gut feel'' of how successful a project would be seen
work. On the other hand though, the risk evaluation as under the current business climate.
was as important here as in the project initiation stage,
but the amount of time in which to react to the risk was 4.3. Sample and response
probably shorter than if the risk had been seen at an
earlier stage. This led the project managers to believe A questionnaire was sent to each of the 20 project
the evaluation and reaction to the risk was more managers throughout the company. From that 20, seven
important than at the Project Initiation Stage. project managers responded that they had not com-
The ®nal section of the questionnaire asks questions pleted a project through the entire project life cycle, and
to determine the project managers knowledge of risk were unable to complete the questionnaire, a further
management, and their attitude to it. After much dis- two stated that their projects had been service projects,
cussion, the project managers determined that the atti- and the bene®ts appraisal had not been carried out. One
tude of the project manager towards risk in¯uenced the project manager asked for a further questionnaire,
e€ective use of it. The ®rst two questions determine if therefore, 12 questionnaires were completed. Upon
the project manager is aware of any formal techniques examining the data, two questionnaires had to be dis-
of risk management other than those used in Prince2. carded, as they were not suciently complete. There-
These questions do not have high scores attached to fore, 10 completed questionnaires were analysed.
them, as the managers may try their best with risk
management despite not having formal training. The 4.4. Analysis
next ®ve questions go some way to determining the
project managers attitude to the area of project risk In orthodox academic research, working with so few
management. They highlight if the risk work done during observations can be dicult, although in essence each
the project was seen as useful or just as a part of the observation represents a mini-case study of project risk
method that should be used. management practice. However, traditional methods of
The ®nal section investigates if the project was a success. statistical analysis are largely in applicable to such small
It is rarely the case that projects are a complete success data sets. In particular, the application of multivariate
or failure, so this section asks the project manager to analysis is particularly dicult in these circumstances.
what extent the project succeeded. This information will Hence, we chose not to analyse the relationship between
be used in conjunction with the data from the previous success and risk types, and the level of risk management
two sections to discover if there is a link between the undertaken. Instead, our analysis is based on observa-
amount of risk management used and the success of the tion and discussion between colleagues and ourselves.
project. The ®rst question asks if the project was com- More data would allow the use of predictive methods.
pleted as planned. The next ®ve questions ask the project That said, we remind the reader that this work is pre-
manager to state how well the project did against its sented as a case study of one company's experiences. We
planned delivery. The measures here are the bene®ts, the regard this as a starting point for encouraging further
time and the cost. It is important to get all three mea- discussion on project risk management, and certainly
sures to determine the success, as it is possible to com- not ``de®nitive research''. Hence, we advise caution in
plete a project to time, and to budget, but not actually the interpretation of our ®ndings, but would also point
deliver any of the expected bene®ts for the business. The to the value of reporting what is essentially a feasibility
®nal question in the questionnaire asks the project study, which breaks ground for further work.
manager to summarise how they feel the project went,
this is a valuable question, as all the previous questions 4.5. Findings
determine what the results were by the end of the pro-
ject. Projects can sometimes run very badly, but in the Initial analysis of the overall results (see Table 1)
end they come together and the objectives are met, this revealed that one project is very di€erent from the oth-
®nal question allows scope for the project manager to ers: project questionnaire number nine has a project
summarise the feeling of the project throughout its life pro®le risk of 31, a level of risk management of 18, and
cycle. a project success score of 81. These numbers apparently
The overall success factor of the project was the most go against the trend presented by the other projects. It is
dicult to grade. The importance of the three factors of interesting that the project success score is ranked
delivered bene®ts, cost and time will be di€erent in fourth overall, with a relatively high score of 81, but the
every company, and to some extent also di€erent for project risk pro®le ranks the project as the second most
each project within that company. Many options to risky, and that the level of risk management applied is
determine the overall success of the project were dis- the lowest of all the projects measured. By far the most
cussed by the project managers, and some data were interesting fact is, that despite the success of the project
created to attempt to create a formula which represented as measured against bene®ts, time and cost, the manager
P. Elkington, C. Smallman / International Journal of Project Management 20 (2002) 49±57 55

of this project chose to state that only ``some parts also does not appear to have much of an in¯uence on
[were] successful'' in the project. It appears that project the outcome of the project, as medium and low risk
number nine was delivered successfully by the project projects vary in their positions of success.
manager, but it could have been more by luck than Technical risk however does present a small pattern,
judgement. Due to the nature of this project, the analy- with all of the low risk projects being more successful
sis was reworked, excluding the distortions introduced than either high or medium risk projects. The questions
by this project. asked in the technical risk section of the questionnaire
There is a weak relationship between the amount of determine how new the technology is, how complex the
project risk and the level of risk management (r=0.63). project technical architecture is, and how experienced
Comparison of risk management and project success the project manager is with that speci®c technology. It
shows a strong link (r=0.80 at the 95% con®dence appears that within the Utility projects, project man-
level). Hence, the more risk management undertaken in agers can manage business, procurement and manage-
a project, the higher the chance of project success. ment risk, but if they are not experienced in the
Comparing the amount of project risk and the level of technical elements of the project, the chance of the pro-
success shows a strong relationship (r=0.73), and this ject succeeding is reduced.
suggests that the riskier the project manager thought the The results from the questionnaire were broken into
project was at the start, the less the project succeeded. subsections for the level of risk management under-
Alternatively, due to the nature of the data gathering, taken. Table 3 shows the results, and again project nine
(all assessments were done after the completion of the has been excluded.
projects), it may be that if project managers felt they Managing risks in one stage of the project is likely to
had not done well in the project, they graded the project a€ect the management in the next stage. The amount of
riskier at inception. risk management undertaken in the Project Brief stage
Dividing the amount of project risk by level of risk of the project appears to be directly linked to the success
management corrects for any extra risk management the of the project. The order of the amount of e€ort put in
project manager put into the project, because they at this stage matches the order of the project success
thought the project was risky from the outset. Compar- score. During the initiation stage of the project, the ®ve
ing this ratio with the success rate for a project gives a
more accurate picture of the risk:success relationship.
Table 2
The result from this analysis must be approached with Risk type and project success
caution. The two measures of level of risk management
and amount of project risk are not ``scaled'' (the max- Project Business Procurement Management Technical Success
number risk risk risk risk score
imum scores are not the same, and the amount of
activity needed for a high or low score for each is likely
to be di€erent). That said there is a strong link between 3 High Medium Low Low 105
risk and the level of success (r=0.80). Hence, riskier 1 High Medium Medium Low 100
7 Medium Low Low Low 92
projects seem to do less well, even if more risk manage- 4 Medium Medium Low Low 62
ment is applied. 8 High Medium Low Medium 58
The level of business risk does not have a strong 6 High Medium Low High 44
bearing on the success of the project, with high business 2 High Medium Medium Medium 28
risk projects being both successful and unsuccessful (see 5 High Medium Low High 18
10 High High High Medium 0
Table 2). The level of procurement or management risk

Table 3
Table 1 Level of risk management undertaken
Overall results
Project Brief Initiation Project General Success
Project Risk score Management score Success score number stage stage stages score

1 26 39 100
2 26 25 28 3 High High High Medium 105
3 23 45 105 1 Medium High High Medium 100
4 19 40 62 7 Medium High Low Medium 92
5 29 33 18 4 Medium Medium Medium High 62
6 28 31 44 8 Medium Medium Medium Medium 58
7 17 32 123 6 Low High Medium High 44
8 25 32 58 2 Low Low High Low 28
9 31 18 81 5 Low High High High 18
10 38 20 0 10 Low Low Low Medium 0
56 P. Elkington, C. Smallman / International Journal of Project Management 20 (2002) 49±57

most successful projects had either high or medium Whilst our ®ndings point to general areas that could
amounts of e€ort put into the risk management. How- bene®t from further analysis, the limitations of both the
ever, the rest of the order does not have a pattern, so it analysis and the interpretation of the questionnaire
appears that the initiation stage alone does not deter- should be considered. The signi®cant statistical rela-
mine the success of the project. The amount of project tionship between the level of risk management and the
risk management during the project stages also has no level of project success may be as a result of the man-
de®nite pattern. Finally, no obvious pattern is seen in agers who undertook the project. Further study into all
general risk management indicating that the areas of the elements of the way in which the project were run would
project managers' attitude to risk do not overly e€ect have to be undertaken to determine if one element
the success of the project. improved the project success rate fundamentally.
Further analysis reveals that the success of the project The pattern that the level of risk management under-
is greater. If more risk management is applied. More taken at the project brief stage would in¯uence the level
particularly the greater the risk management at the early of success of the project may also be due to a more
Project Brief stage of the project, the more likely the thorough approach to project management. This area of
project is to succeed. It appears that this pattern does project management could also be investigated
not develop just due to the extra scores attained by The level of technical risk in the project a€ecting the
using risk management earlier in the project. Projects results could be due the fact that all the projects were
that show high amounts of risk after the Project Brief reported after completion. Perhaps project managers,
stage do not seem to ``catch up'' with those who start when looking back on a dicult or unsuccessful project,
early on in the project. This can be seen best in projects tried to justify the diculty by increasing the technical
four, eight, six and ®ve. Projects four and eight both risk. There are alternative explanations. Whilst all pro-
have medium e€ort put into risk management at the ject managers in the Utility are now trained in Prince2,
brief stage, followed by medium e€ort in the two the method does not speci®cally teach risk management
remaining stages. These projects both rank above pro- skills. So more experienced project managers may have
jects six and ®ve in the success score rating. Project six developed risk management skills that make their pro-
has a low rating for the risk management at the Project jects more successful. Also, Prince2 states that the early
Brief stage, and the following stages are high and then parts of the project are important, and the extra e€orts
medium rated, project ®ve again has a low ®rst stage score, put into risk management at the project brief stage may
but is followed by two high ratings for the later stages. increase the overall success of the project. Finally it
Hence, projects that undertake risk management at should be noted that methods of dealing with problems
the earliest stages of the project will have more chance with both business and management risk are highlighted
in succeeding. If the project managers that assisted in in Prince2, and procurement risks are dealt with by legal
the weightings for the level of risk management knew of departments within the Utility. Technical risk is the
this information, they may not have stated that this only section highlighted in the questionnaire that a
early Project Brief stage was not as important as the project manager cannot easily get help with.
ones to follow. This may in turn have shown a stronger It is essential that the risks of a project be assessed at
link between the total risk management in the project, the Project Brief stage. Risks identi®ed here will not only
and the level of the projects success. help the production of the necessary project products, but
will increase the chance of overall project success. The
current process that the Utility uses for risk management
5. Conclusions is weak and an alternative should be used. Chapman
and Ward [5] o€er some ideas, but the complexity of much
We have identi®ed that there is a strong link between of their suggested framework may prove too complex for
the amount of risk management undertaken in a pro- any organisation where project management is not a
ject, and the level of success of the project, more suc- fully mature discipline. The CCTA [6] also o€er ideas,
cessful projects use more risk management. Also the but their approach su€ers from similar problems. How-
earlier that risk management was used in a project, the ever, adapting these approaches and ®tting them with
more successful it was. Furthermore, eight of the project our ®ndings, we have derived the following approach.
managers felt that they could bene®t from further
training in risk management, highlighting that the 1. Risk Identi®cation is mostly informal, and a check-
Prince2 method is weak in this area. The structured list of things to think about is most appropriate:
project management approach of Prince2 has brought
many improvements to the way in which the Utility (a) identify the risks obvious to you ®rst, and write
runs projects, but it should be seen a the latest them down;
improvement rather than the overall answer to the pro- (b) think of the who, why, what, which way,
ject management skills in the company. wherewithal and when of the project, and at
P. Elkington, C. Smallman / International Journal of Project Management 20 (2002) 49±57 57

each step, identify possible risks; 4. Act: prevent, reduce, transfer, plan for con-
(c) identify risks that come from the actual run- tingencies, or accept.
ning of the project cycle, such as resources and 5. Keep doing it.
(d) identify positive risks, such as early delivery of We would observe that the issue of project risk man-
products, as well as negative risks; agement is surely common to a greater or lesser extent
(e) be imaginative, it is easy to remove risks later in many organisations. Moving the practice of project
on in the process, but much harder to manage risk management forward, therefore, is important. Fur-
ones you did not see. thermore, the London Stock Exchange' risk reporting
(f) risk identi®cation is more easily done in small requirements (following the development of the Com-
groups or informal interviews to get others bined Code on Corporate Governance [2]), means that
involved. it is imperative for all organisations to get to grips with
risk in all of its forms.
2. Risk estimation
(a) assess the likelihood, consequences and timing
of the risks identi®ed; [1] Perkins P. Project risk management Ð brought to fruition.
(b) likelihood information can be improved by International Risk Management, 17 May 1999.
conferring with other managers and using sce- [2] Smallman C. The risk factor. Financial Times Mastering Man-
agement Review 1999;30:42±5.
[3] CCTA. Managing successful projects with Prince2. London: The
(c) timing of the risks is important; Stationary Oce, 1996.
(d) consequences should be identi®ed, and if pos- [4] Page Y. No change at the top Ð world's top 40 risk management
sible the cost of the consequence calculated; survey. International Risk Management, 1998, June, 32.
(e) clarify and improve the estimates. [5] Chapman CB, Ward SC. Project risk management, processes tech-
niques and insights. Chichester: John Wiley and Sons Ltd, 1997.
[6] CCTA. An introduction to managing project risk. London:
3. Risk Evaluation. Risks should be examined both HMSO, 1995.
individually and for their combined impact on the [7] Dembo RS, Freeman A. Seeing tomorrow, rewriting the rules of
project. risk. New York: John Wiley and Sons, 1998.