A Comprehensive Approach To Dynamic Project Risk Management
Alberto Sols
Abstract: A large percentage of projects suffer performance, cost, and/or schedule problems. There are many reasons why projects fail, including an inadequate approach to risk management. Inadequate approaches result when a comprehensive identification of risks is not performed at project commencement, when risk assessment fails to consider important aspects, when no subsequent follow-up is carried out for mitigation strategies adopted, when no further identification of risks during project execution is completed, or a combination of these occurs. A number of publications have dealt with different facets of risk management, but not in a comprehensive way. This article compiles the approaches applied and observed by the author based on 25 years of industry experience; these observations were synthesized and result in a procedure for dynamic risk management successfully applied to a number of projects. The use of a broad array of techniques is suggested to identify risks, which are then thoroughly analyzed. The assessment was performed using a comprehensive array of criteria. The complete set of criteria included essential ones such as aggregability factor, triggering factor, early warning, immediacy, and recoverability. The thorough assessment was done dynamically. The initial assessment enables the adoption of the most adequate mitigation strategies, which later on are dynamically validated. New risks are also detected and dealt with dynamically throughout project execution. The main contribution of this work is the synthesis of state-of-the-art knowledge into a state-of-the-practice procedure, which can be applied by engineering managers in all sectors and in all phases of project execution.

Keywords: Project, Dynamic, Risk, Management

EMJ Focus Areas: Program and Project Management; Decision and Risk Management

The problems and challenges faced by society are evolving fast and are rising to unprecedented levels of complexity. Technologies are also maturing and changing rapidly, impacting and reshaping our world. That, in turn, brings new opportunities and poses new challenges. To cope successfully with that environment, engineering managers need a solid foundation in risk management. Many projects are troubled, exhibiting problems in performance, costs, and/or schedule. Poor risk management is one cause of troubled projects. The systems approach to project management requires that a global view of the managed project be exercised. Risk management is an essential part of project management and even in projects in which risks are systematically addressed, the state of the practice has significant shortcomings. This article presents a procedure for dynamic risk management based on the personal experience gathered by the author over more than 20 years of project management, mainly in the defense sector. The procedure was developed using a systems engineering approach. In particular, this approach has a specific goal, uses a global view and feedback, and is dynamic in identifying the goal and the effectiveness of the developed solution (Blanchard & Blyler, 2016; Blanchard & Fabrycky, 1981; Sage, 1992).

A broad array of complementary techniques for risk identification were identified. The procedure starts looking first into the human dimension, with tips for fostering the right atmosphere in a project for real-value-adding risk management, and then moves on to the technical dimension. Some guidelines are given for better risk identification. The largest contribution of this article is the comprehensive approach to the assessment of identified risks, which facilitates risks filtering and adoption of mitigation strategies.

Literature Review

There is abundant literature on troubled projects and on risk management. Nevertheless, the state of the practice is insufficient, as reflected by the large percentage of projects that exhibit performance, cost, and/or schedule problems. Those problems have been documented in previous studies. Troubled projects usually exhibit early warning signs, not always duly perceived by project managers (Kappelman, McKeeman, & Zhang, 2007). There are many reasons why projects may fail to achieve their desired goals, as a number of studies have surfaced (Kappelman et al., 2007; Pinto & Mantel, 1990; Zuofa & Ochieng, 2014). The Standish Group CHAOS yearly report on software projects is particularly notorious. Of over 50,000 projects analyzed in 2015, 19% were considered as failed, 52% as challenged, and only 29% as successful. These levels of failed and challenged have remained reasonably stable over the last 5 years (Standish Group, 2015). Nevertheless, the reports of the Standish Group have received some criticism, mainly that their definitions of successful and challenged projects have four major problems: they are misleading, one-sided, adulterate the estimation practice, and result in meaningless figures (Eveleens & Verhoef, 2010). As perceived by the author of this article throughout more than 25 years of experience in several industry domains, there is widespread perception among engineering managers that too many projects, at least among those of significant technical complexity, fail to unfold as planned and desired, resulting in unacceptable losses. The large percentage of troubled projects suggests an insufficiently adequate approach to project management and to poor risk management practices.

Risks can be identified through a combination of product-based techniques, such as Failure Mode, Effects and Criticality Analysis (FMECA), Fault Tree Analysis (FTA), as well as process-based techniques, such as Level of Protection Analysis (LOPA) or the Swiss Cheese Model (Altabbakh, Murray, Grantham, & Damle, 2013).

Risks should not be addressed as stand-alone events. It is essential that cross-interactions between perceived risks be addressed. Moreover, new systems often bring unintended, negative consequences. From the early stages of a project, the system engineer must search for unintended consequences of the system under design. That search will likely increase safety,

[Exhibit 1 (flowchart of the procedure; figure not reproduced). Boxes recoverable from the figure, in order from "Project start". Initial risk management: Step 1, Foster the right risk atmosphere; Step 2, Identify initial risks; Step 3, Complete a comprehensive risk assessment; Step 4, Prioritize assessed risks; Step 5, Develop preliminary mitigation strategies; Step 6, Group mitigation strategies. Ongoing risk management: Step 7a, Follow-up on risks and on adopted mitigation strategies; Step 8c, Re-group mitigation strategies; Step 9, Identify ongoing risks; decision "Project end?" (Y/N); Step 10, Compile, register and disseminate risk-related lessons learned at project closure.]

(namely, certain risks are undertaken) even if they can cause an avoidable loss, but only if the possible degree of loss seems to be acceptable (Luhmann, 1993). Consequently, when there is a need or convenience for compressing the schedule in a project, certain risks will have to be undertaken. The pivotal point for the engineering manager is to have a clear understanding of what those risks are and how they can be mitigated. To mitigate is to make less severe or painful. Therefore, to mitigate a risk is either to reduce (or even eliminate) the probability that the risk happens and/or to diminish the impact of the risk consequence, should it materialize.

The developed procedure consists of 10 steps. It is important to notice that these steps are to be performed in a way that, in most cases, implies a significant departure from usual practices. A flowchart showing the steps to be carried out is depicted in Exhibit 1. The following sections describe the essence of how these steps are to be carried out.

Foster the Right Atmosphere

The first thing for an engineering manager to do, to deal with risks in a way that adds real value and contributes to project success, is to foster the right culture and atmosphere. That means that every team member should perceive that he or she is seen as a true asset, capable of contributing to identifying, assessing and mitigating risks, in an environment in which psychological safety reigns. Team members must be comfortable expressing their thoughts and concerns about the project (Garvin, Edmondson, & Gino, 2008). That demands that a proper failure culture is instilled, led by example by the project manager and the top managerial layers in the firm. In every project, failure is an option except in its very final stage (Slegers et al., 2012). Every failure offers a unique opportunity for learning and frequently, without certain failures, there can be no project success. The important thing is to capitalize on all lessons learned, including the suffered failures. When the factor of concern is risk, knowledge of failures and mistakes is an essential piece. It should come as no surprise that knowledge of failures and mistakes are among the least likely to be openly shared by project team members. Penalizing team members for reporting mistakes and failures will disrupt the risk management process (Davenport & Prusak, 2010). Nobody enjoys failures. Yet, in many complex projects and endeavors, success can be achieved only when mistakes happen and are duly capitalized upon. That creates a climate where team members feel that it is safe to fail (Syed, 2014). If this atmosphere is not created, risk management will not render its full potential, no matter what techniques or methods are applied. A pure technical approach to risk management will not be fully successful if the human side has not been adequately brought into the picture. Creating such environment and culture is a sine qua non condition for excelling at risk management.

Identify Initial Risks

It is necessary to identify risks that may prevent project goals from being reached, those that could imply some unacceptable damage to people, to the firm, or to society at large, despite the project goals having been met. The objective is to generate an exhaustive list of the risks with potential for project disruption, in its broadest sense. Six key actions should be undertaken for a comprehensive risk identification strategy: (1) consider the nature of the project, (2) consider all types of risks, (3) be exhaustive in the risk identification effort, (4) look to bottlenecks, (5) look to external sources of risk, and (6) consider the potential side effects of mitigation strategies if adopted.

It is advisable to consider the classification of the project using the Novelty, Technology, Complexity and Pace (NTCP) framework (Dvir, Raz, & Shenhar, 2003; Shenhar & Dvir, 2007). The project NTCP classification, also known as project diamond, will help to identify risks that are more likely to happen due to the nature of the project.

Identifying all types of risks is facilitated by following an appropriate risk taxonomy. One taxonomy suggested by the

Risk Attributes
Likelihood Description
1 Non-detectable: Even if the risk materializes, it will go unnoticed to the project manager and/or team members for a sufficiently long time (compared to the project timescales); eventually, everything becomes known
2 Very seldom detectable: If the risk materializes, it is unlikely that it will be perceived by the project manager and/or team members in a reasonably short timescale (compared to the project timescales)
3 Detectable in some cases: If the risk materializes, there is a reasonable probability that it will be perceived by the project manager and/or team members in a reasonably short timescale (compared to the project timescales)
4 Detectable in most cases: If the risk materializes, it is very likely that it will be perceived by the project manager and/or team members in a reasonably short timescale (compared to the project timescales)
5 Always detectable: Even if the risk materializes, it will always be perceived by the project manager and/or team members in a reasonably short timescale (compared to the project timescales)

Time elapsed, $t_i$: Time that has spanned from the moment the risk was identified until the present time, if the risk has not been prevented or transferred to a third party willing to undertake it

Risk aggregability of two risks, $r_i$ and $r_k$: The capability that risks have of yielding consequences, when risks materialize reasonably concurrently in time. The consequences are much more severe than the consequence if any risk were to materialize alone. Risk aggregability is formulated as follows:

$$a_{i,k} = \begin{cases} 1 & \text{if } s_{i+k} \gg s_i \text{ and } s_{i+k} \gg s_k \\ 0 & \text{otherwise} \end{cases}$$

The risk aggregability factor for risk $r_i$, denoted as $af_i$, is the ratio of the number of risks that are aggregated with $r_i$, over the total number of pairs of risks that contain $r_i$. If there are $n$ risks, $af_i$ is calculated as follows:

$$af_i = \frac{\sum_{k=1}^{n} a_{ik}}{n-1}$$

Risk $r_i$ capable of triggering risk $r_k$: A risk $r_i$ is said to be capable of triggering risk $r_k$ if $r_i$ materializes and implies that the likelihood of risk $r_k$ taking place increases substantially. It is denoted as $t_{ik}$ and defined as follows:

$$t_{ik} = \begin{cases} 1 & \text{if } r_i \text{ (ith risk) happening implies that } l_k \text{ (likelihood of kth risk) increases substantially} \\ 0 & \text{otherwise} \end{cases}$$

Risk chain is a subset of risks $(r_i, r_k, \ldots, r_m, r_n)$ such that $t_{ik} = \ldots = t_{mn} = 1$ and such that $s_n$ is unacceptable. That is, a risk chain is a subset of risks in which each one can trigger the following one, the consequences of the last risk in the chain being unacceptable. The rationale is that, whereas some risks may be acceptable, they could trigger others in a chain reaction, leading to a risk of unacceptable consequences.
The trigger factor of risk $r_i$, denoted $tf_i$, is the product of the number of risk chains that can be initiated by $r_i$ times the total number of downstream risks in the initiated chains

Early warning: Risk $r_i$ is said to have an early warning when it is possible to anticipate its materialization based on unfolding events

Immediacy: The consequences of risk $r_i$ are immediate if they take place concurrently in time with the materialization of the risk

Recoverability: Risk $r_i$ is said to be recoverable if it is technically and financially possible for the project to regain the state it had prior to the materialization of the risk

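
The aggregability factor and the risk-chain definition above can be worked through on the aggregation blocks and triggering relations reported in the article's case study. The following Python sketch is an added example, not code from the article or its author; the function names, the total of n = 17 risks, and the set of risks treated as having unacceptable consequences are assumptions made for illustration.

```python
from itertools import combinations

# Constructed input, transcribed from the case-study narrative in this article.
# ASSUMPTION: the case study has n = 17 risks, r1..r17.
RISKS = [f"r{i}" for i in range(1, 18)]

# Blocks of risks judged to have much worse consequences together than alone,
# i.e. a_ik = 1 for every pair inside a block.
AGGREGATION_BLOCKS = [{"r1", "r2"}, {"r6", "r12", "r15"}, {"r7", "r14"}]

# Triggering relation: t_ik = 1 for every (r_i -> r_k) listed here.
TRIGGERS = {"r8": ["r5"], "r5": ["r9"], "r10": ["r14", "r17", "r11"]}

# ASSUMPTION: risks whose consequences are unacceptable (possible chain ends).
UNACCEPTABLE = {"r9", "r11", "r14", "r17"}


def aggregated_pairs(blocks):
    """Return the set of unordered pairs {r_i, r_k} for which a_ik = 1."""
    pairs = set()
    for block in blocks:
        for a, b in combinations(sorted(block), 2):
            pairs.add(frozenset((a, b)))
    return pairs


def aggregability_factor(risk, risks, pairs):
    """af_i = (sum over k != i of a_ik) / (n - 1)."""
    n = len(risks)
    if n < 2:
        raise ValueError("at least two risks are needed to form a pair")
    hits = sum(
        1 for other in risks
        if other != risk and frozenset((risk, other)) in pairs
    )
    return hits / (n - 1)


def risk_chains(start, triggers, unacceptable):
    """Enumerate chains (start, ..., r_n): each risk triggers the next one and
    the last risk has unacceptable consequences. Cycles are not followed."""
    chains = []

    def walk(path):
        for nxt in triggers.get(path[-1], []):
            if nxt in path:          # guard against circular triggering
                continue
            new_path = path + [nxt]
            if nxt in unacceptable:
                chains.append(tuple(new_path))
            walk(new_path)

    walk([start])
    return chains


def chain_summary(start, triggers, unacceptable):
    """Return (number of chains initiated, number of distinct downstream risks),
    the two quantities that enter the trigger factor tf_i."""
    chains = risk_chains(start, triggers, unacceptable)
    downstream = {r for chain in chains for r in chain[1:]}
    return len(chains), len(downstream)


if __name__ == "__main__":
    pairs = aggregated_pairs(AGGREGATION_BLOCKS)
    for r in ("r1", "r6", "r14", "r3"):
        print(r, "af =", aggregability_factor(r, RISKS, pairs))
    for r in ("r8", "r10"):
        print(r, "chains, downstream =", chain_summary(r, TRIGGERS, UNACCEPTABLE))
```
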
and its effects can impact whether or not additional mitigation actions are taken. For sake of simplicity, this attribute of immediacy of consequences is also binary (yes/no). Consider for example the risk of losing a very knowledgeable and valuable team member. One scenario is that that person, assumed to give a 3-month notice (common in many countries), announces one day that he or she is leaving the company, which permits the taking of actions to transfer knowledge, train a replacement, and reduce the impact of his or her leaving the project. On the other hand, if that person suffers an accident, contracts a disease, or any other equivalent situation that leaves him or her immediately grounded, the project manager has no time to react. In both scenarios, the likelihood of that situation happening is low, but the difference in the immediacy of the consequences makes the second scenario much more worrisome than the first.

Finally, recovering from risks that have actually happened is sometimes difficult and often times recovery is not possible. This attribute, of recoverability from a materialized risk, is binary (yes/no). Let us consider again the previous case. From a recoverability point of view, it is clear that if a very talented and key team member suffers an unfortunate accident or contracts a disease, hopefully sooner rather than later that person will be back, bringing again his or her knowledge, skills, and experience. On the contrary, there is no way back (exceptional circumstances aside) when that person leaves the company. That loss in knowledge, skills, and experience is permanent. The mitigation strategy to be adopted for an identified risk, ceteris paribus, should depend on risk recoverability or capability for returning back to the initial condition, after the risk has materialized. Once risks have been assessed, they have to be prioritized.

Prioritize Assessed Risks

Prioritization of the assessed risks is also a fundamental step and is to be undertaken at the beginning of a project. A number of risks will be identified at the beginning of a project. During project execution, new risks will exist. Not all identified risks represent the same capacity for project disruption. Therefore, it is essential that risks be prioritized, based on assessments. Prioritizing assessed risks paves the way for selecting appropriate mitigation strategies. The use of thresholds helps in prioritization. For each of the nine attributes, the project manager and the team define a lower and an upper threshold. For each attribute x, there will be a lower threshold xl and an upper threshold xu. An ABC classification or sorting of risks is performed, based on the values of the nine attributes for each identified and assessed risk. The most important risks, or Class-A risks, are those for which the severity of the consequences, the aggregability factor,

3 – Reliability of functional tests
  r11 Accept as good boards that are actually defective (testing error type II)
  r12 Test manager leaves the company shortly before the FAI
  r13 Damaging a board when placing the board in the bed of needles
4 – Reliability of visual inspections
  r14 Failure to spot quality-wise unacceptable soldering of components due to lack of appropriate training and education
  r15 Quality manager leaves the company shortly before scheduled FAI
  r16 Lack of analysis of the causes of the detected errors and of implementation of the necessary changes to increase the robustness of the manufacturing and inspection processes
  r17 Inconsistencies between quality inspectors in decisions based on visual examinations of board batches

Risk Attributes
Vol. 30 No. 2
r17 Inconsistencies between quality inspectors in decisions based on visual examinations of board batches
  I: 2 3 3 N Y Y –
  2M: 3 3 3 N Y Y –
2018

Exhibit 10. Mitigation Strategies Adopted for Selected Risks

developing technical manuals

r12 Test manager leaves the company shortly before the FAI
  r12 ms1, Initial: Reduction – Hold a meeting with the test manager to assess his overall degree of satisfaction with the company, aiming at identifying any potential issues of his concern or dissatisfaction, if so then take the appropriate and feasible actions
  r12 ms2, Initial: Reduction – Ask the test manager to identify a qualified senior technician in the test department and have him follow up closely all the test activities related to the contract
  r12 ms3, Initial: Contingency – Should the test manager leave, the identified senior technician would be immediately appointed to take over the responsibilities as new test manager

r14 Failure to spot quality-wise unacceptable soldering of components due to lack of appropriate training and education
  r14 ms1, Initial: Reduction – Increase the training in visual inspections, in order to further develop the skills of the inspectors (specially those of the new recruits) and reduce the likelihood of failure to spot quality-wise unacceptable soldering of components
  r13 ms2, Initial: Reduction – Implement a 2-month mentor project in which each senior inspector takes responsibility for mentoring two junior ones, in order to share with them skills and tacit knowledge, to help them go faster up the learning curve

r17 Inconsistencies between quality inspectors in their decisions in visual examinations of board batches
  r17 ms1, Initial: Reduction – Conduct special sessions chaired by the quality manager at which boards picked at random were inspected by several technicians, who would then exchange their perceptions, seeking to harmonize their assessments and interpretations
  Updated, 2 months into the project: Reduction – Organize a workshop to be taught by a recognized expert in the IPC A 610 standard, at which the end customer is invited as observer, to strengthen the knowledge and correct interpretation of the standard, as well as to achieve a higher degree of homogeneity in the assessments done by the inspectors

4 areas are summarized in Exhibit 8. The assessment of these identified risks is summarized in Exhibit 9. Two risk chains were identified. In the first risk chain, risk r8 (late reception of long lead time components) could trigger risk r5 (suboptimized development of the assembly manual), which could then trigger risk r9 (inconsistencies between operators in the application of the assembly manual). The severity of the consequences of r9 was far worse than those of r8. Since one chain could be triggered resulting in two downstream risks, triggering factor for risk r8 is tf8 = 2. In the second risk chain, risk r10 (failure of new recruitments passing IPC A 610 exam) could trigger risk r14 (failure to spot quality-wise unacceptable soldering of components due to lack of appropriate training and education), risk r17 (inconsistencies between quality inspectors in decisions based on visual examinations of board batches), and risk r11 (accept as good boards ones that are defective – testing error Type II). Since three chains could be triggered by risk r10, resulting in a total of three downstream risks, the triggering factor of risk r10 is tf10 = 3.

Furthermore, three blocks of risks that could be aggregated were identified. If risk r1 (purchase of components from unauthorized suppliers) and risk r2 (inadequate incoming quality inspection of received components, allowing defective or wrong components to be accepted into the inventory) were to happen together, negative consequences would occur. If risk r6 (production manager leaves the company shortly before the FAI), risk r12 (test manager leaves the company shortly before the FAI), and r15 (quality manager leaves the company shortly before the FAI) were to happen simultaneously, the negative consequences to the project would be substantial. Third and final, if risk r7 (damaging a board when manually soldering the filter) and risk r14 (failure to spot quality-wise unacceptable soldering of components due to lack of appropriate training and education) were to happen simultaneously, the consequences to the project would also be substantial. In these cases of aggregated risks, the consequences of the simultaneous materialization were assessed subjectively by the project team. In all cases, the consequences were considered to be much more negative than those consequences of any of these risks that could happen individually.

Next, initial mitigation strategies were identified and selected. Exhibit 10 shows the strategies chosen for selected risks. Given that the FAI had to be held within the first 6 months, after 2 months into the project a reassessment was conducted, to validate the goodness of the adopted mitigation strategies and to ascertain if there were new risks or changes to risks previously identified. The assessment concluded that the strategies had produced the desired results, but the risk of inconsistencies between quality inspectors in decisions based on visual examinations of board batches (r17) was now perceived as more likely to happen, based on gathered data by the quality inspectors. This is reflected in Exhibit 9, in the rows indicated by 2 months into the project. A new mitigation strategy was adopted, as shown in Exhibit 10, in the row indicated by 2 months into the project. The risk management approach was very successful. All adopted mitigation strategies yielded the desired results and the FAI was successfully passed at the first attempt. Furthermore, the ongoing risk management contributed substantially to the successful deliveries of boards and harnesses as established in the contract schedule.

Implications for Engineering Managers

Bringing projects to a successful end is the responsibility of engineering managers. Achieving project goals requires a number of skills and abilities, including the ability to lead team members and to proactively manage identified risks. Even for managers who are aware of the role and relevance of risk management, traditional approaches to risk management have three limitations. First, risk identification often relies on product-based techniques, such as FMECA, which overlook risks that only process-based techniques detect. Second, the assessment of identified risks is done with a reduced set of criteria. Third, the assessment is done once, neglecting changes that occur over time. This article provides engineering managers with a procedure for managing risks dynamically. Most engineering managers are aware of the importance of managing risks, but traditional approaches have limitations. A deep understanding of how to perform a comprehensive risk assessment, using a comprehensive set of criteria and following the steps described in this article, enables engineering managers to have a more complete understanding of risks and of the potential impact of each risk. The successful application in several projects of the procedure described in this article ensures that its application will enable the adoption of mitigation strategies that are more likely to be effective and comprehensive. Furthermore, a holistic approach to risk management reinforces the ability of engineering managers to have a global view of the project by focusing not only on the tasks to be done but also on what could make the project derail, the global view that is also known as the conceptual skill (Katz, 1986). Neglecting to adequately manage risks in a project is, in itself, a very serious risk with consequences. Successfully coping with the growing complexity of projects requires a dynamic approach to risk management. The procedure presented in this article provides an approach for engineering managers to dynamically manage identified risks.

Acknowledgments

The author wishes to express his most sincere gratitude to the reviewers and editors. Thanks to their insightful recommendations, the readability and structure of the paper were significantly enhanced.

References

Altabbakh, H., Murray, S., Grantham, K., & Damle, S. (2013). Variations in risk management models: A comparative study of the space shuttle challenger disasters. Engineering Management Journal, 25(2), 13–24. doi:10.1080/10429247.2013.11431971
American Institute of Chemical Engineers. Center for Chemical Process, S. (2014). Guidelines for initiating events and independent protection layers in layer of protection analysis. Retrieved from Ebook Library http://public.eblib.com/choice/publicfullrecord.aspx?p=1895791
Aven, T., & Renn, O. (2009). The role of quantitative risk assessments for characterizing risk and uncertainty and delineating appropriate risk management options, with