Project Management

EBS MBA Program

Module 3 : Project Risk Management
Presented by :
Karim Hamza
MPhil / MBA | PMP
 Agenda
Background to Risk

Risk Handling

Types of Risk

Risk Conditions and Decision making

Risk Management

Risk, Contracts and Procurement

 too many risks...
...which one first? ...what do I do?
...what do I do?

risk plan
...what’s that?
 Introduction
Risk, is a measure of the probability and consequence of not achieving a specific project
goal.
The project manager must:
Manage risk through the project life cycle
Identify the present risks in the project and in the environment
Transfer or reduce unacceptable risk
Set up monitoring and control systems to manage residual risk
Risk analysis a basic function of the human cognitive process - compares possible gains and
losses and makes a subjective decision
Risk = f (event, uncertainty, consequences)
Risk acts like a barrier to the development of effective strategy
Exposure: when a realised change in a variable within a given time scale will result
in a change in one or more of its key performance indicators
The greater the potential change in performance, the greater the exposure
Sensitivity: A function of three elements:
1) Significance (severity) of the organisations exposures to different events
2) Likelihood of different events occurring
3) Ability to manage the implications of these different events
Having an effective Risk Management Programme implies better possibilities of taking
advantage of risky opportunities in the marketplace
Risk can lead to both positive & negative outcomes, and it raises the need for an effective
way of managing risk to make sure it is effectively addressed and used.
 Risk forecasting and prediction

uses knowledge of past events to assess a current risk in making a decision.

Assumes that acceptable outcomes in the past will continue to be acceptable outcomes
during the current evaluation process
Risk forecasting, which is:
Based on experience
As much subjective as objective based
Possible to subject it to complex modelling ex. chaos theory,
best evaluated using a combination of modelling and subjective approaches
predicting future trends
In developing a forecast, a decision maker uses a two-stage process:
what the future is like before the proposed action
what the future will be like after the proposed action
Important considerations regarding forecasting:
Accurate data
Time limits
Cost: Detailed and complex forecasting is a labour-intensive task
Vision: Project manage attempts to predict the future and identify possible
events that are outside his/her experience
Intuition and bias are powerful influences on any forecasting application
 Risk handling
manage risk by deciding what level of risk is
acceptable and what level is not
acceptable.
not acceptable Risk is transferred or reduced in
some way.
residual risk is at an acceptable level, ensure
that it does not affect the performance of the
project
Total risk will diminish as the project
progress
 Project risk management

Risk Assessment Risk Control

Identify risk Measure/

control

Analyse risk Propose Respond to risk

risk response

Classify risk Residual risk

Prioritise risk Es,Contingenci

es
 Risk Classifications
Project risk: limited to risk considered in relation to the project. Examples are:

Delays caused by bad weather

Errors in specific contract documents
Cost increases caused by changes in individual supplier prices
Day-to-day breakdown of plant and equipment
Individual absenteeism or labour problems
Strategic risk (long-run): concerned with variables that can affect the progression and
development of the organisation in its attempt to progress from current position to the
desired position. Are more difficult to manage than project risk. Examples:

Variations on competitor behaviour

Changes in the economy
Impact of IT and new technology

Generic Risk
Strategic risk relating to
long-term performance of
the organisation
(markets, corporate
governance
(ethics) ,stakeholders)
Operational risk
Includes the process itself,
asset, people within project
team & legal controls ex.
Project risk
Financial risk : market,
credit, capital structure and
reporting risks
Knowledge risk IT
hardware/software,
information management,
and planning
Catastrophic risk Risks
that cannot be predicted
effectively and therefore
cannot be quantified
accurately. Usually covered
by contingencies and
reserved
Types of Risk
Market
Business risk (dynamic
risk)
Market business risk
(MBR): caused by asset
trading, and risk is
distributed among
shareholders, creditors,
employees and all other
stakeholders
Market financial risk
(MFR): caused by the
gearing ration of the
organisation, and measures
the risk of dividends falling
to zero
Static risk (insurable)
Considers losses only, and
seeks to minimise problems
or losses at a given level
Ex. fire insurance,
can also be reduced by
mergers and acquisitions,
specific risk of the company
is diversified across a wider
range of business areas
Organization Predication
External risk: risks with Predictable risk: known
little control possibilities for unknown risks
the organisation Unpredictable risk:
Competitor risk: unknown unknowns
Market demand risk:
Innovation risk:
Exposure risk:
Shareholder risk:
Political/Statute risk:
Impact risk:
Internal risk: originate
from within the organisation
Operational processes
risk:
Human
resources,availability,
Production capacity ,Time-
based ,Tactical
response,Change
Financial risk:
Management risk:
IT and technology risk
 Risk conditions and decision making

1) Conditions of certainty: (known known)

The outcome is known and foreseeable from the information that is available
to the decision maker
The decision maker knows with 100% certainty what the outcome will be

2) Conditions of risk: (known unknown)

Probability that an event will occur and where some kind of assessment can be
made.
Most risk management and decision making take place under conditions of risk
higher profits = higher potential risks.
higher profits = higher potential losses
3) Conditions of uncertainty: (unknown unknown)
Apply when it is not possible to identify any known events Not possible to predict
outcomes with any accuracy
“Risks are insurable, while uncertainties are not”
 Decision making under Uncertainty

Hurwicz Criterion (Maxi Max): maximum possible profits irrespective of loss

Decision maker is always optimistic and seeks to maximise profits by an all-or nothing
approach.
not concerned with potential losses
high-risk strategy for decision making
Wald Criterion (Maxi Min): minimum profit with no loss
Decision maker is pessimistic and seeks to minimise losses, and will only consider
minimum profits
Used when the company cannot make a loss
Savage Criterion (Mini Max): minimum regret
Decision maker is a bad loser, and therefore attempts to minimise the maximum regret.
maximum regret is the largest regret for each strategy and the largest regret is the
greatest difference within a state of nature
total regret values = maximum possible outcome - minimum possible outcome
Laplace criterion: maximum profit based on probabilities
Attempts to convert decision making under conditions of uncertainty into decision making
under conditions of risk
Subjective probabilities are assigned to each possible outcome
Objective probabilities are based on long-term frequencies of occurrence
Baynesian theory applies, which states that if the probabilities of each state of nature
are not known, they can be assumed to be equal. The probability of each nature is
therefore the average pay-off value
 Decision Making

Decision Making under Conditions of Risk

S1 = (100m × 0.25) + (80m × 0.25) + (60m × 0.50) = 25m + 20m + 30m = £75m
S2 = (150m × 0.25) + (100m × 0.25) + (80m × 0.50) = 37.5m + 25m + 40m = £102.5m
S3 = (200m × 0.25) + (160m × 0.25) + (−£100m × 0.50) = 50m + 40m − 50m = £40m

Decision making under Conditions of Uncertainty

1- Hurwicz Criterion :maximum profit using strategy S3 is £200 million.However, strategy S3 is risky because
there is
a 50 per cent probability that state of nature N3 will apply
2- Wald criterion strategy S2. In any state of nature, S2 still makes a minimum profit of £80 000
3- Savage Criterion difference between maximum possible outcome and minimum possible outcome.
Strategy S2 gives the minimum maximum regret at £110 million. A Savage criterion decision maker would
therefore elect
for strategy S2.
4- Laplace Criterion: decision maker would go for strategy S2 because this gives the greatest payoff
based on the average payoff in terms of equal probabilities of each individual payoff.
 Risk Management Strategy

needs to align strategy, production, human resources, technology, leadership

and knowledge
It needs to cross functional and project boundaries and unite all sections of the
organisation in the envelope of Total Strategic Risk Management (TSRM)
As with TQM, TSRM has to reach all sections and has to be forward looking
and predictive instead of just reactive
TSRM has to consider all key performance indicators of the organisation, both
static and dynamic
TSRM must be developed alongside, and be integrated with, strategic planning
and management
 Risk Management Systems
aims to identify the primary risks an organisation is exposed to, so that an
informed assessment can be made and proper decisions made to safeguard the
organisation
A risk management system should be:
Practical
Realistic
Compliant with internal and external standards
Cost-efficient
Most risk management systems contain five distinct areas:
1 risk Identification.
2 risk Classification. Analysis
3 risk Analysis.
4 risk Attitude.
5 risk Response, Control, policy and Reporting. Management
 Analysis

Work breakdown structure Identification Risk checklist

Interna Classification Controllabl

l e

Probability of occurrence Analysis Impact of occurrence

Management

Averse , Neutral , Seeking Attitude

Response
Risk Management
Strategy
 Risk Management System-1.Risk Identification

finding all risks that are likely to impact on a given project and explore the linkages and interdependencies
between them
risk identification typologies for project risk:

Internal risk: identified by using a WBS

External risk: ex.interest rates & levels of economic activity, difficult to identify and evaluate
Project risks: applied within the project environment (OBS, team membership, leadership,
communications)
Overall risk a combination of these 3 sources of risk
Risk sources can often be identified in terms of objective and subjective sources:

Objective: total of past experience on past projects in relation to current project

Subjective:total of current knowledge based on current experience
Brainstorming is most widely used method for risk
identification, look at the project scenario and try
to identify as many risks as possible.
include internal, external and controllable,
uncontrollable, and all other forms of risk
that can affect the project
Brainstorming:
Phase 1: The creative phase
Phase 2: Evaluation phase
AGAP : Risk seeking all goes according to plan
WHIF : risk averse
 Risk Management System-2.Risk Classification
Types
Specific risk Market risk
(insurable risk) (business risk)
Most classifying risk linked to Potential losses Pt. gain/ loss
Fire Share value
portfolio theory, which considers Flood Sales
risk classification from financial Breakdown Profitability
point of view and the beta- Theft Acquisitions
coefficient
Primary classifications: Market risk
vs. Static risk
Source
3-level classification system Environmental
Market
Company
1) Risk type
Project
2) Risk extent
3) Risk impact
Impact
High
Medium
Low
 Risk Management System-3.Risk analysis
Based on the identification of all feasible
options and data relating to the various risks
and to the analysis of the various outcomes Impact Risk Map
of any decision 2-Yellow1 1-Red Zone
H, Impact . L, Probability H, Impact . H,
require close attention and are Probability
Risk analysis comprises 6 basic steps: typically driven by external .dangerous risks
1) Evaluate all the options. factors .Immediate action is
May be insurable and require required
2) Consider the risk attitude of the contingency planning
decision maker
3) Consider the characteristics of the
risks: controllable ?/impact? 4-Green Zone 3-Yellow2
L, Impact . L, Probability L, Impact . H, Probability
4) Establish a measurement system: not of sufficient stature to often relate to day-to-day
qualitative/quantitative/combined allocate specific resources, and operations. Left to accumulate
represent areas that could be these risks can equate risk of
5) Interpret the results/prediction outsourced quadrant 2.
6) deicide which risks are retained and
which are transferred to other parties Probability
Risk map: showing the relationship between
risk probability and impact for a range of
given risks as a function of time.
Risk grid: alternative to the risk map.
depends on: probability of risk occurring,
impact,
and risk attitude of the risk taker
 Risk Management System-4.Risk Attitude

Much risk evaluation is subjective and therefore dependent on the risk attitude
of the risk taker and the perceived level of risk faced
Risk takers can be:
Risk seeking
Risk neutral
Risk averse
Risk attitude is also dependent on the type of setting the decision is made:
A Group will take accept more
risk than an individual.
A Multidisciplinary Group will be
even more risky decisions.
Teams tend to take more risky
decisions the longer they
are together.
 Risk Management System-5.Risk response
Risk response: response depends on the nature of risk, detail of analysis and the attitude of the risk taker
Variables that affect risk response:

. Company policy. Lack of relevant information on cause and effect

. Length of time of exposure to the risk . Individual vs. team interests
. Involuntary risk (acceptable risk) . Alternatives (cost/non-cost effective)
. contract requirements
Risk response basically centres on risk distribution which depends on:

Is the outcome of the project worth the risk?

Who (which party to the contract) has the greatest risk control?
Who has the greatest risk liability? And What incentive does each party have?
Response options:

1- Risk retention
In general, risk retention applies to low impact, low probability risks
Ex.: manufacturers retaining the risk of 5% defect rate, but allows this risk transferred back by a
guarantee or warranty
2- Risk reduction
Engineering it out
Training and development
A risk-reduction matrix comprises 3 categories: risk, how to reduce probability, how to reduce impact
3- Risk transfer
Contractual clauses (damages clauses) or through negotiation
Most common: insurance contracts
4- Risk avoidance
Involves removing the risk in all forms from the project
 Risk Management System-6.Risk Control
Risk control, policy and reporting
Process of using the information that has been learned on a project to assist in the later
development of the project.
The storage and classification of learned information is crucial to any risk management
system
Risk control involves monitoring risks that have been dealt with at a previous stage,
Experience with risk and risk management is often documented into a “risk handbook”,
which may be incorporated into the organisations “best practice” documentation
There must be frequent reporting on high impact, high probability risks present
Risk reports should be produced to a time-table and be controlled by an overall strategy,
with the frequency depending on the significance of the risk
A risk policy establishes a number of elements:

Overall aims and objectives concerning risk

Accountability for individual managers
Established through a TRM
Formalised reporting channels
Risk tolerances (direct variance envelope)
Authorisation procedures
 Risk, Contracts and procurement
Contract :
way of managing risk by risk transfer or mitigation
formal agreement between two parties which records the rights and obligations of each
party to contract
When risk is transferred to contractors and suppliers, their tender price will be higher to
reflect the increased risk
reduce potential conflict in that responsibilities and obligations have been agreed in the
contract
Reasons for conflict or disagreement include:
Inadequate and defective contract documentation
Inappropriate contractual arrangements
Incorrect estimating and pricing
Unreasonable risk as allocated by the contract
Breakdown in personal communication
Interface management system problems
Vague or unclear contractual terms
Ambiguous specification
The main consideration in terms of contracts and contract law, is commensurate risk,
which is an obligation when accepting a contract
Commensurate risk is the risk of being unable to fulfil the obligation or duty because one’s
own inadequacy, incapacity, inadvertence or error, or because of interference from
outside events and sources
Within any contractual agreements, the contract defines only the ground rules. The
execution of the contract depends on goodwill, intent and the relationship between the
parties
 contract documents
signature block and project title: identify the project and its parties
The definition of contract terms and scope: range
obligations
Project approvals
Payment systems
Working drawings: full design information of the project
specification:
Schedules
General conditions: standard forms of contract, often sector generic
Specific conditions: specific terms and conditions applied by the client
Provision for change and variations:
The form of tender: a legal offer to carry out the works and appendices
contains a summary of any additional contractual information, such as fees
and contingencies
Dispute resolution
Bonds and warranties
Contracts involving public finance often contain a detailed bond cover
 Contract
In order for a contract to exist, there must be:

Offer and acceptance:

Consideration: a fee charged in advance to retain the services,
Capacity
Legal relations: the terms and conditions in the contract must relate to actions that are
not illegal
Communication: Acceptance must be communicated to the bidder for the contract to be
valid
Alternatives to fulfilment of the contract includes:

Breach: where one party acts in contravention with one ore more terms or conditions
Frustration: where a contract cannot be performed, even if both parties wish to do so.
Rescission: where there has been and error or misunderstanding in the preparation of the
original contract. The courts can then elect to rescind one or more contract terms if
they are not acceptable, for example in the case of contradictory terms
Rectification: where a contract term has been wrongly worded or phrased
Void: e.g. when the contract goods are illegal
Termination/determination: under certain circumstances a contract may be determined,
and this means that both parties to the contract cease works, and the party that has
determined the contract can seek reimbursement against the party who has been
determined (e.g. determination by the contractor because the client has not paid
agreed sums of money
 Procurement
Process by which goods and services are acquired,
Good procurement leads to good suppliers and in turn
leads to increased performance/profitability
Most large organisations have a legal section
responsible for procurement, preparation and
execution of contracts.
Procurement act at 2 levels :

Strategic level: involves the corporate strategy of

the organisation
Project level: restricted to procurement options
relevant to the project only
Procurement life-cycle phases:

Objective phase: objectives of procurement process

are established and reconciled with the objectives
of the project and overall organisation objectives
Exposure phase: a list of different possible sources
of supply is made and examined in regard to past
experience.
Alternatives phase: involves various alternative
sources available., including checks of the bidders
plants, records, financial numbers etc.
Documentation phase: prepare contract documents.
Tendering phase: those applicants selected to
proceed may be invited to tender or bid as the
preferred source.
Contract administration phase: contract is awarded
and client administer contract in order to ensure
that both parties comply with the contract
 Characteristics of contracts:
In all cases there will be some fundamental contractual risks, including:
Adequacy of design: latent (hidden) and patent (obvious) defects
Project eventual cost: the risk for cost overruns may be client –or contractor based
Safety and indemnification for accidents: provisions for indemnity
Third-party insurance: insurance against damage to third parties Fire, flood etc
Completion deadlines: if the project is completed late, both the client and the contractor are likely
to loose money, to protect against late completion

Punitive
Liquidated (cash)
Ascertained (based on actual losses incurred)
Typical examples of client risk include:

Failure to provide information within a reasonable time .

Late instructions
Errors or omissions in the contract documents
Delays caused by nominated subcontractors
Delays caused by client consultants
Changes in statute
Non-availability of labour
Civil commotion and disruption
Declaration of war or war damage
Exceptionally adverse weather
Q&
A