4 Managing Risk

Everything we do, from getting out of bed in the morning to returning there at night,
carries risk. It is not surprising that projects, which metaphorically (and sometimes
literally) break new ground, attract many risks. Project risks can be predictable or
completely unforeseeable. They might be caused by the physical elements or they
could be political, economic, commercial, technical, or operational in origin. Freak
events have been known to disrupt projects, such as the unexpected discovery
of important archaeological remains or the decision by a few members of a rare
protected species to establish their family home on what should have been the site
of a new project.
Project risk management (and much of mainstream project management) is
concerned with attempting to identify all the foreseeable risks, assessing the chance
and severity of those risks, and then deciding what might be done to reduce their
possible impact on the project or avoid them altogether.
Risks can occur at any stage in a project. Some are associated with particular
tasks and others originate from outside the project and can manifest themselves
without warning. Generally speaking, a risk event that occurs late in a project can
be more costly in terms of time and money than a similar event nearer the start of
the project. That is because as time passes there will be a greater value of work in
progress and thus higher sunk costs at risk of loss or damage.
Some projects that are very small or which are similar to projects undertaken
by the contractor in the past might not need special attention to risk management
(other than obtaining some insurance cover). However, for any significant new
project a risk management strategy must be developed, first to identify as many
potential risks as possible and then to decide how to deal with them.
Copyright © 2014. Taylor & Francis Group. All rights reserved.

Identifying the Possible Risks

Risks can occur in any kind of project and they can range from the obvious to the
most unexpected and bizarre. In a lifetime spent with projects I have known risk
events ranging in scale from a tragic underground mining disaster to an exploding
hearing aid battery (which blew the unfortunate lady’s hat off). Risk events can
even happen after the project is finished and handed over. Business change and
IT projects seem to be particularly prone to risk of failure, with huge losses of

Lock, D 2014, The Essentials of Project Management, Taylor & Francis Group, Farnham. Available from: ProQuest Ebook Central. [22 November 2023].
Created from UNICAF on 2023-11-22 16:16:55.
 The Essentials of Project Management

money. With this vast breeding ground for possible risks it is apparent that the risk
manager’s first problem is to identify the risks that might affect the project.
Checklists (which should grow in size and value as companies gain more project
experience) are a good starting point for listing the foreseeable risks. Studying the
history of similar projects can also highlight possible problems and help the project
manager to learn from the mistakes, accidents and experiences of others.
A brainstorming meeting of key staff is a good method for identifying all the
possible risks (along with many of the improbable ones). Much depends on how
the brainstorming session is conducted. The meeting leader should encourage an
atmosphere of ‘anything goes’, so that participants feel free to propose even the
most bizarre risk possibilities without fear of ridicule. All suggestions, without
exception, should be recorded for subsequent appraisal and analysis.

Risk Appraisal and Analysis

Once identified and listed, risks can be ranked according to the probability of
their occurrence and the severity of the impact if they should occur. This process
allows the most improbable risks listed during brainstorming to be removed, but
it should highlight those risks that are most likely to happen or which would have
the greatest potential impact on the project. For this analysis the possible causes
and effects of every identified risk have to be considered.

Qualitative Risk Assessment

Qualitative risk analysis involves considering each risk in a purely descriptive way.
We have to imagine various characteristics of the risk and the physical effect that it
could have on the project.
Fault-tree analysis and Ishikawa fishbone diagrams (not described here) are
methods used by reliability and safety engineers to consider and analyse the
effects of faults in design and construction, but they can be adapted easily for
project management.
A common project management method, which also has its roots in reliability
engineering, is failure, mode and effect analysis (FMEA). Failure mode and effect
Copyright © 2014. Taylor & Francis Group. All rights reserved.

analysis starts by considering possible risk events (failure modes) and then proceeds
to predict their possible effects. Figure 4.1 shows part of a simple FMEA chart. This
illustration contains only three items, but there might be hundreds in a large
project. This is a qualitative process because there is no attempt to give each risk a
priority ranking number or to quantify the damage if the risk should occur.

44

Lock, D 2014, The Essentials of Project Management, Taylor & Francis Group, Farnham. Available from: ProQuest Ebook Central. [22 November 2023].
Created from UNICAF on 2023-11-22 16:16:55.
  Managing Risk

Recommended
Item Failure mode Cause of failure Effect action
1 Project Engine refuses Poor Project manager Improve vehicle
manager’s to start maintenance marooned at maintenance
car remote site with procedures.
no other means Consider replacing
of transport the car.

2 Main building Building Errors in floor Personal injuries Triple check key
collapses during loading Project delays structural
installation of calculations Loss of calculations
heavy reputation
machinery

3 Floor slabs Personal injuries Ensure operatives

incorrectly Project delays get good training
poured Loss of and instruction.
reputation Employ competent
site engineering
manager.

4.1 Part of a failure, mode and effect analysis (FMEA)

Quantitative Risk Analysis

Quantitative risk analysis goes at least one stage further than qualitative analysis by
attempting to quantify the outcome of a risk event or to attach a numerical score
(rank) to the risk according to its perceived priority for arranging preventive or
mitigating action.
Although all quantitative methods produce ‘actual’ numbers they can give a
false sense of precision. The results are based on only on estimates and human
judgement. Those judgements might be fundamentally flawed, mistaken or simply
too difficult for any person to make with any degree of certainty.
Failure mode effect and criticality analysis (FMECA) is a common method for
attempting to quantify and rank risks. The example in Figure 4.2 is based on the
FMEA illustrated in Figure 4.1 but now contains ranking assessments. The numbers
written against each risk in the columns headed ‘Chance’, ‘Severity’ and ‘Detection
difficulty’ are allocated on a scale of 1 to 5, where 5 is at the highest end of the
perceived impact scale. Multiplying these three numbers for each particular risk
Copyright © 2014. Taylor & Francis Group. All rights reserved.

gives that risk a ranking number. The higher this ranking number, the greater
must be the management attention given to prevent the risk from occurring or to
mitigate its effects should it happen.
Item 2 in Figure 4.2, for example, considers the possibility and potential
seriousness of a building collapse. This is for a building created as part of a project, and
the collapse in question might happen during the installation of heavy machinery
on an upper-level floor. If the floor has been incorrectly designed or constructed, it
might not be sufficiently strong to carry the weight of the machinery. The assessor
clearly thinks this is unlikely to happen because they have ranked chance at the

45

Lock, D 2014, The Essentials of Project Management, Taylor & Francis Group, Farnham. Available from: ProQuest Ebook Central. [22 November 2023].
Created from UNICAF on 2023-11-22 16:16:55.
 The Essentials of Project Management

Cause of Detection
Item Failure mode failure Effect Chance Severity difficulty Rank

1 Project Engine Poor Project 2 1 3 6

manager’s refuses to maintenance manager
car start marooned at
remote site
with no other
means of
transport

2 Main Building Errors in Personal 1 5 3 15

building collapses floor loading injuries.
during calculations Project
installation of delays.
heavy Loss of
machinery reputation.

3 Building Floor slabs Personal 1 5 2 10

collapses incorrectly injuries.
during poured Project
installation of delays.
heavy Loss of
machinery reputation.

4.2 Failure, mode, effect and criticality analysis (FMECA)

bottom end of the 1–5 scale. There is no doubt, however, that if this event did occur
it would be extremely serious, so the severity has been marked as 5.
Detection difficulty means the difficulty of noticing the cause of a risk in time
to prevent the risk event. In this example of possible floor collapse, the risk assessor
thinks that although the chance of a design error is very low, the difficulty of
spotting a mistake if it did occur would be fairly high (3 on the scale of 1–5).
The product of these three parameters, 1 × 5 × 3 gives a total ranking number
of 15. Theoretically, when this exercise has been performed on every item in the
list, the list can be sorted in descending sequence of these ranking numbers, so that
risks with the highest priority for management attention come at the top of the list.
Some assessors use weighted parameters. For example, it might be considered
that the severity of the risk should play a higher part in deciding ranking priority,
so the severity column could be marked on a higher scale, say from 1–10. Item 2 in
Copyright © 2014. Taylor & Francis Group. All rights reserved.

Figure 4.2 might then be marked 9 on this extended scale, which would increase
the ranking factor for this item from 15 to 27.

Risk Register
When all the known risks have been listed, assessed and ranked it is time to consider
what might be done about them. That process requires that all potential risks be
listed in a risk register (or risk log). An example of a risk register page is shown

46

Lock, D 2014, The Essentials of Project Management, Taylor & Francis Group, Farnham. Available from: ProQuest Ebook Central. [22 November 2023].
Created from UNICAF on 2023-11-22 16:16:55.
  Managing Risk

in Figure 4.3. This is modelled closely on the FMECA method demonstrated in

Figure 4.2 but with the following noticeable additions:

• an ID number for each risk listed;

• space for noting any action required;
• a column headed ‘Action by’ in which the name of the person or manager
responsible for taking action for each risk can be entered.

The risk register should be reviewed and updated regularly throughout the life of
the project. It is advisable to use the computer to sort the risks according to their
ranking, with the highest-ranked risks placed at the top.

Risk Date Risk description and Probability Impact Detection Risk Recommended mitigating or Action by:
ID registered consequences (severity) difficulty ranking risk avoidance action
P = 1-3 S = 1- 3 D = 1-3 P x S x D

4.3 Example of a risk register (or risk log) format

Methods for Dealing with Risks

Copyright © 2014. Taylor & Francis Group. All rights reserved.

When all the known risks have been identified, assessed, ranked and registered it is
time to consider what might be done about them. The resulting decisions must be
entered in the two right-hand columns of the risk register.
The project manager usually has a range of options about how to deal with
each possible risk:

1. Avoid the risk – the only way to avoid a risk is to remove all the possible causes,
which could even mean deciding not to do the job at all.

47

Lock, D 2014, The Essentials of Project Management, Taylor & Francis Group, Farnham. Available from: ProQuest Ebook Central. [22 November 2023].
Created from UNICAF on 2023-11-22 16:16:55.
 The Essentials of Project Management

2. Take precautions to prevent or mitigate risk impact – this is a most important

part of risk management, needing the active participation of managers and
relevant staff. It needs a high-level risk prevention strategy combined with
executive determination to ensure that all preventive measures are always
followed throughout all parts of the organization. It requires the creation of a
risk prevention culture, covering all aspects of project tasks, health and safety
and consideration for the environment. Here are a few examples of the many
possible practical measures, chosen and listed at random:
–– high security fencing to reduce the chance of gatecrashers at an open air
pop festival;
–– provision of marquees at a garden party in case of rain;
–– regular inspection and testing of electrical equipment and cables to ensure
safe operation;
–– double-checking to detect errors in design calculations for vital project
components or structures;
–– provision of back-up electrical power supplies for vital operations, essential
services and computers;
–– frequent back-up and secure offline storage of data;
–– avoidance of trailing electric cables in pedestrian areas;
–– ensuring that means of escape routes in buildings are always clear of
obstructions and that smoke screen doors are kept closed;
–– regular fire drills, testing of fire alarms and emergency lighting;
–– on-the-job training of back-up staff to understudy key roles in
the organization;
–– regular inspection and maintenance of lifts and hoists;
–– provision of safety clothing and equipment to protect workers, and
enforcement of their use;
–– restricted access to hazardous areas;
–– provision of secure handrails and good lighting to all stairways;
–– choosing the time of year most likely to provide fair weather for
outdoor projects;
–– adequate training of all those operating potentially hazardous machinery;
–– regular financial audits and the installation of procedures to identify or
deter fraud;
Copyright © 2014. Taylor & Francis Group. All rights reserved.

–– and so on, and so on: this list could be very long.

3. Accept the risk – rain might make the day chosen for office relocation miserable
for all concerned but the risk would have to be accepted. There are numerous
small things that can go wrong during the course of any project. Many of these
risks can be accepted in the knowledge that their effect is not likely to be serious.
4. Share the risk – if a project, or a substantial part of it, appears to carry very high
risk, the contractor might seek one or more partners to undertake the work
as a joint venture. Then the impact of any failure would be shared among
the partners. Sharing a risk big enough to ruin one company might reduce

48

Lock, D 2014, The Essentials of Project Management, Taylor & Francis Group, Farnham. Available from: ProQuest Ebook Central. [22 November 2023].
Created from UNICAF on 2023-11-22 16:16:55.
  Managing Risk

its impact to little more than a temporary inconvenience when it is shared

between two or more companies.
5. Limit the risk – there are occasions when project risks should only be accepted
with safeguards to limit their potential effect. A good example is a task or
project, perhaps for pure research, that cannot be clearly defined at the outset.
The stage-gating procedure outlined at the beginning of Chapter 2 is usually
suitable for this purpose. Some project closure tasks carry the risk that spending
on them could go on for too long after the project has been delivered. One way
to mitigate this is to allow only named individuals to spend time on closure
tasks and to impose a strict time limit.
6. Transfer the risk to a third party – some risks, or substantial parts of them, can
be transferred to another party. By far the most common method relies on
obtaining insurance from an insurance broker or underwriter. Figure 4.4
summarizes some of the insurance obligations and options available to
project managers.

Risk
?

Risks that can Risks that can Risks that are

and must be be insured if difficult or
insured required impossible to
insure

The contractor or
Compulsory legal Contractual Management the customer
requirement requirement choice must accept the
risk

Examples Examples Examples Examples

- Employer’s - Liability for - Loss or damage - A loss where the

Copyright © 2014. Taylor & Francis Group. All rights reserved.

liability for injury damage to to tools and insured would

to employees customer’s equipment at the make a profit
property project site from a claim
- Liability to third
parties arising - Indemnifying the - Pecuniary loss - Unreasonably
from use of customer through an high chance of
motor vehicles against injury to unforeseeable the loss
on public roads persons cause occurring

4.4 Insurance options and obligations

49

Lock, D 2014, The Essentials of Project Management, Taylor & Francis Group, Farnham. Available from: ProQuest Ebook Central. [22 November 2023].
Created from UNICAF on 2023-11-22 16:16:55.
 The Essentials of Project Management

Obtaining Insurance
Insurance can be sought directly from an underwriter, or through a broker;
preferably one with a good reputation and experienced in the insured’s type of
project activity. The insurer will need to be supplied with sufficient information
for the risk to be adequately defined, and the contractor will be expected to inform
the insurer of any change of circumstances likely to affect the risks insured. The
insurer may wish to make investigations or even follow up the project work using
its own experts.
Professional advice from experienced insurers can often be of great benefit in
reducing risks, especially in the areas of health and safety and crime prevention.
The time to seek such advice is before work on the project starts.
Copyright © 2014. Taylor & Francis Group. All rights reserved.

50

Lock, D 2014, The Essentials of Project Management, Taylor & Francis Group, Farnham. Available from: ProQuest Ebook Central. [22 November 2023].
Created from UNICAF on 2023-11-22 16:16:55.