Managing project risks

Projects attract many risks. Project risk management is concerned with attempting to identify all the foreseeable risks, assessing their probability and severity and then deciding on how to mitigate them. Risks that appears at the later stage of the project might be more significant as a substantial part of work has been already done within the project. The risks, should be, therefore, addressed as early as possible in the project planning stage and reviewed later on a regular basis.

Statistical tools can be used to assess the probability of the project finishing by its target completion date.

1. Identify and evaluate risks

Checklists are often used to see the foreseeable risks. Looking on history of previous projects can also add value in terms of risk assessments. Brainstorming sessions can be a particularly powerful tools to identify the different project risks. Classification of risks could also be a good idea.

These classification can include:

1. Risks that are likely to occur at the start of the project.

2. Risks that are likely to occur during the execution of a project.

3. Risks that are likely to occur at the later stages of a project.

4. Risks that are likely to occur after handover to customer.

5. Risks that can occur at any time of a project.

Once identified, these can be ranked to the probability and severity level.

A cause-and effect diagram examines a possible causes of a risk event but failure mode analysis is generally most appropriate for project risk management.

Fishbone diagrams are commonly used to analyse fault in design or construction. These diagrams can be utilised to examine failure or poor performance in organisations. The effects and causes are determined.

Example of fishbone diagram is presented below.

Source: https://www.visual-paradigm.com/project-management/fishbone-diagram-and-5-whys/

But project management is concerned with listing possible causes first and then assessing the effects.

Failure mode and effect analysis (FMEA) can be used more effectively in project management. It starts to consider possible risk items and then predicts possible effects. Therefore, this method is more helpful.

An FMEA example is presented in figure below.

Source: https://www.researchgate.net/figure/An-example-of-FMEA-table_fig4_220838473

Additionally, risk classification matrixes can be utilised.

A simple risk classification matrix is presented in figure below.

Generally, a risk classification matrix will consist from severe impact - severe chance items to low-impact and low-chances items. then, we are trying to quantify the risk long with qualitative assessments in the FMEA.

An sample of such risk evaluation is shown below.

These rankings can be added to FMEA templates and act as more comprehensive guide to risk management. This is called FMEACA (Failure mode effect and criticality analysis).

Additionally, sensitivity analysis might be performed. These consider effects of risks arising from wrong estimating of values during financial analysis. The actions would involve repeating the calculations several times to test the outcomes.

2. Deal with risks

After identifying and assessing the risks we must consider how we can manage them.

We could either Avoid, Prevent, Accept, Share, Limit or Transfer the risks.

In order to avoid risks we might want to eliminate all possible causes.

To prevent risks we might need to adopt a high-level risk prevention strategy. Any preventive measures and procedures should be followed in any department or area. Therefore, this involve participation of all key people. These can include regular inspections or testing, double checking failures and errors, back-ups, escape-routes, regular tests of equipment, refresher and regular training, maintenance schedules, restricted areas and hazard areas, limiting access, regular audits etc.

We might also accept risks. This can arise when risks identified are not likely to cause serious consequences. Even if they happen, they might be overcome by corrective actions and re-scheduling.

Sometimes risk might be shared. The contractor might choose to share risks with the partners.

We might also try and limit the risks. In research projects when the costs might not be clear at the start risks might occur in further stages. To limit such risks approvals of steps might need to be implemented. Identification of significant events might be needed. For example:, approval of significant costs, imposition of time limits of some steps or occurrence of other significant events in the project life cycle. These steps aim to limit risks and be documented in the project procedures and policies.

Some risks can also be transferred to another party through insurance.

Insurance

Financial risks can be transferred through insurance. Often a company will pay a premium to insurance company.

There are different types of insurance:

* legal liabilities (compensations awarded by courts, statutory, regulatory and contractual commitments, legal expenses).

* protection against damage or loss of property / work in progress.

* personnel insurance.

* pecuniary loss.

Cover of some risks might be required by law or commercial contracts. A further division of risks, therefore, has been identified:

Risks that can and must be insured

These are all statutory and contractual requirements that need to comply with laws and regulations. For example, certification and inspection of equipment. The main regulation that it applies to in the UK is the Health and Safety at Work Act 1974. The project managers should be checking the inspection certificates and ensure these are valid. The project manager will also want to know on whether any subcontractors have relevant insurance for personal injury, death or illness caused to anyone as the result of the project. An insurance should cover compensations for injuries, loss or damage of property, financial losses, infringement of intellectual property rights, accidents, liability arising from use of product, nuisance and environmental damage.

Risks that can be insured if required

These can be chose by the senior management and include all-risks insurance. These typically protect against fire, storm, thief, damage of construction plant and machinery, hired equipment, items and materials in transit, temporary buildings, tools etc.

Decennial insurance is dedicated to insure against damage to premises caused by defect in the design, material or construction. The project owner does not need to make a claim against the contractor.

If employees are required to travel a decision might be made to make accident, medical expense or sickness insurance.

Some insurance also cover key persons if they are sick, ill or dead.

Risks that are difficult or impossible to insure

At times where a chance or risk occurring is very high or data from the past is not available to assess risks, refusal to insure might happen. These items are generally excluded from the insurance portfolio.

It is best when insurance is south from a reputable insurer. They also should have access to relevant information for the identified risks. The contractor must also provide the insurer with any changes that might affect it. Generally organisations use professional advise in this matters. This can give great benefits in reducing those risks.

Liability insurances become difficult to obtain and expensive, therefore insurance company should be involved in projects as early as possible and find the optimal insurance cover for the project risks.

Contingency plans

Events like pandemic, flooding, earthquakes, hurricanes, natural disasters might require contingency planning. Not only by the project organisations but also in place for suppliers and subcontractors.

Crisis contingency plans can be made to deal with those effectively.

The first step in designing such plans would be to select the team members responsible for such contingency actions. These might include emergency services, relief organisations or cleaning services. The resources should also be determined should such crisis happens.

After key person are identified relevant action plans should be prepared. The plans should be regularly reviewed and kept up to date. Special emergency funds, equipment or storage might need to be organised. Lists of secondary organisations must also be prepared (special contractors, decontamination experts, explosives experts, demolition contractors etc).

The action plan should include all steps required in case event will happen. Exercises and tests might be performed. Then, tested plans should be documented, including all lessons-learned from the tests and added to the project handbook or manual.