A Framework to Select Techniques Supporting Project Risk
Transcript Of A Framework to Select Techniques Supporting Project Risk
A Framework to Select Techniques Supporting Project Risk Management
Chapter 4
Sabrina Grimaldi, Carlo Rafele and Anna Corinna Cagliano
Additional information is available at the end of the chapter http://dx.doi.org/10.5772/50991
1. Introduction
Projects may be conceived as temporary endeavors with a finite completion date aimed at generating unique products or services [1]. Today’s marketplace characterised by fierce competition requires increased accuracy and reduced time and costs in running projects [2]. In such a context, the variability of actual quality, time, and cost performance compared to the expected one crucially impacts on the success of a project and makes risk a central issue in project management [3]. It has been demonstrated that failure to deal with risk is a main cause of budget exceeding, falling behind schedule, and missing performance targets [4,5]. Additionally, in several industries, such as the construction and information and communication technology ones, the growing level of complexity, due to increased size and scope, huger investments, longer execution processes, more required resources, an augmented number of stakeholders, instable economic and political environments, and changing regulations, exacerbates the degree of risk in projects [6]. Therefore, these aspects ask for assessing and controlling risk throughout all the phases of a project. Before going into detail about project risk management, it is beneficial to recall the notions of uncertainty and risk. Uncertainty arises from either the natural variability or randomness of a system or an incomplete information or knowledge of some of its characteristics. In the first instance, uncertainty cannot be reduced by increasing data collection or knowledge, though they are valuable for assessing it, while in the second case a more accurate data collection and understanding are able to decrease the level of uncertainty [7-9]. Project risk is defined as an uncertain event or condition that, if it occurs, has either a positive or a negative effect on project objectives [1,10].
The management of risk is currently one of the main topics of interest for researchers and practitioners working in the field of project management. Different perceptions, attitudes, values regarding risk, needs, project sectors, specifications, geographical, social, economic,
© 2012 Cagliano et al., licensee InTech. This is an open access chapter distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
68 Risk Management – Current Issues and Challenges
and political environments have led to a variety of definitions, concepts, terms, and approaches, all highlighting the need for systematically addressing uncertainty.
Since the Nineties, most of the contributions have focused on the establishment of a risk management process: significant examples are the Project Uncertainty MAnagement (PUMA) process [11],the Multi-Party Risk Management Process (MRMP)[12],the Shape, Harness and Manage Project Uncertainty (SHAMPU) process [13], the Two-Pillar Risk Management (TPRM) process [14],the risk management process developed by the Project Management Institute [1], the Project Risk Analysis and Management (PRAM) process [15], the Risk Analysis and Management for Projects (RAMP) process [16], and The Active Threat and Opportunity Management (ATOM) Risk Process [10].
An effective application of risk management processes is not disjointed from sound enabling instruments. So, another research stream is running parallel to that focusing on the overall risk management structure: the development, implementation, and evaluation of operational means to put in practice risk management [17].
However, in literature there is a scarce systematisation of the actual capabilities of such practices. In addition, there is a lack of frameworks categorising them based on a comprehensive set of the peculiar characteristics of a project, of its management process, and of its surrounding business environment, as well as on the attitude of an organisation towards risk.
In order to contribute to fill this gap, the present work puts forward a taxonomy supporting the selection of the most suitable risk management techniques in any given project scenario, with the aim of fostering knowledge creation about how to treat risky events. The research mainly focuses on projects characterised by the achievement of a final work product not completely defined at the beginning of the project itself, such as in the construction, engineering, and information and communication technology industries.
After discussing the value of communication and knowledge in risk management, a set of dimensions reflecting the most important managerial and operational conditions characterising a project is developed starting from a review of pertinent literature. Widely applied techniques to support project risk management are presented and classified according to the framework. Finally, implications, ramifications, and future research directions are elaborated and conclusions drawn.
2. Communication and knowledge creation in risk management
Identifying and assessing risk sources and their impacts on project activities as well as developing responses to risk rely on a heterogeneous knowledge basis made up of past experiences, skills, and perspectives of involved people. However managing data, information, and in general the knowledge generated during the life cycle of a project is a difficult task and an inappropriate way of doing that may be a cause of failure. In particular, communication about risk is often very poor, even if the interactive process of exchanging information and opinions among all the concerned parties is a critical condition in the risk
A Framework to Select Techniques Supporting Project Risk Management 69
management process to effectively support decision-making [18]. Projects are often organised and managed in ways that create information and communication disconnects. Decisions about risk are made independently from one another according to the different nature of possible risky events (e.g. business, technical, operation, and country-specific) and the interactions among them are not taken into account. Participants in a project do not share a comprehensive understanding of the risks that may affect it and a life cycle view of uncertainty is usually uncommon. This brings compartmentalisation of risks because they are identified, assessed, and controlled by using only one perspective [19]. A structured communication of the objectives, instruments, and findings of the risk management process as well as of the required actions as a result of its output is strongly needed, being organisational and individual learning increasingly important when dealing with risk [20].
Communication among project parties generates awareness of risk and supports knowledge creation about both drivers and effects of uncertainty and approaches to cope with it.
A variety of practices exists to deepen the understanding of causes and consequences of uncertainty [4,21-23]. However, their application is still limited because several organisations do not systematically track past data and performance for this purpose. When there is a substantial lack of explicit information an important source of knowledge is represented by the implicit information held by the so called “experts”. The term expert refers to those people to whom special knowledge about specific issues is attributed and from whom it is possible to obtain information that is useful for risk investigation. The process of extracting information from experts is named elicitation, which is defined as formulating a person's knowledge and beliefs about one or more uncertain quantities into a probability distribution for these quantities [24]. Elicitation of implicit expert knowledge is a core component of qualitative risk assessment, by means for instance of Delphi analysis or SWOT analysis, where it is used to define probability distributions for the occurrence and the impact of risky events.
Another relevant issue in knowledge creation about risk is related to the guidelines on how to approach it. As mentioned, literature offers a wide range of frameworks to identify risk sources, evaluate their probabilities and impacts in both a qualitative and a quantitative way, and set up risk response strategies. Also, there are some attempts to categorise these practices according to the nature of the data they rely on, the phase of the risk management process, the kind of project, or the purpose of the analysis [1,25-27]. However, existing contributions usually focus on just one single aspect and there is a lack of taxonomies that simultaneously look at all the relevant dimensions that should be taken into account when choosing an appropriate means of treating risk. In addition, the terminology used to address risk management practices is somewhat confused. The most common words that can be found in literature are tool, technique, and method but there is no widely accepted definition of these concepts and of the relationships among them in the field of risk management. Sometimes a same practice is referred to with different terms. For instance, while Delphi is generally classified as a technique [1,26], the Failure Mode and Effects Analysis (FMEA) is defined as either a tool [4] or a method [25]. However, determining the exact nature of risk instruments and creating a hierarchy among them help to recognise their
70 Risk Management – Current Issues and Challenges
scope and range of application and allow a more appropriate use at various risk management levels.
How to select the correct practices and capture their actual potentialities is of paramount importance to enhance the knowledge that is necessary to manage in an effective and efficient manner the risk and the associated information throughout the development of a project. Such understanding facilitates a clear view of the critical conditions of a project, thus fostering performance improvement and enhancing trust within the project team [28].
The developed framework focuses on the need for a comprehensive perspective on the factors affecting risk investigation and proposes a taxonomy based on the most significant elements characterising the scenario in which project risk is approached. The aim is assisting in the choice of the appropriate practices according to the level and the purpose of the risk management effort. Since the distinction among the different terms to address risk management practices is not the purpose of this work, they are all referred to as “techniques”.
3. Dimensions for selecting techniques to support project risk management
There are multiple aspects that can be considered when facing the decision about the appropriate techniques to be applied for the purpose of risk identification, assessment, or control. They will be widely explained in the following sections.
3.1. A review of classification criteria
A commonly used criterion suggests looking at the nature of information that is available in a project. Qualitative and quantitative techniques are two fundamental groups applied to risk management. In the qualitative techniques risk assessment is connected with the determination of qualitative scales for evaluating the frequencies of occurrence of risky events and their impacts. They do not operate on numerical data but present results in the form of descriptions and recommendations basically according to opinions and risk tolerance boundaries collected from experts. The qualitative techniques are adopted to prioritise the identified risks for subsequent further action, such as quantitative risk analysis or response planning [1]. Moreover, they are used for determining highly risky areas in a short time, cheaply, and easily. At the other hand of the spectrum, quantitative techniques to support project risk management numerically analyse the effects of risks on overall project objectives in order to elaborate future trends [1,29]. They are applied to give an accurate image of risk that facilitates the cost and benefit analysis during the selection of reduction measures. However, the implementation of quantitative techniques is generally more expensive and requires greater experience than the application of qualitative techniques [30].
Another criterion is choosing techniques to support risk management according to the degree of knowledge about risk and the goal of the analysis. Kmec [27] discusses
A Framework to Select Techniques Supporting Project Risk Management 71
approaches to risk identification for the following situations: the majority of risks are known, the risks have been prioritised, the risk list is short, risks are classified according to some criteria, risks are broken down to build a hierarchy, relationships among risk are investigated, and risk evolution is studied overtime. Also, techniques for risk management differ according to whether the main aim is monitoring economic and financial outcomes, checking quality variance, tracking time delays or estimating the probability of the overall success or failure of a project.
In addition, risk management practices can be distinguished based on how the investigation is performed. Gidel and Zonghero [31] focus on selected techniques and suggest when they are suitable depending whether an analogical, heuristic, or analytic approach is applied to risk identification. With an analogical approach the study of risk mainly relies on the experience coming from the management of previous and similar projects. The heuristic approach uses the project team creativity or expertise through for instance brainstorming sessions. Finally, the analytic approach is typically based on FMEA and Fault Tree Analysis and aims to decompose a system to identify risky events for each sub-system together with their causes and effects.
Also, the nature, size, and phase of the life cycle of a project as well as the kind of associated consequences determine which techniques to support risk management should be used. Some authors highlight that, although risk management should assist in the entire life cycle of a project, it is particularly crucial in the planning stage and its scope and depth increase as the project moves towards the execution phase, while they decrease in the termination phase [13,32]. As a matter of fact, the earlier the risks are identified, the more realistic the project plan and the expectation of results and the more effective the contingency plans both during the development of the project and beyond [1,33].
Other works focus on the strong correlation between the risk profile of a project and its organisation: for instance, different procurement schemes require different risk practices [22].
Furthermore, every single step of managing risks, whether identifying or assessing them, developing response plans, or monitoring their execution, implies a different level of information and detail, thus it requires the application of different techniques. Literature reports numerous classifications of techniques according to the phase of risk management for which they are most suitable [1,34,35].
Finally, the project risk management capabilities of an organisation improve as its risk culture increases. A scarce awareness towards risk drives occasional applications of informal risk techniques to specific projects and problems are dealt with only when they show up. Recognising the relevance of risk, instead, is the condition for proactively managing uncertainty [33,36,37]. As a consequence, techniques supporting risk management require different levels of corporate risk maturity in order to yield the expected benefits and this constitutes a criterion according to which risk techniques may be classified [25].
72 Risk Management – Current Issues and Challenges
3.2. Three dimensions to characterise project risk management techniques
Based on a careful analysis of the characteristics of the techniques supporting risk management proposed in literature and applied in business practice, the authors believe that among the discussed criteria
the phase of the risk management process; the phase of the life cycle of a project; the corporate maturity towards risk;
are the three dimensions that encompass the most relevant aspects for understanding and choosing among project risk management techniques. In fact, the focus is on “risks” that occur in “projects” which are in turn run by “companies”. Moreover, such dimensions adequately reflect the crucial concept that risk practices can only be selected once a problem is structured and well understood and the application of these instruments depends on the circumstances of the problem, hence on the need to fully comprehend it.
Every specific risky event in a project has its own escalation process characterised by one or more sources or causes, an occurrence, and one or more consequences [35]. Each of these phases requires its own approach to be studied. Sources of risk are analysed by concentrating on their identification, description, and classification (e.g. internal and external causes), the occurrence is defined by the probability and the impact of the risky event, and the consequences are described in terms of time, cost, and quality variance against the expected performance.
Additionally, no practice is perfectly tailored to deal with every risk occurring in the course of a project [22]. Each of the risks faced during a project has its own specificity depending on its position within the project life cycle. For example, throughout the feasibility study, when the main issue is making appropriate strategic choices, the probabilities of occurrence of risks are difficult to be defined because of the still scarce level of information associated with that phase. By contrast, in the following phases risks are mainly related to the consequences of decisions made in the previous steps of the project and their sources, manifestation, and effects can be characterised in a more accurate way. Also, in the late phases of a project a risk may be the effect of other risks that manifested themselves in previous phases.
Besides the phases of the risk management process and the life cycle of a project, a third pillar constitutes the foundation of a sound selection of techniques supporting risk treatment: the reference context of the organisation that develops a project. In particular, this work is interested in the maturity towards risk, that is basically achieved through risk awareness, the consideration that the risk management activity is on the same level as cost, time, and scope management tasks, commitment to high quality of data, systematic implementation of instrument to deal with risk, development of responses to risk, and assessment of the obtained results [38]. The extent to which a company possesses these features represents that cultural bedrock that enables the application of specific techniques to prevent, accept, mitigate or exploit risky events and their effects. In particular, a high
A Framework to Select Techniques Supporting Project Risk Management 73
level of risk awareness, together with appropriate availability of knowledge, make possible to obtain that objective information allowing the quantification of risk.
A selection of support techniques based on the above dimensions represents a strength inside the risk management process because it stimulates the achievement of improved outcomes in terms of time, cost, and quality performance [39].
3.3. Phases of the risk management process
According to Hillson [40], risk management is about finding an answer to six simple questions such as “What do we want to achieve?”, “What might affect us?”, “Which of the things that might affect us are most important?”, “What should we do about them?”, “Did our actions work?”, and “What has changed in the new scenario?”. These questions represent the main issues of the risk management process, which is generally recognised as the process concerned with conducting the following phases: risk management planning, risk identification, risk analysis, risk response, and risk monitoring and control [1].
In risk management planning the objectives and the approach to carry out risk treatment tasks are decided together with assigning resources and time to these activities, with the aim of allowing a smooth conduction of the subsequent phases. Risk identification defines the risks to which the project is exposed and describes their causes and characteristics. The goal of the risk analysis phase, sometimes named risk assessment, is giving an importance priority to the identified risks to enable managerial actions and establishing the overall level of risk exposure of the project. In particular, qualitative risk analysis is focused on determining the probabilities of occurrence of risky events and the associated impacts on project outcomes, the time periods when the risks could affect the project, when it is possible to influence them, and the relationships between risks and cost, schedule, scope, and quality constraints. Quantitative risk analysis operates on those risks that substantially impact the project and numerically evaluates their effects. Risk response starts from the previously identified risks and their significance to develop actions to increase opportunities and decrease threats. Resources and activities are inserted into the budget, schedule, and project management plans. The final phase, risk monitoring and control, is the on-going identification and management of new risks that become known during a project, the tracking of already identified risks, the monitoring of residual risks, the implementation of planned responses as well as the review of their effectiveness, the development of additional actions, if needed, and the formalisation of lessons learned about risk [1,35].
The importance of the dimension of the risk management process phases for selecting techniques to support the treatment of risk is witnessed by the many works discussing instruments for each phase existing in literature. Some of them have been already presented in Section 3.1.
3.4. Phases of the project life cycle
In a similar way as when the risk management process is approached, undertaking a project means tackling some basic questions: “Who are the parties ultimately involved?”, “What do
74 Risk Management – Current Issues and Challenges
the parties want to achieve?”, “What is it the parties are interested in?”, “How is it to be done?”, “What resources are required?”, and “When does it have to be done?”. These questions are answered during the life cycle of a project, which is defined as a systematic way of conceptualising the generic structures of projects into a number of phases that assure better management control [1,13,41].
The project life cycle is domain specific and, because of the complexity and diversity of projects, its breakdown into phases is different based on several factors such as the size (e.g. small or large-scale projects) and the type (e.g. engineering and construction projects or new product development projects) of the project. Four general phases can be associated to the kinds of projects that are considered by this work: conceptualisation, planning, execution, and termination [1,13].The conceptualisation phase regards identifying an opportunity or a need, clarifying the purpose of the project by defining the relevant performance objectives and their importance, formalising the concept of the project, and evaluating its feasibility. The planning phase includes undertaking the basic design, developing performance criteria, formulating a base plan together with targets and milestones, and allocating internal and external resources to achieve the plan. With the execution step of a project action begins: the main tasks here are coordinating and controlling the performing of planned activities, monitoring progress, and changing targets, milestones, and resource allocation as required. Finally, the termination phase involves commissioning and handover, reviewing the lessons learned during the project, and assuring the necessary support to the product of the project until it is discarded or disposed.
It is widely recognised that a structured view of the project life cycle provides a proper frame for understanding major sources of uncertainty, as well as their occurrence timing and impacts, during all its phases [13]. Also, the project life cycle is a natural setting for distinguishing among approaches to risk management. As the life cycle evolves, different information becomes available about the aspects and components of both a project and its environment, such as stakeholders, scope, time, and cost as well as corresponding assumptions and constraints. Therefore, there are more risks at the beginning of a project, while they decrease as the project progresses towards its termination. As a consequence, the greatest opportunity to risk reduction resides in the early project stages. In general, during the conceptualisation phase, decision makers should focus on different sources of uncertainty, such as technological, cultural, social, and economical ones, to make sure about the feasibility of the project [42]. The identified uncertainties should be then taken into account during the planning phase of the project. The risk management process should monitor the changes as well as the new risks emerging in the execution phase and manage the appropriate actions to reduce or eliminate them [1]. Finally, the typical risks in the termination phase are related to the proper maintenance, improvement, and changing needs in light of evolving societal, demographic, operational, or economic conditions.
Since the sources of uncertainty change during the project life cycle, it is vital to understand how the risk management process has to vary accordingly. This consideration supports the need to enable project managers to focus on specific sources of uncertainty in each stage of the project by means of appropriate practices to identify, assess, and treat such uncertainty
A Framework to Select Techniques Supporting Project Risk Management 75
in order to optimise its impacts. In addition, a project life cycle-oriented view of risk management techniques helps to avoid compartmentalisation in approaching risk, which occurs when each participant looks at risks with a single, specific perspective and based on his own goals, irrespective of the other project parties [19].
3.5. Corporate maturity towards risk
The concept of maturity indicates an evolution from an initial state to a more advanced one through multiple intermediate states corresponding to different levels of awareness towards risk and capability to deal with it. The degree of maturity towards risk of an organisation depends on its risk culture, which is stimulated by the available informational context and the type and size of the organisation itself. All these factors also impact on the maturity of the project management process, that may go from basic project management, to the systematic planning and control of a single project, to the integrated planning and control of multiple projects, to the continuous improvement of the project management process [43], which in turn influences how risk management is applied.
Hillson [37] proposes a risk maturity model made up of four stages: Naïve, Novice, Normalised, and Natural. Naïve means that an organisation has not yet captured the need for managing risks and no structured approach is in place for this purpose. Novice defines an organisation that recognises the benefits of managing risk and is actually implementing some form of risk governance but it lacks a formalised process to perform this task. Normalised is the degree of maturity characterised by a formalised risk process included in routine business activities whose benefits, however, are not consistently achieved in every project. Finally, the Natural maturity level denotes an organisation that is completely aware of risk and proactively manages opportunities and threats through consistent risk information. A similar organisation will benefit from improved corporate planning, more transparent relationships with stakeholders, and better global performance [44].
Moving from one level to the upper one in this maturity scale implies that an organisation is willing to perform a more thorough and systemic analysis of the escalation processes of project risks. In order to do that, not only different but also more sophisticated and detailed techniques have to be applied [33,38]. Based on this, it can be stated that the more mature is an organisation towards risk, the more the phases of the risk management process it will implement. Companies with a low maturity degree only limit themselves to risk identification or qualitative risk analysis, while organizations with a higher level of maturity deal with all the stages of the risk management process, including collecting past data to carry out quantitative analysis. Thus, the maturity of a company towards risk and its response to possible consequences are strictly related to the development of the risk management phases.
4. Classifying techniques supporting project risk management
The three defined dimensions characterising the choice of project risk management techniques are here applied to a selection of practices that can be commonly found in both literature and practice.
76 Risk Management – Current Issues and Challenges
First, the focus techniques are briefly described and their strengths and weaknesses highlighted (Table 1).
No. Technique
Description
Strengths
Weaknesses
1 Brainstorming An effective way to generate lots • Improves problem • Prone to the negative
[1,13]
of ideas on a specific issue and then determine which idea–or
analysis by providing effects of personality
more possible
excesses.
ideas–is/are the best possible solution. Ideas about project risk are generated under the leadership of a facilitator.
solutions and unusual
approaches to a
• Difficult to create a
problem.
criticism-free
atmosphere.
• Increases the chances of obtaining an excellent idea.
• Not much structured.
• Involvement of individuals with a variety of backgrounds.
• The smaller problems that can have severe consequences on the project success are not
• Utilises the
identified.
thoughts of others. • Reduced
• Attempts to view participation due to
situations from an dominant
unfamiliar
personalities.
perspective.
• Inhibited
participation due to
inequalities in
expertise [13].
2 Cause and
It identifies the set of unwanted • Helps to determine • Not particularly
effect diagram effects and goes backwards to the root causes of a useful for extremely
trace the causal chain.
problem or of a
complex problems
or
It is also known as Ishikawa or quality characteristic where many causes
Cause
fishbone diagram and is useful in a structured way. and problems are
Consequence for identifying causes of risks. Analysis (CCA)
• Increases knowledge of a
interrelated.
[1]
process by helping
everyone to learn
more about the
relevant factors and
how they relate to
each other.
Chapter 4
Sabrina Grimaldi, Carlo Rafele and Anna Corinna Cagliano
Additional information is available at the end of the chapter http://dx.doi.org/10.5772/50991
1. Introduction
Projects may be conceived as temporary endeavors with a finite completion date aimed at generating unique products or services [1]. Today’s marketplace characterised by fierce competition requires increased accuracy and reduced time and costs in running projects [2]. In such a context, the variability of actual quality, time, and cost performance compared to the expected one crucially impacts on the success of a project and makes risk a central issue in project management [3]. It has been demonstrated that failure to deal with risk is a main cause of budget exceeding, falling behind schedule, and missing performance targets [4,5]. Additionally, in several industries, such as the construction and information and communication technology ones, the growing level of complexity, due to increased size and scope, huger investments, longer execution processes, more required resources, an augmented number of stakeholders, instable economic and political environments, and changing regulations, exacerbates the degree of risk in projects [6]. Therefore, these aspects ask for assessing and controlling risk throughout all the phases of a project. Before going into detail about project risk management, it is beneficial to recall the notions of uncertainty and risk. Uncertainty arises from either the natural variability or randomness of a system or an incomplete information or knowledge of some of its characteristics. In the first instance, uncertainty cannot be reduced by increasing data collection or knowledge, though they are valuable for assessing it, while in the second case a more accurate data collection and understanding are able to decrease the level of uncertainty [7-9]. Project risk is defined as an uncertain event or condition that, if it occurs, has either a positive or a negative effect on project objectives [1,10].
The management of risk is currently one of the main topics of interest for researchers and practitioners working in the field of project management. Different perceptions, attitudes, values regarding risk, needs, project sectors, specifications, geographical, social, economic,
© 2012 Cagliano et al., licensee InTech. This is an open access chapter distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
68 Risk Management – Current Issues and Challenges
and political environments have led to a variety of definitions, concepts, terms, and approaches, all highlighting the need for systematically addressing uncertainty.
Since the Nineties, most of the contributions have focused on the establishment of a risk management process: significant examples are the Project Uncertainty MAnagement (PUMA) process [11],the Multi-Party Risk Management Process (MRMP)[12],the Shape, Harness and Manage Project Uncertainty (SHAMPU) process [13], the Two-Pillar Risk Management (TPRM) process [14],the risk management process developed by the Project Management Institute [1], the Project Risk Analysis and Management (PRAM) process [15], the Risk Analysis and Management for Projects (RAMP) process [16], and The Active Threat and Opportunity Management (ATOM) Risk Process [10].
An effective application of risk management processes is not disjointed from sound enabling instruments. So, another research stream is running parallel to that focusing on the overall risk management structure: the development, implementation, and evaluation of operational means to put in practice risk management [17].
However, in literature there is a scarce systematisation of the actual capabilities of such practices. In addition, there is a lack of frameworks categorising them based on a comprehensive set of the peculiar characteristics of a project, of its management process, and of its surrounding business environment, as well as on the attitude of an organisation towards risk.
In order to contribute to fill this gap, the present work puts forward a taxonomy supporting the selection of the most suitable risk management techniques in any given project scenario, with the aim of fostering knowledge creation about how to treat risky events. The research mainly focuses on projects characterised by the achievement of a final work product not completely defined at the beginning of the project itself, such as in the construction, engineering, and information and communication technology industries.
After discussing the value of communication and knowledge in risk management, a set of dimensions reflecting the most important managerial and operational conditions characterising a project is developed starting from a review of pertinent literature. Widely applied techniques to support project risk management are presented and classified according to the framework. Finally, implications, ramifications, and future research directions are elaborated and conclusions drawn.
2. Communication and knowledge creation in risk management
Identifying and assessing risk sources and their impacts on project activities as well as developing responses to risk rely on a heterogeneous knowledge basis made up of past experiences, skills, and perspectives of involved people. However managing data, information, and in general the knowledge generated during the life cycle of a project is a difficult task and an inappropriate way of doing that may be a cause of failure. In particular, communication about risk is often very poor, even if the interactive process of exchanging information and opinions among all the concerned parties is a critical condition in the risk
A Framework to Select Techniques Supporting Project Risk Management 69
management process to effectively support decision-making [18]. Projects are often organised and managed in ways that create information and communication disconnects. Decisions about risk are made independently from one another according to the different nature of possible risky events (e.g. business, technical, operation, and country-specific) and the interactions among them are not taken into account. Participants in a project do not share a comprehensive understanding of the risks that may affect it and a life cycle view of uncertainty is usually uncommon. This brings compartmentalisation of risks because they are identified, assessed, and controlled by using only one perspective [19]. A structured communication of the objectives, instruments, and findings of the risk management process as well as of the required actions as a result of its output is strongly needed, being organisational and individual learning increasingly important when dealing with risk [20].
Communication among project parties generates awareness of risk and supports knowledge creation about both drivers and effects of uncertainty and approaches to cope with it.
A variety of practices exists to deepen the understanding of causes and consequences of uncertainty [4,21-23]. However, their application is still limited because several organisations do not systematically track past data and performance for this purpose. When there is a substantial lack of explicit information an important source of knowledge is represented by the implicit information held by the so called “experts”. The term expert refers to those people to whom special knowledge about specific issues is attributed and from whom it is possible to obtain information that is useful for risk investigation. The process of extracting information from experts is named elicitation, which is defined as formulating a person's knowledge and beliefs about one or more uncertain quantities into a probability distribution for these quantities [24]. Elicitation of implicit expert knowledge is a core component of qualitative risk assessment, by means for instance of Delphi analysis or SWOT analysis, where it is used to define probability distributions for the occurrence and the impact of risky events.
Another relevant issue in knowledge creation about risk is related to the guidelines on how to approach it. As mentioned, literature offers a wide range of frameworks to identify risk sources, evaluate their probabilities and impacts in both a qualitative and a quantitative way, and set up risk response strategies. Also, there are some attempts to categorise these practices according to the nature of the data they rely on, the phase of the risk management process, the kind of project, or the purpose of the analysis [1,25-27]. However, existing contributions usually focus on just one single aspect and there is a lack of taxonomies that simultaneously look at all the relevant dimensions that should be taken into account when choosing an appropriate means of treating risk. In addition, the terminology used to address risk management practices is somewhat confused. The most common words that can be found in literature are tool, technique, and method but there is no widely accepted definition of these concepts and of the relationships among them in the field of risk management. Sometimes a same practice is referred to with different terms. For instance, while Delphi is generally classified as a technique [1,26], the Failure Mode and Effects Analysis (FMEA) is defined as either a tool [4] or a method [25]. However, determining the exact nature of risk instruments and creating a hierarchy among them help to recognise their
70 Risk Management – Current Issues and Challenges
scope and range of application and allow a more appropriate use at various risk management levels.
How to select the correct practices and capture their actual potentialities is of paramount importance to enhance the knowledge that is necessary to manage in an effective and efficient manner the risk and the associated information throughout the development of a project. Such understanding facilitates a clear view of the critical conditions of a project, thus fostering performance improvement and enhancing trust within the project team [28].
The developed framework focuses on the need for a comprehensive perspective on the factors affecting risk investigation and proposes a taxonomy based on the most significant elements characterising the scenario in which project risk is approached. The aim is assisting in the choice of the appropriate practices according to the level and the purpose of the risk management effort. Since the distinction among the different terms to address risk management practices is not the purpose of this work, they are all referred to as “techniques”.
3. Dimensions for selecting techniques to support project risk management
There are multiple aspects that can be considered when facing the decision about the appropriate techniques to be applied for the purpose of risk identification, assessment, or control. They will be widely explained in the following sections.
3.1. A review of classification criteria
A commonly used criterion suggests looking at the nature of information that is available in a project. Qualitative and quantitative techniques are two fundamental groups applied to risk management. In the qualitative techniques risk assessment is connected with the determination of qualitative scales for evaluating the frequencies of occurrence of risky events and their impacts. They do not operate on numerical data but present results in the form of descriptions and recommendations basically according to opinions and risk tolerance boundaries collected from experts. The qualitative techniques are adopted to prioritise the identified risks for subsequent further action, such as quantitative risk analysis or response planning [1]. Moreover, they are used for determining highly risky areas in a short time, cheaply, and easily. At the other hand of the spectrum, quantitative techniques to support project risk management numerically analyse the effects of risks on overall project objectives in order to elaborate future trends [1,29]. They are applied to give an accurate image of risk that facilitates the cost and benefit analysis during the selection of reduction measures. However, the implementation of quantitative techniques is generally more expensive and requires greater experience than the application of qualitative techniques [30].
Another criterion is choosing techniques to support risk management according to the degree of knowledge about risk and the goal of the analysis. Kmec [27] discusses
A Framework to Select Techniques Supporting Project Risk Management 71
approaches to risk identification for the following situations: the majority of risks are known, the risks have been prioritised, the risk list is short, risks are classified according to some criteria, risks are broken down to build a hierarchy, relationships among risk are investigated, and risk evolution is studied overtime. Also, techniques for risk management differ according to whether the main aim is monitoring economic and financial outcomes, checking quality variance, tracking time delays or estimating the probability of the overall success or failure of a project.
In addition, risk management practices can be distinguished based on how the investigation is performed. Gidel and Zonghero [31] focus on selected techniques and suggest when they are suitable depending whether an analogical, heuristic, or analytic approach is applied to risk identification. With an analogical approach the study of risk mainly relies on the experience coming from the management of previous and similar projects. The heuristic approach uses the project team creativity or expertise through for instance brainstorming sessions. Finally, the analytic approach is typically based on FMEA and Fault Tree Analysis and aims to decompose a system to identify risky events for each sub-system together with their causes and effects.
Also, the nature, size, and phase of the life cycle of a project as well as the kind of associated consequences determine which techniques to support risk management should be used. Some authors highlight that, although risk management should assist in the entire life cycle of a project, it is particularly crucial in the planning stage and its scope and depth increase as the project moves towards the execution phase, while they decrease in the termination phase [13,32]. As a matter of fact, the earlier the risks are identified, the more realistic the project plan and the expectation of results and the more effective the contingency plans both during the development of the project and beyond [1,33].
Other works focus on the strong correlation between the risk profile of a project and its organisation: for instance, different procurement schemes require different risk practices [22].
Furthermore, every single step of managing risks, whether identifying or assessing them, developing response plans, or monitoring their execution, implies a different level of information and detail, thus it requires the application of different techniques. Literature reports numerous classifications of techniques according to the phase of risk management for which they are most suitable [1,34,35].
Finally, the project risk management capabilities of an organisation improve as its risk culture increases. A scarce awareness towards risk drives occasional applications of informal risk techniques to specific projects and problems are dealt with only when they show up. Recognising the relevance of risk, instead, is the condition for proactively managing uncertainty [33,36,37]. As a consequence, techniques supporting risk management require different levels of corporate risk maturity in order to yield the expected benefits and this constitutes a criterion according to which risk techniques may be classified [25].
72 Risk Management – Current Issues and Challenges
3.2. Three dimensions to characterise project risk management techniques
Based on a careful analysis of the characteristics of the techniques supporting risk management proposed in literature and applied in business practice, the authors believe that among the discussed criteria
the phase of the risk management process; the phase of the life cycle of a project; the corporate maturity towards risk;
are the three dimensions that encompass the most relevant aspects for understanding and choosing among project risk management techniques. In fact, the focus is on “risks” that occur in “projects” which are in turn run by “companies”. Moreover, such dimensions adequately reflect the crucial concept that risk practices can only be selected once a problem is structured and well understood and the application of these instruments depends on the circumstances of the problem, hence on the need to fully comprehend it.
Every specific risky event in a project has its own escalation process characterised by one or more sources or causes, an occurrence, and one or more consequences [35]. Each of these phases requires its own approach to be studied. Sources of risk are analysed by concentrating on their identification, description, and classification (e.g. internal and external causes), the occurrence is defined by the probability and the impact of the risky event, and the consequences are described in terms of time, cost, and quality variance against the expected performance.
Additionally, no practice is perfectly tailored to deal with every risk occurring in the course of a project [22]. Each of the risks faced during a project has its own specificity depending on its position within the project life cycle. For example, throughout the feasibility study, when the main issue is making appropriate strategic choices, the probabilities of occurrence of risks are difficult to be defined because of the still scarce level of information associated with that phase. By contrast, in the following phases risks are mainly related to the consequences of decisions made in the previous steps of the project and their sources, manifestation, and effects can be characterised in a more accurate way. Also, in the late phases of a project a risk may be the effect of other risks that manifested themselves in previous phases.
Besides the phases of the risk management process and the life cycle of a project, a third pillar constitutes the foundation of a sound selection of techniques supporting risk treatment: the reference context of the organisation that develops a project. In particular, this work is interested in the maturity towards risk, that is basically achieved through risk awareness, the consideration that the risk management activity is on the same level as cost, time, and scope management tasks, commitment to high quality of data, systematic implementation of instrument to deal with risk, development of responses to risk, and assessment of the obtained results [38]. The extent to which a company possesses these features represents that cultural bedrock that enables the application of specific techniques to prevent, accept, mitigate or exploit risky events and their effects. In particular, a high
A Framework to Select Techniques Supporting Project Risk Management 73
level of risk awareness, together with appropriate availability of knowledge, make possible to obtain that objective information allowing the quantification of risk.
A selection of support techniques based on the above dimensions represents a strength inside the risk management process because it stimulates the achievement of improved outcomes in terms of time, cost, and quality performance [39].
3.3. Phases of the risk management process
According to Hillson [40], risk management is about finding an answer to six simple questions such as “What do we want to achieve?”, “What might affect us?”, “Which of the things that might affect us are most important?”, “What should we do about them?”, “Did our actions work?”, and “What has changed in the new scenario?”. These questions represent the main issues of the risk management process, which is generally recognised as the process concerned with conducting the following phases: risk management planning, risk identification, risk analysis, risk response, and risk monitoring and control [1].
In risk management planning the objectives and the approach to carry out risk treatment tasks are decided together with assigning resources and time to these activities, with the aim of allowing a smooth conduction of the subsequent phases. Risk identification defines the risks to which the project is exposed and describes their causes and characteristics. The goal of the risk analysis phase, sometimes named risk assessment, is giving an importance priority to the identified risks to enable managerial actions and establishing the overall level of risk exposure of the project. In particular, qualitative risk analysis is focused on determining the probabilities of occurrence of risky events and the associated impacts on project outcomes, the time periods when the risks could affect the project, when it is possible to influence them, and the relationships between risks and cost, schedule, scope, and quality constraints. Quantitative risk analysis operates on those risks that substantially impact the project and numerically evaluates their effects. Risk response starts from the previously identified risks and their significance to develop actions to increase opportunities and decrease threats. Resources and activities are inserted into the budget, schedule, and project management plans. The final phase, risk monitoring and control, is the on-going identification and management of new risks that become known during a project, the tracking of already identified risks, the monitoring of residual risks, the implementation of planned responses as well as the review of their effectiveness, the development of additional actions, if needed, and the formalisation of lessons learned about risk [1,35].
The importance of the dimension of the risk management process phases for selecting techniques to support the treatment of risk is witnessed by the many works discussing instruments for each phase existing in literature. Some of them have been already presented in Section 3.1.
3.4. Phases of the project life cycle
In a similar way as when the risk management process is approached, undertaking a project means tackling some basic questions: “Who are the parties ultimately involved?”, “What do
74 Risk Management – Current Issues and Challenges
the parties want to achieve?”, “What is it the parties are interested in?”, “How is it to be done?”, “What resources are required?”, and “When does it have to be done?”. These questions are answered during the life cycle of a project, which is defined as a systematic way of conceptualising the generic structures of projects into a number of phases that assure better management control [1,13,41].
The project life cycle is domain specific and, because of the complexity and diversity of projects, its breakdown into phases is different based on several factors such as the size (e.g. small or large-scale projects) and the type (e.g. engineering and construction projects or new product development projects) of the project. Four general phases can be associated to the kinds of projects that are considered by this work: conceptualisation, planning, execution, and termination [1,13].The conceptualisation phase regards identifying an opportunity or a need, clarifying the purpose of the project by defining the relevant performance objectives and their importance, formalising the concept of the project, and evaluating its feasibility. The planning phase includes undertaking the basic design, developing performance criteria, formulating a base plan together with targets and milestones, and allocating internal and external resources to achieve the plan. With the execution step of a project action begins: the main tasks here are coordinating and controlling the performing of planned activities, monitoring progress, and changing targets, milestones, and resource allocation as required. Finally, the termination phase involves commissioning and handover, reviewing the lessons learned during the project, and assuring the necessary support to the product of the project until it is discarded or disposed.
It is widely recognised that a structured view of the project life cycle provides a proper frame for understanding major sources of uncertainty, as well as their occurrence timing and impacts, during all its phases [13]. Also, the project life cycle is a natural setting for distinguishing among approaches to risk management. As the life cycle evolves, different information becomes available about the aspects and components of both a project and its environment, such as stakeholders, scope, time, and cost as well as corresponding assumptions and constraints. Therefore, there are more risks at the beginning of a project, while they decrease as the project progresses towards its termination. As a consequence, the greatest opportunity to risk reduction resides in the early project stages. In general, during the conceptualisation phase, decision makers should focus on different sources of uncertainty, such as technological, cultural, social, and economical ones, to make sure about the feasibility of the project [42]. The identified uncertainties should be then taken into account during the planning phase of the project. The risk management process should monitor the changes as well as the new risks emerging in the execution phase and manage the appropriate actions to reduce or eliminate them [1]. Finally, the typical risks in the termination phase are related to the proper maintenance, improvement, and changing needs in light of evolving societal, demographic, operational, or economic conditions.
Since the sources of uncertainty change during the project life cycle, it is vital to understand how the risk management process has to vary accordingly. This consideration supports the need to enable project managers to focus on specific sources of uncertainty in each stage of the project by means of appropriate practices to identify, assess, and treat such uncertainty
A Framework to Select Techniques Supporting Project Risk Management 75
in order to optimise its impacts. In addition, a project life cycle-oriented view of risk management techniques helps to avoid compartmentalisation in approaching risk, which occurs when each participant looks at risks with a single, specific perspective and based on his own goals, irrespective of the other project parties [19].
3.5. Corporate maturity towards risk
The concept of maturity indicates an evolution from an initial state to a more advanced one through multiple intermediate states corresponding to different levels of awareness towards risk and capability to deal with it. The degree of maturity towards risk of an organisation depends on its risk culture, which is stimulated by the available informational context and the type and size of the organisation itself. All these factors also impact on the maturity of the project management process, that may go from basic project management, to the systematic planning and control of a single project, to the integrated planning and control of multiple projects, to the continuous improvement of the project management process [43], which in turn influences how risk management is applied.
Hillson [37] proposes a risk maturity model made up of four stages: Naïve, Novice, Normalised, and Natural. Naïve means that an organisation has not yet captured the need for managing risks and no structured approach is in place for this purpose. Novice defines an organisation that recognises the benefits of managing risk and is actually implementing some form of risk governance but it lacks a formalised process to perform this task. Normalised is the degree of maturity characterised by a formalised risk process included in routine business activities whose benefits, however, are not consistently achieved in every project. Finally, the Natural maturity level denotes an organisation that is completely aware of risk and proactively manages opportunities and threats through consistent risk information. A similar organisation will benefit from improved corporate planning, more transparent relationships with stakeholders, and better global performance [44].
Moving from one level to the upper one in this maturity scale implies that an organisation is willing to perform a more thorough and systemic analysis of the escalation processes of project risks. In order to do that, not only different but also more sophisticated and detailed techniques have to be applied [33,38]. Based on this, it can be stated that the more mature is an organisation towards risk, the more the phases of the risk management process it will implement. Companies with a low maturity degree only limit themselves to risk identification or qualitative risk analysis, while organizations with a higher level of maturity deal with all the stages of the risk management process, including collecting past data to carry out quantitative analysis. Thus, the maturity of a company towards risk and its response to possible consequences are strictly related to the development of the risk management phases.
4. Classifying techniques supporting project risk management
The three defined dimensions characterising the choice of project risk management techniques are here applied to a selection of practices that can be commonly found in both literature and practice.
76 Risk Management – Current Issues and Challenges
First, the focus techniques are briefly described and their strengths and weaknesses highlighted (Table 1).
No. Technique
Description
Strengths
Weaknesses
1 Brainstorming An effective way to generate lots • Improves problem • Prone to the negative
[1,13]
of ideas on a specific issue and then determine which idea–or
analysis by providing effects of personality
more possible
excesses.
ideas–is/are the best possible solution. Ideas about project risk are generated under the leadership of a facilitator.
solutions and unusual
approaches to a
• Difficult to create a
problem.
criticism-free
atmosphere.
• Increases the chances of obtaining an excellent idea.
• Not much structured.
• Involvement of individuals with a variety of backgrounds.
• The smaller problems that can have severe consequences on the project success are not
• Utilises the
identified.
thoughts of others. • Reduced
• Attempts to view participation due to
situations from an dominant
unfamiliar
personalities.
perspective.
• Inhibited
participation due to
inequalities in
expertise [13].
2 Cause and
It identifies the set of unwanted • Helps to determine • Not particularly
effect diagram effects and goes backwards to the root causes of a useful for extremely
trace the causal chain.
problem or of a
complex problems
or
It is also known as Ishikawa or quality characteristic where many causes
Cause
fishbone diagram and is useful in a structured way. and problems are
Consequence for identifying causes of risks. Analysis (CCA)
• Increases knowledge of a
interrelated.
[1]
process by helping
everyone to learn
more about the
relevant factors and
how they relate to
each other.