By David Webb
Risk is usually seen as being threats to project outcome. LR Consultants see risk management as the avoidance and mitigation of threats and the promotion of opportunities. This approach is designed to increase project returns, delivers higher predictability and therefore creates more certainty of outcome.
Change is the father of risk
Almost every imaginable risk has already happened, we know how to identify them, we know how to manage them; but we still miss them! If nothing changed managing risk would be easy; we would be able to learn from the past, avoid any pitfalls and take every opportunity. Unfortunately, change happens all the time and projects are particularly vulnerable.
Project activities change continuously. We start with a concept, which develops until we test and commission the completed project. We can directly influence the project delivery risks, but we must also address external risks such as political change, economic climate, market and supply capacity, etc. which we cannot influence.
The recent Boeing 737 Max debacle illustrates that adopting new technology must be subject to intense review. Weaknesses in the control software were missed. Return to the operation dates has been delayed several times. Leaks to the media suggest a dysfunctional management culture.
When the London orbital road, the M25, was complete it already had too little capacity. The design brief was wrong.
The Santa Monica Freeway opened two months early only three months after the 1994 LA earthquake. Opportunities taken included; cutting red tape, working round the clock, powerful incentives and world-class project management.
“We aim to put a man on the surface of the moon and bring him safely back to earth by the end of the decade,” JFK promised this in 1960 and NASA delivered the seemingly impossible project. It was helped by a bottomless pit of funding, but ingenuity, motivation and enthusiasm took the opportunity given.
A systematic approach is vital
Although almost every imaginable risk has occurred there is no-one who has experienced even a small fraction of these. Even the most experienced project team cannot rely on their combined experience. However, if the project adopts a systematic approach to risk management, integrated into the project delivery processes, success rates increase dramatically. Without a systematic approach key threats and opportunities will be overlooked.
There are four key risk management activities:
- Identification
- Assessment
- Control
- Monitor
These must be repeated at each key stage and kept up-to-date during each stage.
There are many risk identification methodologies available. During the early stages, a workshop using a checklist may be sufficient; providing the workshop participants, between them, understand all aspects of the project. Detailed design requires an approach that considers each element of the design in turn and how they interact with one another.
Hazard and Operability (HAZOP) Studies are widely used in the process industries. HAZOP has been adapted for use in other industries for example; the rail industry. These studies are updated throughout the project taking into consideration any changes that have happened or are expected.
Example of a risk identification tool:
This “Risk Rainbow” is designed to help identify risks under different categories. Each category is supported by a checklist. It is designed to prompt the user to identify risks.
The depth of risk assessment is influenced by the stage and nature of the project. The assessment considers the likelihood and potential impact of each risk. The assessment will identify the individual levels of threats and opportunities and the overall risk; these data can be used to target controls where they will be most effective.
In the early stages, or for low hazard projects, widely available data may be sufficient; this may be in-house, insurance, or other general data sources. High hazard projects require extremely detailed assessments during the design and engineering stages, for example, nuclear power stations, petrochemical plants or aircraft. Some projects may need to meet regulatory requirements which will influence the methodology.
The appropriate level of control can be difficult to establish. It can be tempting to layer controls on top of one another where the risk is high. However, there is a diminishing rate of return and escalating costs and in some cases, the risk may actually increase. There are a variety of tools available that help design controls such a Failure Modes and Effects Analysis, Event and Fault Trees, “Swiss cheese diagrams”, etc.
The Swiss cheese diagram is used to illustrate how a selected set of controls are effective against different hazards. Only if all controls fail to “block” the hazard will the event occur. It helps select the most effective control set.
A common issue is failing to monitor risk management effectiveness. Indicators are needed to monitor performance; leading indicators provide a warning that controls are beginning to fail, lagging indicators measure failure. Examples of leading and lagging indicators include projected cost vs cost to date; the percentage of workforce safety trained vs injury rates. Audits by management and internal audit teams can check that controls are in place, in particular management controls.
As previously mentioned, projects change continuously, the key risk management activities must be repeated at each stage. Also as previously mentioned the methodologies may be different at each stage.
Integration into management processes
The best risk management is integrated into day-to-day business and management processes. If it is “standalone” it can be ignored. The integration should add as little bureaucracy as possible otherwise it will be resented and avoided.
Risk management can also take advantage of other project activities including QA/QC, audit, HSE, HR, accounts, etc. All of these will have management and business processes into which risk management activities can be integrated. Quality Assurance procedures are a particularly good example. QA ensures processes are in place to deliver the project to specification, schedule and budget, these processes include many risk-related activities such as; budget and schedule control, equipment specification, installation quality, etc.
It is also possible to integrate risk management with project IT systems. Budget and scheduling software is often capable of including risks in their estimates. There are risk management modules offered by enterprise software (ERP) suppliers such as SAP and Oracle. Specialist risk management software usually offers more comprehensive solutions, and many can link to ERP software. All of these will reduce the hours required to deliver risk management.
All of these processes must adapt and change as the project moves forward. Risks become more fully defined and the number of risks increases as the project develops. The business and management processes controlling the risks must be updated.
Risk Management must be seen to add value
Risk management has a cost, however well integrated it is into other processes; there will be workshops to attend, reports to prepare and actions to take. This will not happen unless the project team is convinced it will add value. This starts with top-level commitment. Project executives need risk information to inform their decisions. If executives demand this information their subordinates will use risk management to provide it.
A significant challenge is to show that risk management is improving performance. This is often about publicity; reporting on newly identified risks, their potential impact and the measures taken to address them. Examples of failures in other projects can also be used to demonstrate the benefits.
Independence and reporting
The risk management function must be independent of the project delivery teams. They must be free to report risk without influence. This is often addressed with parallel reporting lines to the project chief executive and a corporate risk management team. Following the Gulf of Mexico disaster, BP introduced separate reporting lines for safety management.
Risk management generates a huge amount of data on risks and their potential impact. Even on a medium-sized project there may be several hundred risks. Reports need to help the reader focus on where the action is needed and will be most effective. A common approach is to report the “top ten” risks and the status of their controls; this is useful but will account for only a small portion of the overall risk.
A powerful approach is to show the “inherent” risk, without controls, and the “residual” risk with controls in place. For projects, this should focus on schedule, budget and final performance. This approach was used for a £23 bn UK government project across 26 departments, the reports allowed the prime minister and chancellor to identify weaknesses and shortfalls in department projects. Ministers and senior civil servants quickly learned that they needed to bring action plans to their meeting with the PM!
Experience counts
Although no-one has seen everything, experienced managers are key to success. These managers will have seen risks come to fruition and will value the benefits of good risk management. The risk team must also include staff with experience of comparable projects or operations. However, this is not always possible and external experts can be used to review arrangements and contribute to the development of the risk management programme.
Successful risk management helps maximise project returns. LR Consultants have a team that helps their clients achieve this.