International HRM,DOC

8/7/2019 International HRM,DOC

1/6

Risk management

Risk-managementinfrastructuresT M Williams

All major projects are subject to risk. Current researchhas concentrated on eliciting indiv iduals risk attit udes,and analysing projects to estim ate overall project risk.The paper explains t he need for a risk- managementinfrastructure. Criteria for choosing metho ds aredescribed. Various techniqu es in current use arediscussed. Issues involv ed in mult icompany projects arenoted.Keyw ords: risk management, mult icompany projects,management structures

The risks involved in major projects have been thefocus of much attention in recent years. The techniquesfor monitoring and managing such risk have not been asfully studied. This paper addresses these techniquesfrom the viewpoint of a practising risk manager. Theauthor has some risk management role, in one way oranother, in many of the current major UK navalprojects, above and below water. The paper begins bydescribing project risks and looking at current researchand the need for a risk-management infrastructure.Criteria for choosing methods are discussed, and thensome methods are described. Finally, issues involved inmulticompany projects are noted.

RISKSMajor development programmes are subject to risk inall their phases. Risk means, in this sense, thecombination of individual uncertainties which have animpact on the overall objectives of the project.

It is essential to establish these project objectives.Projects can have few or many objectives; they may bedetailed or broad; they may be well specified orsubliminal. However, virtually all projects have threemain objectives: meeting a particular specification,within an overall timescale, and within an overall cost.

Projects can fail on one, two or three of these mainobjectives. There is a very large set of literaturerelating to project outturns, from early studies such asBAeSEMA, 1 Atlantic Quay, Broomielaw, Glasgow G2 8JE, UK

that by Marshall and Meckling, to later studies such asthat by Baum and Tolbert. Morris and Hough3 haveprepared a fascinating study of major projects, underthe auspices of the UK Major Projects Association, andthey give a very full bibliography. They concentrate oneight recent projects, whose success or failure can beclassified under the three headings above. One project,the (early) Channel Tunnel, was cancelled, and one,the Heysham 2 project, was in a state of flux at the timeat which the study was carried out. The other six can becharacterized as shown in Table 1 (in which a tickdenotes success).

Uncertainty from a huge number of sources combinein many complex ways to produce risk to these overallobjectives. Technical, temporal and financial un-certainties are usually involved, but political orcontractual uncertainties also produce risks, as douncertainties outside the project, either within theparent organization or even outside the organizationaltogether (where, say, the project is one of a numberof parallel developments). The major source in manydevelopment projects is the technical uncertainty in-herent in novel developments; however, this maymanifest itself in activity overruns and overspends aswell as in specification underachievement. It is there-fore necessary to establish the risks to all the projectsobjectives simultaneously. Indeed, management inter-vention often determines the balance between under-achievements of the three objectives, perhaps via

Table 1. Success of projectsProject Success

Time cost SpecificationConcorde

>X X v

Thames BarrierUK Advanced Passenger Train X v XFulmar North Sea Oil Field X d vComputerization of UK Pay asYou Earn tax system

>V d V

Project Giotto

VOI 11 NO 1 February 1993 0263-7863/93/01000546 0 1993 Butterworth-Heinemann Ltd 5


2/6

RISKMANAGEMENT

throwing money at a project to achieve the specifica-tion and timescale while exceeding budget, or finishingon time and budget with an inferior output.

These risks are of particular concern to governmentdepartments, who effect many of the big developmentprojects in the UK. Humphries4 describes the develop-ments within the UK Ministry of Defence making riskanalysis and management mandatory on large defenceprojects, particularly following initiatives by the thenUK Chief Scientific Advisor, Professor Sir RichardNorman, and the so-called Jordan-Lee-CawseyReport.

CURRENT RISK RESEARCH: SINGLEPERSONCurrent research has concentrated on two areas:l individuals attitudes to risk, and the elicitation of

these attitudes by analysts,l the analysis of projects to indicate the degree ofoverall risk.This is not the place to provide a full literature surveyof these areas, and so only a few major texts arequoted.

A full study of managers attitudes to taking risks isdescribed in the book by MacCrimmon and Wehrung.This defines standardized risk situations, and describeshow managers choose options and risk action/outcomebenefits. It also compares various risk measures inthese standardized situations (such as prospect theorye,an important alternative to classical von Neuman-Morganstern utility theory). This discussion is putwithin the context of a manager making a commercialdecision. Over 300 references give a good view of theliterature. One further step taken by this text isconsideration of managers adjustment of risk, byhedging, keeping options open, or delaying until moreinformation is available, rather than by simplyimmediately choosing one of the available riskyoptions, as suggested by simple models.

The uncertainty involved in real risk situations is, ofcourse, usually unknown, being epistemic rather thanaleotoric. To put decisions on a rational basis, analystsneed to elicit probabilities and probability distributionsfrom experts. Formal methods need to be used toensure consistency and uniformity in this exercise. Thenow classic paper on this subject, which describes inparticular the SRI method for probability encoding, isby Merkhover. This again gives a good review of theavailable literature, and covers important aspects ofbias and motivation, problem structuring, and the useof extra information such as distributional data andregression towards the mean.

Concerning the second point listed above, on projectanalysis, considerable research has been undertaken onthe accumulation of uncertainties to produce temporalrisks to a project. Chapman et al. lo provide a discussionof some methods for time and cost planning, and thechoice between them. Cooper and Chapman expandthis, concentrating on the CIM method. Williams2discusses the practical problems involved in an analyticmethod, and describes the RiskNet approach; this

6

paper begins to recognize the combination of time, costand technical risks. which is discussed further below.

NEED FOR RISK-MANAGEMENTINFRASTRUCTUREMuch of the research has thus concentrated on indi-vidual project managers (e.g. Reference 5 deals with anindividual managers attitudes and actions), or analysedprojects for a homogenous client. In actual projects, anumber of people are involved, and, in major problems,a number of corporate entities are involved. (Hailldescribes this oversimplification as the myth of thedecision maker). Therefore, a risk-management infra-structure is essential, to ensure that the following actionstake place.

Risks are continuously monitored.Top-level studies have a rational basis.Risks are controlled, risk-reduction actions areimplemented, and optimum use is made of risk-reduction resources.Reporting on risks and risk sources flows correctly upthe management structure.Direction on action plans for risk reduction andcontingencies flow correctly down the managementstructure.Problems and potential failure in a project are flaggedas early as possible (cancellation possibly beingallowed to avoid large nugatory costs4).

This is particularly the case because decisions are notusually one-off go-no-go decisions. They are madeover a period of time, with assessments and subdecisionsoccurring sequentially (see, for example, Reference 13),requiring a dynamic, reactive management infra-structure.

An effective risk-management infrastructure alsoprovides the correct place for risk analysis within theoverall project management. Simply analysing risk andthen managing it (see, for example, Reference 14) is notsufficient. Embedding risk analysis within an effectiveinfrastructure ensures that its results are accepted andacted upon. This may then answer the critics of riskanalysis, who say that either risk analysis is not usefuland that management should just live with the riski3, orthat good project management implicitly includesgeneric strategies for minimizing risk so that separaterisk analysis is unnecessary (see Reference 14), or thatrisk analysis is useful but frequently not accepted.

An effective risk-management infrastructurebecomes even more important when a project is beingcarried out not by one corporate entity, but a consortiumor community of companies. This is becoming morecommon, particularly in the defence industry, and theauthor has been a project risk manager or analyst on anumber of such projects.

CRITERIAWhat criteria should be applied when planning such astructure, choosing whether a more or less formalsystem is appropriate, and choosing whether a simpleror more complex system is more appropriate?

International Journal of Project Management


3/6

RISKMANAGEMENT

Risk-management structures provide two benefits:clearly, a mechanism for ensuring that risks areanalysed and managed,a means of communication across a complex projectstructure, providing a common currency15 for suchcommunication, and ensuring monitoring and controlof risk (see Coo Per and Chapmans framework ofcommunication ).

The type of structure developed depends on thediffering requirements for these two components:A project that is low-risk, highly serial, or short induration, or whose risk is owned by another party,tends to have a low requirement for the first benefitabove. Conversely, a risky project (e.g. a newdevelopment) with a highly uncertain environment,highly parallel or very long, or whose risk is whollyowned by ones own organization, tends to have a highrequirement for the first benefit above.A project that involves many parties in consortia orcontractor/subcontractor relationships, or even asingle company spread over many divisions and/orsites (each party possibly only having a view of part ofthe project), has a high requirement for the secondbenefit above. Conversely, a small tightly knit projectteam, the members of which generally know theproject status, has a low requirement for the secondbenefit above.

This relationship is shown in Figure 1, which also showsthe frequency with which such projects have beenfound by the author to occur in practice.The key word in approaching the first benefit aboveis ~ex~bifity. The achievement of effective analysisrequires an approach that is able to encompass thecomplex interacting uncertainties that are inherent inthe real world, which may not fit a standardizedstructured package-based method.The key word in approaching the second benefitabove is formality. The achievement of effective riskcommunication where there is a high requirementneeds a structure of pro formas for enquiring,reporting and instructing, and a formal system forreview and decision taking. Typical methods aredescribed laterteam, implying in this Da6er. WA mall integrateda low req;irement for this, would

HighRequirement forsecond benefit :communication

Hiah riskLow riskSerialShortOutside riskownershlpI

UncertainenvironmentParolleiLong

.I

HighRequirement for first benefit :analysis, man~ment

Figure f. Re~~tio~s~ip between ~~~pone~ts

Specificationdoto

ISpec~fxxtlon - riskassessment

Figure 2. Role of risk register

Progmmme

assessment

Vol 11 No 1 February 1993 7

view the imposition of a complex formal system asunnecessary and intrusive.SINGLE-COMPANY CASEA risk infrastructure within a single homogeneouscompany serves as an integrating factor in drawingtogether analysis of the specification, temporal and costuncertainties. Risk acts as a common currency15,enabling these three aspects to be considered in a singleintegrated analysis.The most common administrative device for keepingtrack of these risks is the use of a risk register: asimple collection of risk statements, each pro forma,containing, for example,

the owner of the risk,the estimated likelihood of its occurrence,the project objectives on which it impacts (e.g.scheduling, cost, some specific specification orperformance measure), and the estimated severity ofits impact,work-breakdown items and/or PERT activities influ-enced,possible contingency plans, to prepare for the eventof the risk occurring,secondary risks or knock-on effects.An easy extension of this idea is the generation of themost important risks into a key-risk list or a key-riskagenda, as described below.The central role that the risk register plays in therisk-assessment process is shown in Figure 2. The risksin the register that impact on each of the three mainobjectives can be combined to show the risk to thatobjective. In particular, the following are true.l The combination of uncertainty and costs to give anoverall cost risk assessment is well known and notunusual6. Stochastic spreadsheets assessed numeric-ally by simulation and distribution-convolutionmethods are commonly used.o Methods of combining uncertainties to give anoverall assessment of risk to specification or perform-ance measures can use similar additive methodswhere the measure (such as the weight of a finalproduct) is easily quantified. Otherwise, morequalitative analysis will display information graphic-ally, for example on probability-impact grids (see


4/6

RISK MANAGEMENTFigure 3), and summarize the existence or non-existence of risk reduction or contingency actions.

l Combining time risks is not an additive process,but the effect of uncertainty on PERT diagrams is wellknown7,2. BAeSEMA use their RiskNet softwareto provide flexibility in modelling* rather than apackage which restricts the analyst to simple un-certainties in activity durations.

This assessment capability needs to be embeddedwithin a management structure. The key to integratingthe management is the risk-management committee(RMC). This is a committee that consists of perhaps therisk manager, the project manager, and one each of theline-management functions representing the three riskobjectives (e.g. the programmes manager, the cost-control manager and the chief engineer). This enablesassessments to be coordinated and decisions to bemade. Regular meetings of this committee provide thebasis for the cycle of risk-analysis activity.

Risks can be detected as being top-down (i.e.looking at the project as a whole), or as being bottom-up (i.e. looking at individual items). The formerensures an overview and the inclusion of super-itemrisks, while the latter ensures coverage. Methods needto be established to track each of the top-down andbottom-up risks for each of time, specification andcosts. Typical methods used by BAeSEMA are shownin Table 2.l Networking is the core technique used by the

project-management team. When extended toinclude probabilistic effects, networking alsoprovides the basis for probabilistic risk assessment,such as RiskNet analysis. The discipline of networkconstruction requires management to consider:o the activities required for the project,o a range of possible outcomes for the project, and

not just the most likely outcomes,o where dependencies can be dispensed with, to

increase parallelism.The activity-review system is run by the project-management team, and it monitors individualactivities on a regular basis. Activities are defined inan activity register, by a hierarchical level of work-breakdown structure. Risk in these individualactivities is then investigated, identified and con-trolled by the development-team managers. Report-ing takes place regularly, on a structured pro formabasis. to the project-management team.

High

Impact

LawLikelihood

High

Figure 3. Probability-impact grid

l Key-risk agenda: This is a list of strategic issueshighlighted as key risks. Its purpose is to focusmanagement effort. Items are added or removedfrom the list at regular RMC meetings.

8 International Journal of Project Management

Table 2. Some methods

Time cost Specification FacilitatingTop-down RiskNet Stochastic Functional + Influence

Networks spreadsheets development diagrams(stochasticspreadsheets)

t T TBottom-up Activity WBS Functional

assessment progress assessmentreporting

The risk-reduction process is driven by two mainoutputs from the RMC:

In order for the core team to monitor the ongoingdevelopment of the functional capability of thesystem, the senior technical team is charged withcarrying out functional-development assessments atresult intervals. This is based on broad functionalareas of the system. The method cannot stand alone,as many dependency and temporal issues are notaddressed, but ito addresses the broader issues that apply across a

whole functional area, but which might be difficultto attach to any one of the component activities inthe project network.

o helps to establish risk-minimization effort.The functional-attribute review system is run by thesenior technical team. Technical performance para-meters are listed on an attribute register. These aretypically drawn from the cardinal point specification,although they also include secondary attributesrepresenting inhouse subgoals of interest. Specifictechnical performance measures are defined for eachparameter so that its progress can be monitored bythe development engineers on a formal pro-formabasis. The reporting is to the senior technical team.The risk team, as decision analysts, also havespecialized techniques to assist in structuring theproblem. One example is the use of influencediagrams, which can show the various influences thatbear upon the risks. The systematic study of suchdiagrams can show important chains of effects orpositive feedback loops. It can also promote usefulbrainstorming relating to the project networkstructure. Work with influence diagrams is generallyinformal, but it probably uses a decision analyst (afacilitator). If the structure of the influencesbecomes significant, there are tools to assist in theanalysis of these decisions: for a structural analysis,COPE assists in building influence diagrams anddemonstrating causal chains; where a more numericalanalysis is required, STELLA or stochastic spread-sheets can be used by risk analysts to give anintegrated overview.


5/6

RISKMANAGEMENT

l Action-effectiveness monitoring: To keep a formalrecord of the actions instigated by the RMC, and tomonitor whether they have been implemented andwhether they have been effective in reducing risk, arisk action register is maintained, and a suitable proforma is used for the reporting of implementationand outcome. Progress on an action is considered asthat action occurs on the key-risk agenda at the RMCmeeting.

Risk management also provides an essential input totradeoff analyses (see, for example, an early paper byStarr and WhippIe). The benefits of an action ordesign option need to be balanced with costs in terms offinancial cost, time and specification disbenefits.Indeed, the risk-management process described abovegenerates possible actions in the form of risk reductionand contingency plans, and these need to go throughthe tradeoff analysis process.

MULTICOMPANY CASEThe infrastructures described above obviously needsome modification when more than one company orparty is involved in the project. Critical to thismodification is the relationship between the companies,and in particular whether they are essentiallyl equal, i.e. in a consortium, largely sharing the risk,

or0 unequal, i.e. in a principal/agent or prime contractor/

subcontractor relationship, with one largely bearingthe risk.

These two cases are dealt with in turn in this section,the former more briefly than the latter.The consortium case is intrinsically no different from

the single-company case. The higher dispersion of theproject and the increased need for an audit trail for anydecision made, strengthen the requirement for a formalrisk-management system (and not simply a risk-analysissystem (see, for example, Reference 14)). Indeed, thecriteria described above suggest that a more formalsystem should be used in this case. Within this system,the risk analysis should be an integrated holisticanalysis, to provide a common basis for the assessment.Although there is not necessarily any intrinsic pressuretowards secrecy or confidentiality, it is still necessaryfor the risk analyst to try to normalize the opinions thathe/she elicits. There are well-documented psychologicaland decision-theoretic techniques for debiasing experts(in particular, see the famous paper by Merkhover).Other standardizing methods can also be drawn on,such as

the use of independent experts, who can be seen tohave no interest in the contracting parties,the use of historic data to calibrate the results (aMeridian document is a good US source document,Pugh et aI. make some comments on UK aero-nautical projects, and Morris and Hough3 provide auseful bibliography),the single risk analyst, him/herself acting as anormalizing factor.

The principal/agent or prime/subcontractor relation-ship adds an extra dimension. Considerable researchhas gone into the nature of this relationship, forexample Eisenhardts agency theory (although shepoints out that risk is an issue that researchers shouldfocus on as a next step). This relationship has becomea particularly important topic in the defence world, asdefence ministries seek to transfer risk to industry.Thus, some naval programmes in Australia, forinstance, are understood to have been contracted on atime and performance specification, with liquidateddamages on shortfalls, so that the risk falls on the primecontractor. Similarly, Ministry of Defence policy in theUK is moving towards contracts in which risk istransferred to the prime contractor. It needs to bepointed out, however, that two areas of risk areconsiderably increased by this route:

While the risks of not meeting the written specifica-tion are transferred to the prime contractor, thecontracting party needs to specify exactly what isrequired, and the risk of unforeseen performancebehaviour, or outcomes that are not what wasoriginally intended, fall on the writer of the specifica-tion.The project is likely to fail if the prime contractorceases to exist. Prime contractorship requires aconsiderable financial base, but prime contractorshipcan also exacerbate problems that otherwise couldhave been contained to such an extent that acompany crashes.

In such a situation, the prime contractor can beexpected to charge a risk premium, to cover costoverruns, delays to payment points or damages ondelivery performance. However, this means the follow-ing:l The prime contractor must be able to quantify the

risks, and be confident in the answer, including risksinherent in the subcontractors.

l The procuring party must be able to assess thereasonableness of this premium, and to justify thepremium internally.

This increases the need for a formal, normalized,calibrated risk-management infrastructure. Inparticular, it increases the need for visibility andavailability. Quantification of the time, cost andspecification risks become important, and written key-risk agendas and risk-action registers become a meansof communication between the parties.

CONCLUSIONSThis paper has highlighted a gap in current research:the mechanisms and management infrastructure formanaging risk within projects. A start has been madeby defining some criteria for choosing an infrastructureand describing some techniques that have been foundto be useful in practice. Some of the issues presentwhen more than one company is involved have beendiscussed. It is hoped that this paper will be a spur tofurther research and discussion, to help those involvedin risk management to be more effective.

Vol 11 No 1 February 1993 9


6/6

RISK MANAGEMENT

REFERENCES1

2

3

4

5

6

7

8

9

10

1112

1314

Marshall, A W and Meckling, W H Predictabilityof the costs, time and success of developmentReport P-1821 Rand Corporation, CA, USA (1959)Baum, W C and Tolbert, S M Invest ing in Develop-ment Oxford University Press, UK (1985)Morris, P G and Hough, G H The Anatom y ofMajor Projects: A Study of the Reality of ProjectManagement John Wiley, UK (1987)Humphries, D E Project risk analysis in the aero-space industry in Project Risk Analysis in theAerospace Industry Royal Aeronautical Society,UK (1989) (Proc. Roy . Aeronaut. Sot. Conf.(1989))MacCrimmon, K R and Wehrung, D A TakingRisk s: The Mana gement of Uncertaint y Free Press,USA (1986)Kahneman, D and Tversky, A Prospect theory: ananalysis of decision under risk Econometrica Vol47(1979) pp 263-291Oakes, M Stat istical Inference - A Comm entary forthe Social and Behavioural Sciences John Wiley, UK(1986)Kahneman, D, Slavic, P and Tversky, A (Eds.)Judgement Under Uncertaint y: H euristics and BiasesCambridge University Press, UK (1986)Merkhover, M W Quantifying judgemental un-certainty: methodology, experiences and insightsIEEE Trans. Syst . Man. & Cyber. Vol SMC-17 No5 (1987) pp 741-752Chapman, C B, Phillips, E D, Cooper, D F andLightfoot, L Selecting an approach to project timeand cost planning Int. J. Project Manage. Vol 3(1985)Cooper, D F and Chapman, C B Risk Analysis forLarge Projects John Wiley, UK (1987)Williams, T M Risk analysis using an embeddedCPA package Int . J. P roj. M anage. Vol8 (1990) pp84-88Hall, W K Why risk analysis isnt working LongRange PZanning (Dee 1975) pp 25-29Ward, S C and Chapman, C B Extending the use

151617

1819

20

21

of risk analysis in project management Znt. J. Proj.Manage. Vol 9 No 2 (1991) pp 117-123Charette, R Softw are Engineering Risk Analy sis andManagement McGraw-Hill (1989)Treasury Green Book Guide HMSO, UKRitchie, E Network based planning techniques: acritical review of published developments in Rand,G K and Eglise, R W (Eds.) Further Developmentsin Operational Research Pergamon Press, UK(1985)Starr, C and Whipple, C Risks of risk decisionsScience Vol 208 (1980) pp 1114-1119Preliminary analysis of technical risk and costuncertainty in selected DARPA programs DARPAReoort 4287 Meridian Corporation, Falls Church,VA, USA (1981)Pugh. P. Acorn. A G and Ball, D Who can tell what0, I 7might happen? A review of methods for riskassessment in Project Risk Analysis in the Aero-space Industry Royal Aeronautical Society, UK(1989) (Proc. Roy . Aeronau t. Sot . Conf (1989))Eisenhardt, K M Agency theory: an assessmentand review Acad. Manage. Rev. Vol 14 No 1 (1989)pp 57-74

Terry W illiams is a principalconsultant for BAeSema (MarineDiv ision ), UK, in operational re-search. He specializ es in problemsinvolving uncertainty, usingstatisticslprobability, simulationand, particularly, project riskmanagement (PRM ). He beganPRM business i n 1985, carryingout seminal work in assessing riskw ithin major projects and theirmanagement and control. Hedeveloped the protot ype projectrisk-analysis tool RiskNet. In aw ide range of majo r developm entprojects, main ly i n defence, he nas carried out and led riskassessment s and advis ed on risk-m anagement infrast ructures. Heacts as risk manager on major m ulti company defence contracts,w ith roles in many of the current major naval programmes. Hestudied at Oxford and Birmingham, UK, and has published wi dely.

10 International Journal of Project Management

International HRM,DOC

Documents

Transcript of International HRM,DOC