Risk Management  

by Scott W. Cullen, MRICS
Hanscomb Consulting


In design and construction, risk analysis can be described as a systematic methodology and ongoing process by which occurrences that may substantially affect the end product (i.e. risks) can be identified, quantified, modeled, managed, and monitored. This tool is especially useful as a method of good project management and planning, because the business of building is inherently risky—the risk mitigation methods can be applied to project cost, schedule, quality/performance, safety, and business operations. Good risk management procedures ultimately measure the team's confidence level in the project on an ongoing basis, and allow the introduction of corrective actions, monetary contingency, and schedule float in order to minimize losses to the project and increase the likelihood of the project being completed on schedule and within budget.

The application of risk management procedures in construction can give early visibility to potential "problem areas" and opportunities, where effort and money can be expended early in the design and construction phases to reduce vulnerability, insurance costs, business or mission interruption, and claims. Early risk identification ensures that design and team effort is concentrated in critical areas, focusing the project team's attention on actions and resources where there is a major risk exposure, or where the greatest time/cost savings can be made through reengineering and streamlined project management. The objective is proactive management of projects, where problems are reduced as they are identified, as differentiated from the traditional approach to construction, which waits until critical problems develop and then implements an immediate (and typically expensive) response which may reduce the impact to the project but likely does not avoid losses as effectively as early risk response. Over time, risk management allows the project team to build a historical profile of risk based upon experience and lessons learned, which will allow for better management of future projects.

In essence, risk management is an organized method of identifying and measuring risk and then developing, selecting, implementing and managing options for addressing those risks. There are several types of risk that an owner should consider as part of risk management methodology. These include:

  • Schedule risk
  • Cost risk
  • Contractual risk
  • Health & Safety risk
  • Reputational risk
  • Organization/mission risk
  • Technical feasibility
  • Building performance risk (i.e. the intended return on investment in a system doesn't materialize)
  • Risk of technical obsolescence
  • Dependencies between a new project and other projects
  • Physical events beyond direct control

Risk management seeks to identify and ultimately control possible future events and should be proactive rather than reactive. To be effective, risk management must rely on tools and techniques that help predict the likelihood of future events, the effects of these future events and that provide methods to deal with these future events. While a large project or program of work will often require a specialist risk manager, the concept of Risk Management should really be considered the responsibility of everyone involved in a project.

Risk Mitigation and Monitoring

Risk mitigation and the development of appropriate response actions is often the weakest part of the risk management process - the ongoing management and monitoring of identified risks and the addition of new risks to the model, require constant vigilance.

When managing risks, there are several risk strategy options to be considered. Risks may be avoided entirely (usually by eliminating their cause or root), transferred to another party (through contracts or insurance), or exposure to the risk can be reduced (through planned action measures). Acceptance of the risk should be considered only as a last resort, and should only be applied for items that cannot be addressed by any other strategy.

For each risk item, an achievable target risk reduction goal should be set, and proactive steps or action items identified by which the goal can be attained. The mitigation steps must be appropriate, cost-effective, and achievable. The development of these steps should encourage problem solving and innovative solutions, with the objective of avoiding the risks or reducing their impact as much as possible. When discussing action items, it is important to remember that interpretation of each risk will differ from person to person, with the recommended course of action varying according to the person or organization's perceptions of project management, objectives, environment, experience, and risk tolerance level. Similarly, opportunities can be discussed, and steps or action items developed which can increase their probability of occurrence or their level of impact.

In addition to creating action items for the risk, the risk manager may want to ask the following questions:

  • What is the root cause or trigger for this risk?
  • Does this risk have an impact on business, or just on the project?
  • How will we know when the risk has occurred?
  • What will happen if the risk occurs?
  • How are we currently handling this risk?
  • What steps can we take to better manage or mitigate this risk?
  • What should we do if we fail to manage this risk?
Sample risk assessment sheet with identificatin fields, description fields and risk reduction fields

Figure 1. Sample risk assessment sheet with action items

The risk assessment sheet (RAS), or Risk Entry Form, is the appropriate place to record all known information about the risk. The RAS can also be managed in a database environment, such as MS Access, or within the project management software being utilized on the project.

The risk management cycle graphics showing Identify, Analyze, Plan, Implement, Reivew

Figure 2. The risk management cycle

The risk management process or program is typically driven by a single individual, the project risk manager, in concert with the project manager or other high-level oversight. Individual accountability for risks can be assigned, such that each risk has its own manager. Updates from the risk managers are collated on a periodic basis by the project risk manager, and added to the model.

Risk management is an ongoing and iterative process, which should be conducted throughout the lifecycle of the project. Each risk manager must review all of their risks on a monthly basis or more frequently, and update the risk assessment sheets, even if only to note that there has been no change.

Tools and Techniques

Paying attention to detail and implementing appropriate cost and schedule control systems will assist in risk analysis and management. Best practice guidelines in this area include the Risk Management Standard by the Institute of Risk Management, the Practice Standard for Project Risk Management by the Project Management Institute, and Risk Analysis and Management for Projects by the Institution of Civil Engineers. A key element is to develop levels of confidence around various financial outcomes, sometimes known as Confidence Modeling. This assists in the calculation of appropriate levels of contingency to be included at each stage of the project life cycle.

A technique to accomplish this is the use of range estimating as a risk analysis tool. Range estimating can be done in a rather simple fashion by selecting the 20 percent of the line items in an estimate that represent 80 percent of the cost then developing a range for each of those 20 percent and doing a simple process of adding the low and high ranges.

A more advanced approach could take the same 20 percent items, establish the range and then use any one of several available software packages to perform a Monte Carlo simulation (which is a problem solving technique used to approximate the probability of certain outcomes by running multiple trial runs, called simulations, using random variables) and produce a risk profile. This approach would give a more accurate projection of the logical highs and lows involved with 20 percent drivers. A sensitivity analysis can also be prepared to vary the key risk parameters. Read more.

Finally, it is possible to use a complete risk analysis package that includes range estimating and prepares a risk profile that estimates confidence ranges and contingency amounts. This type of an approach can establish contingencies for not only individual projects but for entire programs.

Monte Carlo or risk analysis is used when establishing a baseline or baseline change during budget formulation. The contingency developed from the Monte Carlo analyses should fall within the contingency allowance ranges presented previously.

Monte Carlo analyses and other risk assessment techniques use similar methodology to obtain contingency estimates. There are a number of software packages both publicly and commercially available. The estimator must subdivide the estimate into separate phases or tasks and assess the accuracy of the cost estimate data in each phase. After the project data have been input and checked, the software will calculate various contingencies for the overall project based on the probability of project underrun. The random number generator accounts for the known estimate accuracy. Once the program has completed its iterations (usually 1,000), it produces an overall contingency for the project with certain accuracy.

The application of this type of quantitative risk analysis allows the construction project exposure to be modeled, and quantifies the probability of occurrence and potential impact of identified risks. The results can be used to produce a realistic representation, in graphic s-curve form, of the project's total uncertainty and risks. Referring to the s-curve figure below as an example, a contingency amount of approximately $3.54 million on top of the base estimate amount of $46.7m represents 65% confidence in achieving that project cost. For 80% confidence, contingency should be increased such that total project cost is $51 million.

Sample project cost s-curve

Figure 3. Sample project cost s-curve

Risk management with probabilistic modeling can be used to reduce project contingency from a guesstimate of 10-20% to a quantitatively determined amount, typically in the range of 3-8%. Consistent with broader quality management principles, the team can make data-driven decisions specifically for that project, as opposed to relying on past rules-of-thumb. As the project progresses, and the confidence level in project cost increases, the early release of contingency amounts may be achieved and the money may be invested elsewhere.

Risk status communication and awareness must occur regularly as a normal part of project meetings, so as to note changes to existing risks. The risk probability of occurrence may increase or decrease, as may the time and cost impacts. Changes to the estimate line items, such as updated equipment quotes or actual costs, must also be updated in the model. As action items are implemented and the original risks are reduced, additional "secondary risks" may arise, which need to be added to the model. As design and construction progress, new risks will also be identified. Changes in scope can also be accommodated in the risk model, through analysis of their overall effect on the outcome of the project. The steps of identify-quantify-model-manage need to be taken for all new risks, secondary risks, and changes in project scope.

The nature of construction is such that, as time passes, the range of minimum and maximum expected values narrows, and confidence level in the most likely value increases, for each modeled risk item. This causes the project s-curve to straighten out, and its location to move to the right or left as exposure to risk either increases or decreases. The project risk manager must thus regularly review and update the risk model, and re-run the risk simulation.

Sample project cost s-curve after several iterations

Figure 4. Sample project cost s-curve after several iterations

As the project risk is being monitored, the data and trends can be collected and compared against the baseline risk assessment. From these trends, progress can be measured and "lessons learned" can be documented. The information can also be stored as historic risk data for future projects.


Risk management is a proactive project management tool used to reduce the susceptibility to losses incurred during a course of action, which leaves an auditable trail of changes. The process focuses project resources on reducing vulnerability, providing early visibility of potential problem areas and creating mitigation actions.

Good risk management should involve the entire project team, including design, engineering, business, contracts, finance, purchasing, estimating, and project controls. The process is ongoing, a never-ending cycle and iterative process of identification, quantification, modeling, management and monitoring. The analysis can include identified risks, estimate and schedule items, new risks, secondary risks, scope changes, change orders, and actual costs, so as to provide a graphic depiction of the changing nature of project risk over time.

As mentioned above, risk management with probabilistic modeling can be used to reduce project contingency from a guesstimate of 10–20% to a quantitatively determined amount, typically in the range of 3–8%. As the project progresses, and the confidence level in project cost increases, the early release of contingency amounts may be achieved and the money may be invested elsewhere, resulting in a more cost-effective project or program.

Major Resources