APC Trainer on... Risk Management (T077)
From understanding risk, to helping clients manage it
Construction is fraught with risk – whether it’s the risk of busting the budget or a design that doesn’t work. So the risk management (T077) competence of the APC is crucial. In the exam, the assessors will test you on your understanding of risk and how to handle it. At Level 1 you have to show an appreciation of the nature of risk and a knowledge of common risk items in the candidate’s area of practice. The level 2 competence focuses on your ability to undertake risk assessments and demonstrate knowledge of risk-related tools and techniques. Finally, level 3 tests you on your ability to advise clients on effective risk management processes for a specific project.
Question Can you explain to me your understanding of the nature of risk and give me some examples of key risks that might be relevant to projects in your area of expertise?
Sample Response Part 1 – The Nature of Risk
In the sample response we have followed the two part structure of the question. Starting with the nature of risk, the examiner is looking for a clear explanation of the core risk management principles. There is no specific order in which these should be presented and the candidate may wish to note that risk management is a broad subject with varying definitions depending upon the context. For example the terminology in risk management in construction varies to that used in financial investment risk management.
• Definition of Risk – The term risk is often used to describe a future event which may or may not occur. However, risk can be thought of in a broader context which is that risk is any uncertainty related to a future outcome. The candidate may wish to refer to a standard definition such as this one from the APM “An uncertain event that if it occurs has an impact on the project objectives”.
• Types of Risk – There are two broad types of uncertainty commonly looked at on projects:
o Risk Events, which are the chance that an unplanned event may or may not happen in the future, for example the chance of encountering an obstruction during an excavation.
o Uncertainty of estimating, which is a variance in the outcome of a planned event, for example the variance in the purchase price of steel which will be procured in two years time for a project.
• Types of Impact – The impact of a risk can take a number of different forms, with the key project impacts being; cost, time and performance. There are, however, other impact types such as damage to reputation or safety risk. It is important when undertaking risk assessments to ensure the most appropriate impact types are evaluated.
• Positive & Negative Uncertainty - Many people think of risk as being only events that have a negative impact on a project. However when thought of as ‘uncertainty’, then risk outcomes can have a negative or positive impact on the project.
• Risk Quantification - Risk is often defined as the combination of the probability of an event occurring and the consequence should that event occur. The probability is often described as a percentage with the impact defined in terms of cost or time. This is the basis of the simplest form of risk quantification but there are a range of more complex techniques available.
• Mitigation – The main reason for looking at risks to a project is to consider how they can be mitigated and the likelihood of a project achieving its objectives increased.
Sample Response Part 2 – Typical Risks
Turning our attention to the second part of the question, the candidate is asked to explain some typical risks applicable to their area of experience. This is only competence level 1 and so the candidate may wish to pick a relatively simple example project around which to frame their response. For example, they may have experience in the rail sector and explain that they will highlight some of the key risks associated with the replacement of a bridge structure. In this example, key risks to consider at the start of the project would include:
• Certainty of as-built information for the existing structure
• Condition of the existing structure
• Unforeseen ground conditions
• Agreement of adjacent owners to secure land for a worksite
• Availability of key rail related resources to input to the design
• Technical approvals
• Possession availability
• Possession overrun
• Disruption to train services during and after works
Question Can you please talk me through how you would approach the assessment and quantification of risk on a typical scheme with which you are familiar?
Because this question is based around a sample project, the various tools and techniques may vary to suit the scenario and so the candidate should clearly outline the type of scheme being used as the example and the perspective they are taking on the project. For our sample answer, we will take a mixed-use development where the client is seeking a project level risk assessment at the outline design stage (i.e. excluding investment appraisal commercial risks).
Risk Assessment Process – The candidate should first outline the risk assessment process which in this case would generically follow the following steps:
• Risk identification
• Risk evaluation
• Risk response
• Risk quantification
There are a number of common ways to identify risk on a project such as this and a thorough appraisal may combine several of the following approaches:
• Structured Interviews with key parties involved in the project
• A risk workshop with a brainstorming activity involving the professional team, client and end user representatives. To keep these sessions focussed it would be common to use prompt headings to focus the team in turn on different areas of risk.
• Risk checklists which can be used to draw on common risk types identified on previous schemes
• Research into recently completed projects of a similar nature
The first stage of any approach to identifying risks is to establish a clear understanding of the project scope, stakeholders and objectives and thus what desired outcomes may be at risk. In this scenario, a suitable approach would be a structured interview with the client followed by a workshop with the professional team. Checklists may then be used to ensure all common risk types have been considered.
Risks would normally be subsequently documented in a risk register which is often in a simple excel format, although there are more complex risk software systems available. It is important that risks are captured in the register with both a clear short title for ease of reference but also a more detailed description of the cause, event and likely impact that may occur.
The first level of risk evaluation is normally a qualitative assessment which is often undertaken in a workshop forum. Each risk is evaluated in terms of both its probability and impact using a three or five point scale. It is important that this scale is supplemented by some definitions so that when one person assesses a risk as a ‘high’ impact, the whole team have a common understanding of what that equates to in terms of time, cost etc. For example, a ‘high’ cost impact may be defined as a cost impact of between £100,000 and £500,000.
Although a range of impact types can be evaluated, it would be most common in this type of evaluation to focus on commercial impacts. Risks that have a time or performance impact would be converted into a financial form, for example a one month delay in opening of the scheme could be equated to the cost of running the project office for an additional month together with the loss off one month’s rental income.
Once qualitatively evaluated, the risks would be ranked by multiplying their probability and impact ratings in order to get an overall risk rating. The risks can then be sorted by risk rating so that the team can focus their efforts on mitigating the most potentially damaging areas of risk. When risks are later recorded in a risk register, a risk matrix showing impacts and probabilities on two scales (e.g. a 5x5 matrix for Very Low to Very High scores) is also usually created, that displays the risk ratings for all combinations of probabilities and impacts. Different ratings are then simply colour coded, usually red for highest ratings, amber for middle ratings and yellow/green for lowest ratings, to give a quick visual display of risk ratings.
Another valuable form of risk evaluation is to categorise risks by business area or source of risk. Clients often have set categories to apply to assist their understanding of the nature of the risks being carried by different projects and to help validate ownership of risk responses.
Using the risk rating as a prioritisation guide, the risk manager or the professional team (in a workshop forum) can then look at how to respond to the various risks. The overall aim of the risk response is not to eliminate all risk, but to find the most commercially advantageous way of responding to each identified issue.
In considering the risk response, the team must take account of the cost / time impact of the mitigation prior to any decision being taken. There is little point in spending more money on mitigating a risk than the cost that may be incurred from the risk itself if it should occur. Risk responses can be generically grouped into a number of categories:
• Reduce Uncertainty – Take action first to eliminate uncertainty if reasonably possible and cost-effective to do so to allow better evaluation of a risk and thus an improved decision regarding its mitigation.
• Eliminate – Take action to eliminate the risk, for example by altering the design to eliminate the feature which is causing the risk.
• Reduce – Take action to reduce either the probability or impact of the risk, for example undertake additional site investigation to reduce the chance of encountering unforeseen ground conditions.
• Transfer – Transfer the risk to another party, for example transfer the risk of sourcing specialised labour to a supplier through the formal contract put in place with them. The team need to take care when using risk transfer as there will normally be a cost associated with the transfer and it is rare that total transfer can be achieved. For example if a contractor carries the risk of timely delivery, although the client may levy penalties if they are late in completing the project, the client is still impacted by the disruption and reputation damage of the delay. The most common forms of transfer are contractual risk transfer and insurance.
• Tolerate – If the risk is of a low impact then it may be cost effective to tolerate the risk and deal with the consequences if and when the risk materialises.
• Contingency – For risks that cannot be fully mitigated or eliminated it is prudent to allow a time and cost contingency in the planning of the project to minimise the overall impact on planned outcomes should the risks occur. This contingency can be estimated based on industry norms and experienced judgement. However it is more appropriate on major schemes, and mandatory with certain clients, to use a more formal risk quantification exercise to determine a suitable contingency level. The careful evaluation of contingencies is a key element in robust project planning.
More than one type of response may be required to manage an individual risk and / or, one response may assist the treatment of several risks. It is very important that for every risk an owner is assigned responsibility to ensure that responses are fully developed and that individual response owners are identified with action due dates for those responses.
There are a number of ways to quantify risk, ranging from the more simplistic ‘expected outcome’ approach (where the commercial impact of each risk is multiplied by the probability and the results totalled) to more sophisticated quantitative analysis. The most common of the more sophisticated methodologies is Monte Carlo analysis which is undertaken using one of a number of specialist pieces of software. Monte Carlo analysis essentially requires the user to define the nature of each risk / area of uncertainty in mathematical / numeric form to create a risk model. Risk software is then used to run a large number of iterations (in the order of 5000 iterations) of the risk model. Each of these iterations effectively represents one scenario of how the project may outturn based on a ‘random’ sampling of the risks which is influenced by the various probabilities and risk profiles defined in the model. These scenarios are then statistically analysed to provide confidence levels associated with certain project outturns being achieved. For example, the risk model could be used to evaluate the confidence level associated with the project being delivered within a certain budget level. The analysis can also be used to determine appropriate levels of contingency and to also analyse the sensitivity of the project outturn to various risks or combinations of risks.
In this scenario, the Monte Carlo analysis could be used to determine the potential financial impact of the identified risks and thus the prudent level at which to set the risk contingency. Different organisations have varying policies as to what level of confidence the contingency is set, but an 80% confidence level is common. This means that based on the analysis, there is an 80% probability that the financial impact of the identified risks will be within the specified level of contingency.
As with risk identification, risk modelling is not an end in itself. The purpose of such analysis is to enable a deeper understanding of project uncertainty and thus better inform decision making.
Question On the project you referred to in the Level 2 answer, what advice would you give to the client regarding suitable systems for the ongoing management of risk?
The level 3 question probes the most important area of risk which is the forward management and reduction of the identified risks. Many clients have their own risk management procedures and systems with which any consultant will be expected to comply. The purpose of these procedures is to ensure consistency in how risk is dealt with across the organisation and in some cases to enable centralised reporting on risk exposure and action implementation.
Assuming that the client for the mixed-use development case study does not have prescriptive systems, then the candidate can give a general overview of a typical ongoing project risk management process. Key elements to this would include the following:
• Risk Management Plan – The project should have a concise Risk Management Plan that sets out how risk will be managed through the life cycle of the job, the systems that will be used, the timing of key reviews and the input required by the various parties. The Risk Management Plan may be a section within the Project Execution Plan and should itself have a clear owner.
• Risk System – It is important that risk information is held in a controlled and structured way accessible to the project team. There are various software systems on the market for managing risk information, however for a single project these tend not to be cost effective and the training requirements become a barrier to use. Thus for this scheme, a simple excel based risk register would be appropriate. The register would capture all the key information such as; risk descriptions, coding, impacts, categorisations, ratings, mitigation responses, action owners, due dates and the like. This can be held by the Project Manager and distributed monthly with the normal project reporting cycle, or it could be loaded onto any project extranet that was being used by the team so that people have continuous access to the latest information.
• Risk Ownership – Whilst the client ultimately carries many of the project risks, a Risk Owner should be assigned to each risk, this owner being the person best able to implement the mitigation actions identified and thus control the risk. Risk Owners are assigned responsibility for delivery of the risk mitigation actions.
• Ongoing Action Delivery – The key element of the risk management plan is following through on risk mitigation actions and it is normally recommended that the risk register has the ability to be sorted by risk action due date. The actions due can then be reviewed as an integral part of the regular project meeting cycle focussing in on issues that are key at that particular stage of the project.
• Periodic Review – The Risk Management Plan will also set down when, in addition to monthly action updates, the risk register should have more of a formal review to identify new arising issues and share knowledge on the updated risks. The reviews may be undertaken in a workshop forum and would be timed with key points on the delivery life cycle. Typical review points would be placed:
o Early in each key phase (to promote proactive risk mitigation)
o Towards the end of each phase (to ensure capture of risk information prior to moving forward and for inclusion in forward contingency budgets)
o At key milestones and/or approaching key risk events or action dates
o When new parties join the team (such as when the contractor is appointed)
o At close out (to review the effectiveness of mitigation measures and identify any issues to be communicated to the end user).
APC Trainer's advice is intended as guidance only and should not replace your own study