Risk management: Preparing for the worst

The increasing reliance of businesses on complex technology has placed greater demands on the building infrastructure that supports them. With 24/7 operations, business continuity requires an understanding of how technology is itself dependent on the facility infrastructure — facilities, systems and support equipment. And because a disaster may affect the whole firm, senior managers need to understand enough about the risks and relationships to take the right decision.

New build and refurbishment projects have very specific risks because responsibility for the development of the infrastructure is so often assigned to an army of consultants, specifiers and engineers. Even good design can be subverted by operational failures and it is all too easy for complex teams to lose sight of the needs of the occupier.

More organisations are now turning to project risk management teams to ensure they get a building that will not let their business down.

In April 2000, corporate risk consultants at BSC Consulting were brought in to provide project risk management consultancy for the design and build phases of a critical computer room supporting international operations for one of the world's largest pharmaceutical companies BSC was contracted on behalf of the company to ensure that there was no mismatch between the brief — a computer room and services with 24/7 operations — and the finished project.

Risk workshops
The arrival on the scene of the risk consultants mid-way through the project was understandably met with a certain amount of opposition by the project team. However co-operation from the entire team and the development of a positive risk culture were essential for the project's success.

Past experience indicated that this can be best achieved through workshops focusing on specific areas of risk.

The workshops were designed to create a forum for the team to consider the wider implications of the initial design compared with the realities of a changing construction programme.

The first workshop addressed the theory of 24/7 operations and the practicalities of achieving resilience. The workshop focused specifically on single points of failure, generator back up, dual electricity supplies and UPS back-up.

A series of 12 further workshops were delivered on:

• air conditioning
  
• power distribution
  
• power generation
  
• A/C controls and BMS
  
• UPS
  
• computer room power
  
• water systems
  
• earthing
  
• fire & sprinkler systems
  
• security
  
• commissioning & construction phase
  
• phased occupation.

At each workshop risk issues were raised, discussed and recorded. A dependency model was built with an easy-to-use front end to allow both the project team and the occupiers (the client) to understand the dependencies and risks as the project proceeded. This common view allowed decisions to be taken with a clear understanding of the risks entailed and how those risks could be managed.

Dependency model
The dependency model developed by BSC uses traffic light controls, which are easy to understand and provide an effective audit trail. Without needing to understand the technical issues, senior management can see at a glance where the project is proceeding well (green), where there are problems (red), and where identified risks are managed (amber).

With a single model, the business can identify which systems and items of equipment are essential to its operations. It is then a matter of including in the model the 'soft' human systems, which support these operations.

The result
By the end of the last workshop more than 100 risks had been identified. These were added to the dependency model and also to the supporting operational risk schedule which provided more complex analysis — for example, a description of the problem, recommendations, comments and the owner (the person or people responsible for action).

Some of the risks raised are common to many projects and included, for example:

stand-by power. A compromise had been made (for cost reasons) to have a single standby generator specifically for the communications suite. The contingency, in the event of a failure of the standby generator, was to couple in the site generator. However, it was calculated that in an emergency it would not be possible for this to be completed in time — there would need to be considerable load-shedding from the site generator and the electrical coupling would be counted in hours rather than minutes.

water tank. The planned location of the water tank adjacent to the switchroom was also identified as a risk issue. In particular it was identified that a hole (accidental or deliberate) in the water tank would have shut down the whole building since the principal exit route for the water would have been into the switchroom.

cooling plant. The workshops also identified that the cooling plant could not be operated if there was a failure of the automatic controls since an easy manual override/control had not been built in. This was a risk because any slight changes in the humidity or temperature could adversely affect the functioning of the computer machinery.

fire systems. Although the building was split into several sections it was identified that a small fire in any part of the building would have automatically switched off the cooling system in the computer room due to the design of the fire links. The addition of a dedicated computer room fire system linked intelligently to the main building fire system was raised as a more practical solution. In this way only fires which posed a direct threat to the computer room would bring about the suspension of the room's air conditioning system.

Conclusion
The combination of risk workshops and the development of a single dependency model enabled the project team to focus on what had to be completed to minimise risk to the business. The model identified all outstanding work and unresolved issues that would increase the risks. It also allowed these risks to be managed to an acceptable level in order that the project would be 'business safe' at hand-over.

For the client this approach offered a formal method for indicating where the project was adding risk to the business. Without needing to understand the technical issues, senior management could see at a glance how the project was proceeding and the link from the technical problems to the needs of the business allowing them to concentrate on critical issues.