Let's start with the basics, what is risk management? To be more specific, we could also ask what is risk management in a project?
The diverse literature on the matter usually defines risk management, in a generic way, as an organized, structured approach - scientific, we could say - to plan risk management in the environment in which we are operating.
Now, what is a risk? If we stick to Castilian, the Dictionary of the Royal Spanish Academy defines it as "Contingency or proximity of damage." Other dictionaries define it as "Possibility of a mishap or misfortune, that someone or something suffers injury or damage." Applying these concepts to the project environment, we are talking about the contingency or possibility of negative effects on projects.
As can be seen, official definitions imply that risks often adversely affect, or contain the potential to adversely affect, projects.
However, in the project environment and in other environments such as business management, the concept of “opportunity” has been recognized as the risk of something positive happening, and this term also implies the urgency of taking advantage of such opportunity. SWOT analysis (Strengths, Weaknesses, Opportunities and Threats) is widely known, where Threats are the classic risk and Opportunities the risk with positive potential.
This is clearly seen in the Project Management Institute (PMI) approach stated in the Guide to the Fundamentals of Project Management (PMBOK Guide), Chapter 11: “The objectives of managing project risks are to increase the probability and/or the impact of positive risks and reduce the probability and/or impact of negative risks, in order to optimize the chances of success of the project”.
We are now able to answer that risk management in a project is the systematic and organized process to plan the risk management of said project in such a way that the negative effects are mitigated, and the positive ones are maximized.
Said management process, given its quality as systematic, tends to have certain general steps: planning, risk identification, analysis and response.
Planning implies, first of all, knowing the project and selecting an appropriate methodology. You don't need the same tools for a large, complex project as for a small, simple one. If we are going to design and build a large and complex industrial plant with a large variety of specially imported supplies, it may be worth incorporating numerical methods such as the Monte Carlo analysis to study the effects of supply delays; but that approach would be excessive for the construction of a country house.
This planning must also define the criteria that the organization will use to manage risks: strategies, roles and responsibilities, budget and a time frame.
The identification of risks is often the best-known part of the process, since the most common tool is the use of workshops, in addition to expert judgment and brainstorming, among others. Naturally, knowledge of the project, its limits, restrictions and particularities is essential, but one of the most critical components is the correct definition of the risk. The definition must be clear and unambiguous so that the risk is well understood, which allows a better analysis and the design of an optimal response.
It is vital to keep in mind that risk identification is an iterative process and that it must be kept up to date, since risks vary over time and with circumstances, so the risk register becomes a “living” document that requires periodic review.
Risk analysis has two complementary approaches: qualitative and quantitative.
The primary objective of qualitative analysis is prioritization of risks. This makes it possible to know which are the risks on which efforts should be focused in the first place, which are the ones that can be taken care of as second priority and which can be simply monitored for later review and action.
Risk prioritization is done by evaluating the combination of probability and impact, typically with the help of a probability and impact matrix, so that risks can be classified into groups according to the highest or lowest value of said combination.
Naturally we must recognize that the qualitative analysis of risks is a process in which there is a level of subjectivity since it is based on the perception of risk by the participants. The use of an experienced facilitator and the heterogeneity of the participants in the process help reduce bias in the analysis.
It is at the end of this analysis that the "owners" of each risk must be assigned. The risk owner is in charge of designing the individual risk management plan and ensuring that the planned response is implemented.
Quantitative analysis draws on the results of qualitative analysis and differs from it because it seeks to quantify, that is, to express numerically, the combined effect of risks and sources of uncertainty on the project.
It is important to note that this type of analysis is not essential for all projects. Its use is usually reserved for larger or complex projects, for which the quantification effort is worth it, to the extent that the result of said process helps to allocate budget to response plans.
Depending on the complexity, strategic quality, investment amount and other parameters of the project, quantitative analysis can increase its complexity by including high-level numerical tools, risk software, time and resources.
Whether a qualitative or quantitative analysis or both have been performed, the primary objective is risk response planning. This planning consists in the development of strategies, actions and options that allow managing risks during the life of the project, minimizing negative effects and trying to take advantage of opportunities.
In a very basic way, there are four approaches to responding to risks: avoid them, mitigate them, transfer them and accept them.
Avoiding them usually implies changes in the project. For example, if the use of a new technology may have too risky a combination of probability and impact, switching to a proven technology is a valid strategy. This can have effects on the cost of the project and even on the subsequent operational life, but if the risk or, rather, the consequences of its occurrence were too high or unacceptable, the change will have been worth it.
Mitigation consists of taking actions that significantly reduce the negative effects of a risk. Let us imagine that, faced with the risk of a failure in the electrical supply, the response plan has considered the introduction of generation equipment. But this equipment can only meet the basic needs of the project, since supplying the total energy demand would be economically unviable. In this case, and in the event of a power failure, the emergency generator mitigates the risk of stoppage, but does not eliminate it, to the extent that some tasks will lack energy. As we can see, when we mitigate a risk, there is a residual effect. The effect is reduced, but not totally eliminated.
Transfer is a process by which risk is transferred to a third party, usually in exchange for something, typically money. The classic case is that of insurance: we pay for insurance that gives us monetary reimbursement for the estimated value of the damage, less a portion called the "deductible". Insurance is not, however, the only transfer strategy. In construction, many clients transfer the risk of managing unions to the builders. The builders, of course, include in the price and lead time offered the contingencies that they consider appropriate to manage these risks. The statement "in economics there are no free lunches" is very well known. Everything is paid for, or the system does not work.
Finally, there is the acceptance of risk. If the combination of probability and impact is low enough, the project decides not to develop a complex response plan and waits for the risk to occur. This should only be done with risks of very low potential. For example, the probability that a rainstorm will paralyze construction work on the Peruvian coast is too low to develop a contingency plan; something absolutely different from a similar situation in the mountains or rainforest.
However, accepting risk does not imply a passive attitude. An accepted risk must be, at a minimum, monitored. Returning to the case of rain on the Peruvian coast, in the case of an El Niño or La Niña phenomenon, the rains could become significant.
In conclusion, risk management must be understood today as a fundamental tool for the successful management of projects. Its use must be iterative and permanently updated, since the risks, their consequences and control methods do not remain static. The system requires periodic reviews and appropriate and timely adjustments.
In times of change, when agility and economy are needed at all levels, the use of specialized services provides that precise mix of capacity, effectiveness and efficiency that organizations need to succeed.
At DC&R we are able to meet these requirements with professional solvency and the experience of more than 25 years in complex engineering and construction environments for heavy industrial markets of high demand such as mining, gas & oil, or energy, as well as for infrastructure and commerce.
DC&R also offers technical assistance services to businesses that need to interact with engineering and construction companies, from tender and project management to contract administration.