CONSTRUCTION RISK

MANAGEMENT

BQS 5209
 DEFINITION OF TERMS

Risk
• Darnall and Preston (2010) define risk as a
possibility of loss or injury
• Cooper et al. (2005) define risk as an exposure
to the consequences of uncertainty.
• PMI, 2013 defines risk as an uncertain event or condition
that, if it occurs, has a positive or negative effect on one
or more project objectives such as scope, schedule, cost,
and quality
• This definition of risk considers existence of both positive and
negative consequences of risk.

• ISO 31000, defines risk as an effect of uncertainty on

objectives, in which the effect signifies deviation from
expected in positive or negative way by accepting the
possibility of existing opportunities
According to Project Management Institute (PMI),every
risk has a cause and, if it occurs, an effect.
As such management of risk in construction projects is
very important as it helps in achieving project objectives
Risk Management
• It is defined as a systematic method of identifying
analysing , treating and monitoring the risk involved in
any activity or process
• It consists of maximizing the chances and the impact of
positive events while minimizing the probability and the
impact of negative events, in order to meet the project
objectives
• The process assists project managers in setting priorities,
allocating resources, and implementing actions that reduce
the risk of a project not achieving its objectives
• It is one of the nine knowledge areas propagated by the
Project Management Institute (PMI).
• It is probably the most difficult aspect of project management
• A critical component of any winning strategy
• It is a management tool(it aims at identifying sources of risk and uncertainty,
determining their impact, and developing appropriate management responses)
• It can also be thought of as a decision-making process,
as it follows the project from planning stage to the end
and is updated as necessary
 RISK MANAGEMENT PROCESS

There are different methodologies and standards in risk

management.
• These standards and methodologies provide major
steps for practising risk management
Methodologies and standards in risk management
Standard / methodology Description
PMBOK The most common handbook to project
management issued by PMI
ISO 31000- 2009 An official standard on risk management which
consists of collections of standards related to
risk management made by the international
organisation for standardisation
AMA handbook of project management A handbook to project risk management issued
by the American Management Association
ATOM (Active Threat and Opportunity A book describing a novel approach to project
management) risk management
GOWER The structure of the book is based on
International Standard ISO 31000 and some
from the PMBOK
A practical implementation approach A book which takes a lot from the PMBOK but
(Bissonette) adds on author’s experience and knowledge to
complete the PMBOK published in 2016
Steps in risk management according to PMBOK
 Risk management planning;
 Risk identification
 Qualitative risk analysis
 Quantitative risk analysis
 Risk response planning
 Risk monitoring and control.
Risk management Planning
• This is a plan of how risk management will be
conducted.
• Thus determining a plan for managing risk on a project
• The purpose of the process is to create a risk
management plan
• This plan is a subsidiary of the project management
plan, and it’s the only output of this process
• The plan details how risk management processes will be
implemented, monitored, and controlled throughout the
life of the project
• The planning process ensures that
Appropriate amount of resources and time are allocated for
risk management activities
Bases for evaluating risk has been agreed upon

• The process is based on other project management

documentation such as:
Project charter
This is a formal, typically short document that
describes the project in its entirety — including
what the objectives are, how it will be carried out,
and who the stakeholders are.
It is a crucial ingredient in planning out the project
because it is used throughout the project lifecycle.
 Project management plan
 It is a document that provide a comprehensive baseline
of what has to be achieved by the project,  how it is to
be achieved, who will be involved, how it will be
reported and measured and how information will be
communicated
 The document is developed as part of project initiation
and definition, it should be a living document that
evolves as the project progresses and is updated with
the latest relevant information as required.
Inputs to Risk management Planning are as follows:
• Enterprise environmental factors
• Organizational process assets
• Project scope statement
• Project management plan
Enterprise Environmental factors
 These are environmental factors either internal or external to
the project that can influence project success. 
 The factors are not within the control of the project team but
they need to plan for them
• One of the key elements of environmental factors is risk
tolerance levels and risk attitude of an organisation and
stakeholders
• Organizations and individuals have different tolerances and attitude for
risk, normally expressed in policy statements or revealed in actions.

• e.g. One organisation might believe that the risk of a potential

7% cost overrun is high , while another might think that its low
• It is important for the P.M to understand the tolerance level of
the organisation as well as the stakeholders before evaluating
and ranking the risk
• Risk tolerance
 It is the willingness of an organisation to accept or avoid a risk

• Risk attitude
 It is the chosen state of mind or mental view about risk.
 The risk attitude of organisations and individuals are determined by risk appetite and risk
threshold.

• Risk appetite 
 It is the level of risk that an organization is willing to accept to reach its goals and
objectives.

• Risk threshold 
 It is the level of impact, typically a clear figure, beyond which the organization will no
longer tolerate the risk
Organisational Process Assets
• These are lesson learned from the previous projects
which build on the knowledge base of the company
• Some organisations have predefined standard
approaches; risk categories; methods of analysis; roles,
responsibilities and authority levels for decision making;
methods for qualitative and quantitative risk analysis.
• This also includes policies and guidelines that might
already exist in the organisation
• Organisation risk management policies are any policies
that are considered when planning for risk

• The standard approach must be adapted to each project by the

project manager or the risk management team.
Project scope statement
• This serves as a baseline document for defining the
scope of the project deliverables, work which is needed
to accomplish the deliverables, and ensuring a common
understanding of the project’s scope among all
stakeholders
Project management plan
• This is a formal, approved document used to manage
project execution.
• It documents the actions necessary to define, prepare,
integrate and coordinate the various planning activities.
• The PMP defines how the project is executed, monitored and
controlled, and closed.
• It is progressively elaborated by updates throughout the
course of the project.
Contents of a risk management plan may vary but in general may
contain
• General information
• Methodology- Defining approaches, tools, and data sources that may be
used to perform risk management
• Roles and responsibilities
• Risk management Budgeting
• Risk management Timing and Scheduling
• Risk categories
• Definitions of risk probability and impact
• Probability and impact matrix
• Project stakeholder tolerances
• Reporting formats etc
 RISK IDENTIFICATION
• It is a process that involves identifying all the risks that
might impact the project, documenting them, and
documenting their characteristics
• It determines what might happen that could affect the
objectives of the project, and how those things might
happen.
• The process, attempts to identify the source and type of
risks.
• The process continually builds on itself as the project
progresses and develops the basis for the next steps
• Risk identification must be comprehensive, as risks that
have not been identified cannot be assessed, and their
emergence at a later time may threaten the success of
the project and cause unpleasant surprises.
• The risk identified are then assembled into a register
which is later used for risk response planning
• In order to identify risks, project managers start with risk
categories
• Risk categories are part of organizational process assets.
Every organization should have standard lists of risk categories
and it can be retrieved from achieves of already executed
project.

• Risk categories are a specific way of grouping risks

under a common area which provides a structured &
systematic approach in identifying risks to a consistent
level of detail.
 risk categories enable a greater management focus, thought,
provoking, and increasing the opportunity of identifying a wider
range of risks
 improve the effectiveness & quality of the risk identification &
analysis processes
 Grouping risks by common root causes which can lead to
developing effective risk responses
• Generally, risks to the project can be categorized by
 sources of risk (Schedule, Scope etc)
 the area of the project affected i.e. using Work Breakdown Structure(WBS)

• Other useful category include project phases

Broad categories that can be used to identify risk are:
• External: Government related, Regulatory, Environmental, Market related.
• Internal: Service related, Customer Satisfaction related, Cost related, Quality
related.
• Technical: Any change in technology related

• Risk categories can also be represented in a structured way into

a Risk Breakdown Structure (RBS).
• The RBS is a hierarchically organized depiction of the identified
project risks arranged by risk category and subcategory that
identifies the various areas and causes of potential risks
Risk Breakdown Structure
TOOLS AND TECHNIQUES FOR RISK IDENTIFICATION

Brainstorming
• It is probably the most often used technique of the Risk
Identification process.
• It involves getting subject matter experts, team
members, risk management team members, and
anyone else who might benefit the process in a room
and asking them to start identifying possible risk events.
• The facilitator can use the categories of risks to get
everyone thinking in the right direction.
 Documentation reviews

• Documentation reviews involve reviewing project plans,

assumptions, and historical information from a total
project perspective as well as at the individual
deliverables or activities level.
• This review helps the project team identify risks
associated with the project objectives.
 Information gathering techniques

• Information gathering encompasses several techniques,

including brainstorming, the Delphi technique,
interviewing, root cause identification, and strength and
weakness analysis.
• The goal of these techniques is to end up with a
comprehensive list of risks at the end of the meeting.
 Delphi technique

• A team of experts is consulted anonymously.

• A list of required information is sent to experts,
responses are compiled, and results are sent back
to them for further review until a consensus is
reached.
• It also helps prevent one person from unduly
influencing the others in the group
 Interviewing

• An interview is conducted with project participants,

stakeholders, experts, etc to identify risks.
• They provide possible risks based on their past
experiences with similar projects.
• The WBS and a list of assumption will help participants
to think in the right direction
 Root cause identification/ analysis
• The process involves digging deeper than the risk itself
and looking at what the cause of the risk is.
• This helps define the risk more clearly, and it also helps
later when it’s time to develop the response plan for the
risk.
Strengths, weaknesses, opportunities, and threats
(SWOT) analysis

It is a technique that examines through each of these

viewpoints (SWOT) the project itself, project management
processes, resources, the organization, and so on.
• It helps to broaden the perspective of where to look for
risks.
 Checklist analysis
• Checklists are usually developed based on historical
information and previous project team experience.
• They allows for quick and easy identification of risk
• However, checklists can not be relied on solely for Risk
Identification as some important risk might be missed
• The checklist can be improved at the end of the project
by adding the new risks that were identified.
 Assumptions analysis

• Assumptions analysis is a technique that involves

validating the assumptions identified and documented
during the course of the project Planning processes.
• The assumptions are used as a starting point to further
identify risks.
Diagramming Techniques
There are three types of diagramming techniques used in Risk
Identification
cause-and-effect, system (Ishikawa or fishbone)
• Cause-and-effect diagrams show the relationship between
the effects of problems and their causes.
• This diagram depicts every potential cause and sub cause of
a problem and the effect that each proposed solution will
have on the problem
• The technique uses a diagram-based approach for thinking
through all of the possible causes of a problem.
• This helps in carrying out a thorough analysis of the
situation.
• There are four steps to using Cause and Effect system:
 Identify the problem in terms of threat and opportunity
 Work out the major factors involved.
 Identify possible causes for each factors.
 Continue refining the diagram until satisfied that the diagram is complete.
 And analyze the diagram
• This diagram is also called a fishbone diagram or Ishikawa
diagram
The system or process flowchart diagram
• Shows the logical steps needed to accomplish an objective,
how the elements of a system relate to each other, and what
actions cause what responses.
• This flowchart is usually constructed with rectangles and
parallelograms that step through a logical sequence and allow
for “yes” and “no” branches (or some similar type of
decision).
Influence diagramming.
• Typically show the casual influences among project
variables, the timing or time ordering of events, and the
relationships among other project variables and their
outcomes.
• Simply put, they visually depict risks (or decisions),
uncertainties or impacts, and how they influence each
other. impact delivery time, and delivery time is a
variable that can impact when revenues will occur.
Outputs of risk identification process

• The process of Risk Identification results in creation of

Risk Register.
Risk Register
• A Risk Register is a living document that is updated
regularly throughout the life cycle of the project.
• It becomes a part of project documents and is included
in the historical records that are used for future
projects. 
• Each risk is assigned a specific risk owner who is
responsible for the risk reduction actions.
• Each risk is assigned a specific risk owner who is
responsible for the risk reduction actions.
• The risk register includes:
• List of Risks
• List of Potential Responses
• Root Causes of Risks
• Updated Risk Categories
•  
• The risk register includes:
• List of Risks
• List of Potential Responses
• Root Causes of Risks
• Updated Risk Categories
 RISK ANALYSIS
• Risk analysis is a stage in the RMP where collected data
about the potential risk are analysed.
• Risk analysis can be described as short listing risks with
the highest impact on the project, out of all threats
mentioned in the identification phase
• In the analysis of the identified risk, two methods are
used
 Qualitative
 Quantitative
 QUALITATIVE RISK ANALYSIS
• This is a process that involves ranking risk according to
their impact level and probability
• The process gives a strong understanding of most
important risk to focus on
• After qualitative analysis a probability and impact
matrix is produced in order to have a clear picture of
the risk and their importance
• Qualitative risk analysis assesses the impact and
likelihood of the identified risks and develops prioritized
lists of the risks for further analysis or direct mitigation.
• Qualitative risk analysis is usually done by conducting
workshops or interviews so that expert opinion can be
gathered
• The methods are based on descriptive scales, which are
used for describing the likelihood and impact of a risk.
• These scales dependent on the specific details of the
project.
• The rating scales are used to create a Risk Matrix 
which help in categorizing the Risk Level for each
risk event.
• Risk Matrix is a tool that help to determine the
risks that one need to develop a risk response for.
• The first step in developing a RM is to define the
rating scales for likelihood and impact
RATING LIKELIHOOD DESCRIPTION
1 Very Low Highly unlikely to occur. May
occur in exceptional situations.
2 Low Most likely that it will not
occur. Infrequent occurrence in
past projects.
3 Moderate Possible to occur.

4 High Likely to occur. Has occurred in

past projects.
5 Very High Highly likely to occur. Has
occurred in past projects and
conditions exist for it to occur
on this project.
RATING IMPACT COST SCHEDULE
1 Very Low No increase in No change to
budget schedule
2 Low < 5% increase < 1 week delay
in budget to schedule
3 Moderate 5-10% increase 1 - 2 weeks
in budget delay to
schedule
4 High 10-20% increase 2 - 4 weeks
in budget delay to
schedule
5 Very High > 20% increase > 4 weeks delay
in budget to schedule
• Example of a Probability and
impact risk matrix
• The company’s level of risk tolerance determines the
placement of the colour squares.
• Companies, or projects, with a high appetite for risk will
have a smaller area covered by red and orange squares
than those who are risk averse (reluctant to take risk)
• Typically, risks falling in the red and orange squares
necessitate further action.
• The risk matrix must be finalised, and agreed to, before
proceeding to later steps in the risk management process .
• Using the RM and Rating Scales, it is possible to
analyse the likelihood of each risk event occurring and
its impact to determine the Risk Levels.
• The RM gives information on project risk that can be
prioritised from the list of risks identified
• A qualitative risk analysis helps in determining specific
types or categories of risks that require special
attention or any risk events that need to be handled in
the near-term.
• The most challenging aspect of performing a qualitative
risk analysis is defining the rating scales.
• Once the scales have defined they can be used for the
duration of the project to effectively manage project's
risks in a timely manner
 QUANTITATIVE RISK ANALYSIS
• This is a way of numerically estimating the probability of
a project meeting its objectives.
• It is based on a simultaneous evaluation of the impact of
all identified and quantified risks, both prior to and after
taking mitigating actions.
• The process builds on qualitative risk analysis and goes
further in analysing the most important risk and their
probability of occurrence
• This process involves more sophisticated techniques
and methods to investigate and analyse project risks.
• It attempts to estimate the frequency of risks and the
magnitude of their consequences.
• Quantitative methods need a lot of work for the analysis
to be performed.
• However the effort should be weighed against the
benefits and outcomes from the chosen method
 • for example smaller projects may sometimes require only identification
and taking action on the identified risks, while larger projects require
more in depth analysis.

• The quantitative methods are more suitable for medium

and large projects due to the number of required
resources such as complex software and skilled
personnel (Heldman, 2005).
The purpose of this process is to:
 Quantify the project’s possible outcomes and probabilities.
 Determine the probability of achieving the project
objectives.
 Identify risks that need the most attention by quantifying
their contribution to overall project risk.
 Identify realistic and achievable schedule, cost, or scope
targets.
 Determine the best project management decisions
possible when outcomes are uncertain
• Quantitative Risk Analysis like Qualitative Risk Analysis
examines each risk and its potential impact on the
project objectives
• Both of these processes can be used to assess all risks
or only one of them, depending on the complexity of
the project and the organizational policy regarding risk
planning.
• The process can follow either the Risk Identification
process or the Qualitative Risk Analysis process
 TOOLS AND TECHNIQUES

Expected Monetary Value (EMV)

• This is a risk management technique which helps to quantify and
compare risks in many aspects of the project.
• It relies on specific numbers and quantities to perform the
calculations, rather than high-level approximations like high, medium
and low.
• EMV relies on two basic numbers.
• P – the probability that the risk will occur
• I – the impact to project if the risk occurs.
EMV = Probability * Impact
Example-I
• You have identified a risk with a 30% chance of
occurring. However, if this risk occurs it may cost you
500 USD. Calculate the expected monetary value (EMV)
for this risk event.
Example-II
• You have identified an opportunity with a 40% chance of
happening. However, if this positive risk occurs it may
help you gain 2,000 USD. Calculate the expected
monetary value (EMV) for this risk event.
Example-III
• In your project, you have identified two risks with a 20%
and 15 % chance of occurring. If both of these risks
occur they will cost you 1,000 USD and 2,000 USD
respectively.
• What is the expected monetary value of these risk
events?
Example-IV
• During risk management planning, your team has
identified three risks with probabilities of 10%, 50%, and
35%. If the first two risks occur, they will cost you 5,000
USD and 8,000 USD; however, if the third risk occurs it
will give you a benefit of 10,000 USD.
• Determine the expected monetary value of these risk
events.
Decision Tree Analysis
• The Decision Tree Analysis is a schematic representation
of several decisions followed by different chances of the
occurrence. 
• A decision tree, as the name suggests, is about making
decisions when faced with multiple options.
• It takes into account a number of factors including
probabilities, costs, and rewards of each event and decision
to be made in the future
• The analysis also uses expected monetary value
analysis  to assist in determining the relative value of
each alternate action.
Sensitivity analysis
• Sensitivity analysis is the quantitative risk technique
used to determine how independent variable values will
impact a particular dependent variable under a given
set of assumptions 
• It shows which task variables (Cost, Start and Finish
Times, Duration, etc) have the greatest impact on
project parameters
• The method looks at how uncertainties and risks assigned
to specific activities correlate with variance in the project.
• For example, sensitivity analysis allows one to identify
which task’s duration with uncertainty has the strongest
correlation with the finish time of the project.
• This in turn provides clues to where project managers
should look first when a management decision is
required.
Monte Carlo simulation
It is a computerized mathematical technique that allows
accounting for risk in quantitative analysis and decision
making
• It furnishes the decision-maker with a range of possible
outcomes and the probabilities they will occur for any
choice of action.
• It shows the extreme possibilities
• Risk analysis is performed by building models of possible
results and substituting a range of values—a probability
distribution—for any factor that has inherent uncertainty.
• It then calculates results over and over, each time using a
different set of random values from the probability functions.
• Depending upon the number of uncertainties and the ranges
specified for them, a Monte Carlo simulation could involve
thousands or tens of thousands of recalculations before it is
complete.
RISK RESPONSE PLANNING

• It is a process of developing options and determining

actions to enhance opportunities and reduce threats to
the project’s objectives
• It focuses on high risk items evaluated in the
qualitative and /or in the quantitative risk analysis
• In this process parties are assigned to take
responsibility for each risk response
Strategies for Negative Risks or Threats
• Strategies that are used to deal with negative risks or threats
to the project objectives include avoid, transfer, and mitigate.
Avoid
• To avoid a risk means evading it altogether, eliminate the
cause of the risk event, or change the project plan to protect
the project objectives from the risk event.
• The risk is avoided by eliminating its cause.
Transfer
• Risk transfer involve transferring the consequences of
that risk to a third party.
• The risk does not go away, but the responsibility for the
management of that risk will rests with another party
• This strategy impact the project budget and as such
should be included in the cost estimate exercises if it is
known that it is going to be used
• Transfer of risk can occur in many forms but is most
effective when dealing with financial risks.
• Ways of transferring risk on projects include
• Insurance through insurance companies
• Contactors can Subcontract work
• Modification of contract terms and conditions
Mitigate
• Risk mitigation involve an attempt to reduce the probability
of a risk event and its impacts to an acceptable level.
• The purpose of mitigation is to reduce the probability that a
risk will occur and reduce the impact of the risk to a level
where the risk and its outcomes can be accepted.
• Some examples of risk mitigation include performing more
tests, using less complicated processes and creating
prototypes.
Acceptance
• Acceptance is a strategy used for risks that pose either threats or
opportunities to the project
STRATEGIES FOR POSITIVE RISK OR OPPORTUNITIES

Strategies also exist to deal with opportunities or positive

risks that might occur on the project and they include the
following
• Exploiting a risk is about ensuring everything is in place
to increase the probability of the occurrence of the risk.
• Example of exploiting a risk. Suppose, some members
of the project team have determined a new technique to
develop a product and by using this technique, the
project duration can be reduced by 20%.
• To exploit this, there is need to ensure the technique is
used in the project and other team members are trained
on the new technique.
Share
• The share strategy is similar to transferring where the
risk is transferred to a third-party who is best able to
bring about the opportunity the risk event presents.
• For example, Forming a joint venture as a way of
capitalizing on positive risk
Enhance
• The enhance strategy closely watches the probability or
impact of the risk event to assure that the organization
realizes the benefits.
• This entails watching for and emphasizing risk triggers
and identifying the root causes of the risk to help
enhance impacts or probability.
Acceptance
• Acceptance is a strategy used for risks that pose either threats or
opportunities to the project
Passive acceptance
• With this strategy there is no need to make any plans to try to avoid or
mitigate the risk
• It involves willingness to accept the consequences of the risk should it
occur.
• Acceptance might also mean the project team is unable to come up with
an adequate response strategy and must accept the risk and its
consequences.
Active acceptance
• This include developing contingency reserves to deal
with risks should they occur.
• This is active acceptance and might involve developing
a contingency plan.
Contingency Planning
• Contingency planning involves planning alternatives to
deal with the risks should they occur.
• With Contingency planning the risk might occur, but
there are plans in place to deal with it when it occur
• Contingency comes into play when the risk event
occurs.
• The contingency is planned well in advance before the
threat occurs after the risk have been identified and
quantified
• Contingency plans include project funds that are held in
reserve to offset any unavoidable threats that might occur
to project scope, schedule, cost, or quality
• It also includes reserving time and resources to account for
risks.
• Contingency reserve is also used to cover for residual risk
A residual risk is a leftover risk, after implementing a risk
response strategy
• In risk response planning there is need for planning for
secondary risk that can occur on a project.
• Secondary risks are risks that come about as a result of
implementing a risk response.
 Risk monitoring and control
• Risk monitoring and control keeps track of the identified
risks, residual risks, and new risks.
• It also monitors the execution of planned strategies on
the identified risks and evaluates their effectiveness.
• Risk monitoring and control continues for the life of the
project.
• The list of project risks changes as the project matures,
new risks develop, or anticipated risks disappear.
• If an unanticipated risk emerges, or a risk’s impact is
greater than expected, the planned response may not
be adequate.
• There is need to develop additional response planning to
control the risk.
Risk control involves:
• Choosing alternative response strategies
• Implementing a contingency plan
• Taking corrective actions
• Re-planning the project, as applicable
Steps to Monitoring Project Risks
• Monitor Agreed-Upon Risk Response Plans
• Track Identified Risks.
• The project manager uses tools to track the overall project
risk.

• Identify and Analyse New Risks.

• Evaluate Risk Process Effectiveness.