Risk management essentials from project management perspectives

My only intention of preparing this post is to try reminding and refreshing all of us with some generic techniques and common sense about how we should assess, identify, analyze risk and its probability of occurrence from project management perspectives and then take some measurable steps to properly respond to the impacts that the risk would potentially entail. These risk management basics can also be used in every aspect of your life thus risks can at least be minimized if not avoided at all.

As you all might have known from many sources that project risk management simply is a systematic way of identifying potential risks within a project be it a project on operations, supply chain & procurement, commercial, marketing & BD, M&A, business process, systems, corporate governance & compliance, finance, corporate services, EPC, and audits and so forth by gauging or estimating the probabilities of these risks occurring to the project and then develop mitigation strategies to manage them effectively. In the business sector especially energy sector considerable resources are allocated to carry out quantitative risk assessments while such resources are rarely available to publicly funded projects such those funded by NGOs or social care organizations due to their limited budget allocations.

Nevertheless effective risk management plans can be put in place by adopting a systematic process of identifying and evaluating potential risks and using this analysis to develop strategies to manage and control them. In my experiences as project leader for various general management areas (operations management, project management, supply chain & procurement, commercial, marketing & BD, M&A, business process, systems, corporate governance & compliance, finance, corporate services, EPC, and audits, just to mention a few) such a process can be broken down into the following strategies:

1.   Risk assessment:

Risk assessment is the process by which potential risks to a project are identified and assessed, and appropriate responses to these risks are developed.

Firstly, make sure a list of the uncertainties involved in the project is produced.

Secondly, the likelihood of these uncertainties occurring and the relative impact they could have are also assessed.

Thirdly, the risks are prioritized and strategies developed in order to minimize the seriousness of their impacts.

2.   Risk Identification:

It is not too difficult to think of a number of 'generic risks' involved in energy or power plant projects. Listed below are the main potential areas of risks for a vast majority of such fixed assets projects as infrastructures, facilities, buildings, roads, ports, and so forth :

• Tasks involving third parties: selection of contractors or suppliers to the project determine a success or failure.
• Use of unfamiliar technologies, or emerging new technologies: choose technologies that you and your team are familiar or have been trained on.
• Any part of the plan based on assumption rather than fact: check all plans to become part of the project and ensure that they are all fact-based and workable.
• Insufficient skill levels: ensure you will recruit sufficient number of suitably qualified and right personnel to the project.
• Equipment support and knowledge: ensure that you have sufficient number of supporting equipment/machinery and operators are familiar with operating them.
• Clear workflow: make clear who does what and which job, how, where, when, how much and how long/deadline.
• Quality control: ensure that you have good quality control policies, systems and procedures in place to govern the business processes and communication for the project and between project team members.
• Compliance to standards: ensure every project team member including yourself complies to the policies, systems and procedures.

3.   Risk Analysis

Risk assessment is not simply about identifying risks so that the project team and stakeholders are aware of them. It also involves assessing the potential severity of these risks, thereby identifying where to most effectively focus attention and resources in managing them.

In order to assess the seriousness of a potential risk it is necessary to estimate the rough probability of it happening and the impact, should it occur, on the project timetable, project costs and end quality of the project resources.

4.   Assessing Probability

Without the benefit of a quantitative assessment of the probability of an event occurring, an assessment remains largely subjective and has to be based mainly on common sense and experience. As such the assessment has to be ongoing and evaluations of the probability of risks happening revised as the project proceeds and the likelihood of risks happening becomes clearer.

5.   Assessing Impact

Impact is the cost, time or quality effect a risk can have on a project. By involving all stakeholders especially your project management team you can list every potential risk to cope and then develop a further list of mitigation plans to manage them. In my experiences, establishing a risk map detailing every single risk factor with color code is one of the many strategies to manage risk impacts. Red means need the most attention as the impact is high both financially and operationally. Yellow means medium impact and then green or blue means least severe impact. The movement of each color should reflect real output or field result so consistent updating is essential.

6.   Planning a Risk Response

Decisions on the best course to take to in response particular risks should be based upon the risk analysis and ideally should take into account the benefit and cost of the risk response in relation to the probability and impact of the original risk.

Ideally those risks with the highest level of seriousness should be considered first. I am listing some types of risk response that have become my knowledge as a project leader in various sectors and functional areas over the last 25 years as follows:

6.1.        Risk avoidance

Also known as risk removal or risk prevention, risk avoidance involves altering the original plans for the project so that particularly risky elements are removed. It could include deciding not to perform an activity that carries a high risk. Less drastically it could involve altering the activity in such a way that the risk is removed, for example EAM systems ensures (ITMG/Banpu project that led long ago) that multiple backup copies of data are taken thereby avoiding their loss.

Adopting such avoidance techniques may seem an obvious way to deal with all risks. However, often the areas of the project that involve high risks are also the areas of the project that potentially contain the highest worth or the best value for money. Avoiding such risks may also result in removing potentially the 'best bits' of a project resource, and an alternative strategy that retains these risks may be more appropriate.

6.2.       Risk reduction

Risk reduction or risk mitigation involves the employment of methods that reduce the probability of a risk occurring, or reducing the severity of the impact of a risk on the outcome of the project. The loss of highly skilled staff is a considerable risk in any commercial project and not one that can (legally) be totally avoided. Keep your key personnel involved, motivated and feel respected and valuable to the project so that they can stay and contribute to the project optimally.

Suitable risk mitigation could involve the enforcement of a notice period, comprehensive documentation allowing for replacement staff to continue with the job at hand and adequate management oversight and the use of staff development program to encourage staff to stay.

6.3.       Risk transfer

Risk transfer moves the ownership of the risk to a third party normally by contract. This also moves the impact of the risk away from your project to this third party, for example ensuring that the geophysical studies on the soil surface on which you plan to build factories or plants are carried out by the consultants or contractors.

6.4.       Risk deferral

The impact a risk can have on a project is not constant throughout the life of a project. Risk deferral entails deferring aspects of the project to a date when a risk is less likely to happen. For example managing the expectations users have about the final physical form and delivery of a project can be time-consuming, so one way to reduce this risk is by not making a project available until user is involved in the testing and commissioning and declares satisfactory acceptance of the project. I did this during the construction of Banpu 7x2MW power plants in Bontang, East Balikpapan in 2010 where I had to make sure that end-user/IMM accepts the final output of the fixed asset projects before I would book them into my corporate fixed assets/plants and infrastructures/facilities systems.

6.5.       Risk retention

Whilst a certain number of the risks to the project originally identified can be removed by changing the project plan or dealt with by transferring the responsibility of the risk to third parties inevitably certain risks have to be accepted as a necessary part of the project. All risks that have not been avoided or transferred are retained or accepted risks by default.

It is therefore important to develop appropriate plans outlining how these residual risks will be dealt with should they occur. I exercised two strategies: 1) Pre-project construction risk strategy, a strategy that includes as many warranties or guaranties as possible in the contracts during negotiations; 2) Post-project construction strategy, a strategy that provides optimal protection by closing insurance policies for the fixed assets with reputable insurance or reinsurance companies (Allianz, AON, etc.) and enforce an asset user policy that outlines the risks that every fixed asset user is held accountable in case of asset loss and damage.

Thank you.

Herpiani Ng