04.0 - MANAGING RISK & OPPORTUNITY
04.1 - MODULE 04-1 - INTRODUCTION TO MANAGING RISK & OPPORTUNITY
04.1.1 - WHAT IS THE PURPOSE OF MANAGING RISK & OPPORTUNITY
The purpose of the Managing Risk and Opportunity Module is to introduce the tools, techniques and methodologies associated with Risk and Opportunity that have been identified as “best tested and proven” practices and have been found to work on “most projects, most of the time”; to provide a logical or rational sequence showing when those tools or techniques would normally and customarily be used; and, in selected instances, to show how to use those tools/techniques and/or where to find additional information on how to use or apply them.
Risk Management and Opportunity Management have become a somewhat controversial topic in the world of project management. Many of the leading organizations treat opportunity and risk as two sides of the same coin; that is, in every risk there is an opportunity and for every opportunity there are risks. While this may be true, it doesn’t help the project control practitioner provide expert advice and guidance to the project manager or other key stakeholders.
- The Guild of Project Controls has taken a slightly different approach: while recognizing that the tools, techniques and processes used to manage both risks and opportunities are the same, the Guild treats them as two different sets of outcomes which often involve decisions and/or actions by different stakeholders.
Projects, whether from the owner’s or the contractor’s perspective, are BUSINESS INVESTMENTS from which both the OWNER (through whatever business objective the project was undertaken to achieve or realize) and the CONTRACTOR (through the profitable execution of the project) expect to obtain a fair return on their investment. Whenever possible, the definitions used therefore come from either Investopedia or the Business Dictionary rather than a standard English language dictionary, on the basis that context is important and that looking at project management in the context of being a business investment, we believe, makes the most sense.
Thus the Business Dictionary defines a “Risk” to be “A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.”
Likewise, the Business Dictionary defines “Opportunity” to be “Exploitable set of circumstances with uncertain outcome, requiring commitment of resources and involving exposure to risk.”
In terms of the modern definition of “risk”, the term risk encompasses both negative (threat) and positive (opportunity) outcomes to project objectives, due to the effect of uncertainty. As this is inconsistent with the standard dictionary definitions, the Guild has opted to follow the Standard English dictionary definitions.
Therefore – for the purposes of this discussion, both “risk” and “opportunity” are used in accordance with their commonly understood meanings i.e. “risk” is synonymous with threat as a negative consequence on project objectives whereas “opportunity” is used to denote a positive outcome/consequence on project objectives occurring as a result of the effect of uncertainty.
Accordingly, the phrase “risk management” refers to the management of threats – risk with potential negative effects on objectives while “opportunity management” refers to events or conditions which could have a positive effect on project objectives.
04.1.2 - WHAT ARE THE PROCESS MAPS FOR MANAGING RISK & OPPORTUNITY
One of the major and most intractable differences between Owner organizations and Contractor organizations lies in the fact that for an owner, a project is invariably a cost or investment center (cash out) while for a contractor, a project is a profit center (cash in). Explained another way, for most Owner organizations, the return on their investment does not derive from the project itself but from whatever product, service, business process improvement or other result that the project was undertaken to realize or achieve, while for a Contractor, the project is the investment and the return on that investment comes from the project being profitable or building the Contractor’s reputation or some other tangible or intangible reason for the Contractor bidding on the project. This difference is not often covered and is one of the reasons Owner-Contractor relations tend to be so confrontational and subject to disputes. Thus the process maps being shown offer both the Owner and Contractor perspectives, for while the differences may appear small, they are important in helping to understand the often contentious relationship between Owners and Contractors.
OWNER’S PROCESS MAP-

Figure 1 - 1,000 Meter View of the Process Flow Chart for Managing Risk/Opportunity, from the OWNER ORGANIZATION PERSPECTIVE
Source: Guild of Project Controls
As Figure 1 above illustrates, for an OWNER’S ORGANIZATION the INPUTS to Risk and Opportunity Management come from sources both EXTERNAL and INTERNAL to the project and consist of:
- Outputs from each of the Phase Gate Decision Support Packages (External)
- The results of the Stakeholder Analysis Meetings (External)
- The Business Case (External)
- Work Breakdown Structure (WBS) (Internal)
Because in an Owner organization, the revenue, cost savings or other benefit derives not from doing the project but from the product, service or change that the project was undertaken to deliver, the owner’s project management/project control team needs to be looking not only at the risks/opportunities associated with the project but also those risks/opportunities associated with the product of the project and how these risks/opportunities interact and affect one another.
However, at least in terms of the project related risks/opportunities, the WBS ideally has identified “all the deliverables and only the deliverables” required for the project to satisfy the purpose it was undertaken to achieve (“Business Case”), so the WBS becomes the logical input upon which to base the Project Risk and Opportunity Analysis. This is why the first column in the Risk/Opportunity Register is the WBS element: if the WBS represents 100% of the required deliverables, and each WBS element is examined in terms of the impacts, + or -, that Time, Cost, Quality and Scope could have, the probability of missing a project related risk or opportunity event is greatly diminished.
Once the risk/opportunity registers have been created, the outputs from these registers become inputs to all the remaining processes, especially Module 5 - Managing Contracts, Module 6 - Managing Resources, Module 7 - Managing Planning and Scheduling and Module 8 - Managing Cost Estimating and Budgeting. The reason is that these modules are where we need to consider building contingencies, buffers and management reserves into both time and costs.
As indicated by the red lines, for an OWNER, both risk and opportunity events, if and when they do happen, form a feedback loop, which is why implementing a robust double loop learning process is critical to doing a better job of managing both risks and opportunities, particularly through the creation and use of “lessons learned” databases.
CONTRACTOR’S PERSPECTIVE-
Figure 2 below illustrates the important differences in risk/opportunity management between the Owner’s perspective and that of the Contractor. As Contractors are in business to make a profit from doing projects, the risks and opportunities for Contractors are directly related to the terms and conditions spelled out in the contract documents. This means that the majority of risks and opportunities for a Contractor are directly or indirectly imposed by the contract.
These can be identified by the “shall” clauses in the contract, such as “Contractor shall perform the work in a workmanlike manner”, with "workmanlike manner" being defined as “the way work is normally and customarily done by other Contractors in the community."
For a Contractor, each time they see the word “shall” it means both a potential risk event if they do NOT do it, as well as requiring one or more activities in the schedule and a line item in the cost estimate to cover the costs of doing what is required.

Figure 2 - 1,000 Meter View of the Process Flow Chart for Managing Risk/Opportunity, from the CONTRACTOR ORGANIZATION PERSPECTIVE
Source: Guild of Project Controls
Unlike an Owner, who has to worry about the risks and opportunities not only related to the project but those related to the product the project was undertaken to achieve, the Contractor’s focus revolves around managing the risks and opportunities that the contract documents represent. This is why for most EXTERNAL risks/opportunities, there are clauses such as “force majeure” and requirements that Contractors carry various types of insurance, obtain performance bonds and guaranty their work.
For a Contractor, the only major uninsurable external risks revolve around resources (Module 6), weather (Module 7) and price increases (Module 8). Assuming the schedule is realistic to start with and the Contractor works his/her plan, then progress against the baseline (Module 9) should not pose an unmanageable risk, and if for whatever reasons the time frame is NOT reasonable, then the Contractor has plenty of opportunity to protect him/herself against late delivery penalties using Module 7, Module 10 and Module 12.

Figure 3 - The Risk & Opportunity Management Process Map 100 Meter Level of Detail
Source: Guild of Project Controls
Consistent with the Guild’s policy of researching and selecting “best tested and proven” practices as the basis for the GPC’s Body of Knowledge, which meet three criteria:
(1) Non-proprietary or “open source” (available in the public domain)
(2) Free of charge
(3) Accessible via the web
And then adapting them for project controls applications, we have built our risk/opportunity model around the following primary reference: US Federal Drug Administration’s “MDSAP QMS F0004.1.001 Risk Management Process Flowchart”.

Figure 4 - US FDA “Risk Process Map” Adapted for use in the GPCCAR
Source: Guidance for Industry- Q9 Quality Risk Management (2006)
Consistent with the standardized approach followed for all modules in the GPCCAR we had to ADAPT the FDA “Best Tested and Proven” methodology to make it “fit for purpose” in the context of applied project controls.
We therefore need to see how this might relate or map to the project Risk Register:

Figure 5 - Risk Register Template Mapped to the FDA Risk Management Process
Source: Giammalvo, Paul D (2015) Course Materials. Contributed Under Creative Commons License BY v 4.0
Now in the context of applied project controls:
(1) Step 1 - Establishing the context-
To be consistent, Step 1 is explored in this Module and involves determining the structure; because it is organization specific, it is also done in Module 04-2 - Developing the Risk/Opportunity Policies and Procedures Manual.
(2) Step 2 - Identifying Risks-
Because the Guild is not only focusing on the PROCESS of risk/opportunity management but the practical aspects of HOW project control professionals can or should apply it in their day to day working environment, the Guild has researched what we consider to be one example of a “best tested and proven” Risk Register TEMPLATE which we have mapped against the Process Map. This was done to give a project control professional a STARTING POINT in the event their organization does not have a Risk/Opportunity Process in place and/or does not have a Risk/Opportunity Register Template.
As can be seen by comparing Figure 4 - US FDA “Risk Process Map” against Figure 5 - Risk Register Template, the Guild has gone to a greater level of detail in Identifying Risks (refer Module 04-3 - Identify Risks / Opportunities) than the FDA has provided. This is to accommodate additional “best tested and proven” practices.
(3) Step 3 - Analyze the Risks/Opportunities-
Comparing step 3 from both graphics, we can see that here, the GPC (Module 04-4 - Assess, Categorize, Prioritize And Quantify Risks or Opportunities) and the FDA are in agreement, even though the terminology is not exactly the same.
(4) Step 4 - Determining the Impacts/Consequences-
Both FDA and GPC agree that the impacts (consequences) need to be captured. While these can be expressed in terms of both time and costs, the time impacts should be converted to a monetary value so that risks and opportunities can be compared in a meaningful manner.
(5) Step 5 -
Again both the FDA methodology and GPC risk/opportunity register template are in agreement that the next step is to calculate the PROBABILITY of a risk/opportunity event occurring.
(6) Step 6 -
The FDA advocates ESTIMATING the level of risk while the Guild is advocating that project controls professionals should be CALCULATING the value of each risk/opportunity event using the concept of Expected Monetary Value or EMV.
(7) Step 7 -
Both the FDA process map and the GPC template agree that risks should be evaluated and prioritized, the difference being that the GPC advocates using EMV as the basis to prioritize risks, rank ordered from the highest EMV to the lowest.
(8) Step 8 - Treat or Address the Risks-
Here again, the Guild has further subdivided the FDA process into both strategic and tactical responses. Strategic responses are high level, generic responses to dealing with risk or opportunity events, while tactical risk/opportunity responses are very specific and often detailed responses which the people who are on the ground when the risk event occurs or the opportunity presents itself are expected to implement. In most cases, the authority has been pre-approved for “first responders” to initiate whatever tactical risk/opportunity response has been agreed to.
(9) Step 9 - Maintain the database-
Because the Guild’s BoK is a fully INTEGRATED set of processes, creating, updating and maintaining the Risk & Opportunity Database falls under Module 11- Managing Project Databases.
(10) Step 10 - Communicating and Explaining-
As the GPCCAR is a fully integrated set of processes, this is covered under Module 02 - Managing People.
(11) Step 11 - Monitor the Effectiveness of the Process-
The GPCCAR covers this in two modules:
- A. in Module 04-6 - Risk / Opportunity Monitoring and Control we address the specifics of monitoring and controlling both risk and opportunity from the perspective of the project control professional
- B. in Module 09-5 - Project Performance Forecasting we address the specifics of monitoring and controlling both risk and opportunity from the perspective of supporting project sponsors, project managers and other key decision makers to help them understand their options and to provide expert advice to guide them in making decisions.
(12) Step 12 - Review Objectives, Decisions and Assumptions-
This has been covered under Module 04-6 - Risk / Opportunity Monitoring and Control and Module 09 - Managing Project Progress.
(13) Step 13 - Update Plans-
In the GPCCAR this step is covered in Module 09 - Managing Project Progress, where we analyse the impacts of both risks and opportunities and make the appropriate and relevant adjustments to time and cost through the Change Management process defined in Module 10 - Managing Change.
While this level of detail provides a more granular look at the processes and how they interact than the 1,000 Meter view, there is yet another, deeper level of detail which the Guild calls the “ground” or “working level”. It is this next level which contains the explanation for each of the modules shown above, telling more about what inputs are required, including providing some examples; what tools and techniques are typically used, including providing examples or templates; and, in selected instances, specific step by step instructions or links to additional resources showing how to use each of these tools or techniques, consistent with the Guild’s commitment to identify and advocate “best tested and proven” practices.
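A worked illustration of Steps 4 through 7 above, added here and not part of the Guild's material or its register template. It assumes the customary definition of EMV (probability multiplied by monetary impact), which the text names but does not spell out; the daily rate used to convert time impacts to money, the field names and every register entry are constructed for the example.

```python
from dataclasses import dataclass

# Assumption: hypothetical monetary value of one day of schedule movement,
# used to convert time impacts into money (Step 4).
DAILY_RATE = 10_000.0


@dataclass(frozen=True)
class RegisterEntry:
    wbs: str                 # WBS element, the first column of the register
    event: str               # description of the risk or opportunity event
    probability: float       # Step 5: chance the event occurs, 0.0 to 1.0
    cost_impact: float       # direct cost effect: negative = loss, positive = gain
    time_impact_days: float  # schedule effect: negative = delay, positive = days saved


def monetary_impact(entry, daily_rate=DAILY_RATE):
    """Step 4: express cost and time impacts as one monetary value."""
    return entry.cost_impact + entry.time_impact_days * daily_rate


def emv(entry, daily_rate=DAILY_RATE):
    """Step 6: Expected Monetary Value = probability x monetary impact."""
    if not 0.0 <= entry.probability <= 1.0:
        raise ValueError(f"{entry.wbs}: probability must be between 0 and 1")
    return entry.probability * monetary_impact(entry, daily_rate)


def rank_register(entries, daily_rate=DAILY_RATE):
    """Step 7: rank by EMV, highest magnitude first.

    Threats (negative EMV) and opportunities (positive EMV) are returned as
    two separate lists, since the text treats them as separate sets of
    outcomes. Entries with an EMV of exactly zero appear in neither list.
    """
    scored = [(e.wbs, emv(e, daily_rate)) for e in entries]
    threats = sorted((s for s in scored if s[1] < 0), key=lambda s: s[1])
    opportunities = sorted((s for s in scored if s[1] > 0), key=lambda s: -s[1])
    return threats, opportunities


# Constructed sample register; none of these entries come from the source page.
REGISTER = [
    RegisterEntry("1.2.1", "Long lead equipment delivered late", 0.25, -40_000, -20),
    RegisterEntry("1.3.4", "Differing site conditions", 0.5, -80_000, -5),
    RegisterEntry("1.4.2", "Alternative construction method", 0.5, 30_000, 6),
    RegisterEntry("1.1.3", "Weather delay", 0.125, 0, -16),
    RegisterEntry("1.5.1", "Early order supplier discount", 0.75, 20_000, 0),
]

if __name__ == "__main__":
    threats, opportunities = rank_register(REGISTER)
    print("Threats, largest expected loss first:")
    for wbs, value in threats:
        print(f"  {wbs}  EMV {value:>12,.0f}")
    print("Opportunities, largest expected gain first:")
    for wbs, value in opportunities:
        print(f"  {wbs}  EMV {value:>12,.0f}")
```

Note that the late equipment delivery has the largest raw impact, yet ranks second among threats once probability is applied, which is the reason for prioritizing on EMV rather than on impact alone.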
04.1.3 - BACKGROUND INFORMATION FOR MANAGING RISK & OPPORTUNITY
04.1.3.1 - The Meaning of "Risk" and "Opportunity"
In terms of the modern definition of “risk”, the term risk encompasses both negative (threat) and positive (opportunity) outcomes to project objectives, due to the effect of uncertainty. The title of this section of the GPCCAR is therefore slightly tautologous, and the reason for it is that the use of “risk” in a positive sense/as an opportunity, is not within the common vernacular.
Therefore – for the purposes of this discussion, both “risk” and “opportunity” are used in accordance with their commonly understood meanings i.e. “risk” is synonymous with threat as a negative consequence on project objectives whereas “opportunity” is used to denote a positive outcome/consequence on project objectives occurring as a result of the effect of uncertainty.
Accordingly, the phrase “risk management” refers to the management of threats – risk with potential negative effects on objectives while “opportunity management” refers to events or conditions which could have a positive effect on project objectives.
One of the major and most intractable differences between Owner organizations and Contractor organizations lies in the fact that for an owner, a project is invariably a cost or investment center (cash out) while for a contractor, a project is a profit center (cash in). Explained another way, for most Owner organizations, the return on their investment does not derive from the project itself but from whatever product, service, business process improvement or other result that the project was undertaken to realize or achieve, while for a Contractor, the project is the investment and the return on that investment comes from the project being profitable or building the Contractor’s reputation or some other tangible or intangible reason for the Contractor bidding on the project. This difference is not often covered and is one of the reasons Owner-Contractor relations tend to be so confrontational and subject to disputes.
Because we are exploring risk and opportunity, and in the context of the explanation above, this is an ideal point to expand on the difference between PROJECT success and PRODUCT success.
This simple matrix illustrates an important concept that project control practitioners need to understand and appreciate:

Figure 6 - The Difference between PROJECT success and PRODUCT success
Source: Giammalvo, Paul D (2015) Course Materials. Contributed Under Creative Commons License BY v 4.0
In the worst case scenario, the Project “FAILS” and whatever PRODUCT or service or result the project created fails as well. The classic example of this scenario is the European Channel Tunnel project; not only was it late and over budget, but the payback period on the investment is longer than the useful life of the product the project created. So both from a project and from an investment perspective, it was unsuccessful.
The classic example of a project which FAILED but whose PRODUCT was a success is the Sydney Opera House. The project itself was late, over budget, and experienced all kinds of quality problems, but the product the project created has become the iconic image of Sydney with untold tangible and intangible value added.
In the third scenario, the project was a “SUCCESS” (i.e. finished on time, within budget, in substantial conformance to the technical requirements with no lost time injuries or major environmental violations) but the product of the project failed to deliver the return on investment. We find this scenario playing out frequently in the oil and gas sector, where the drilling Contractor does a great job and walks away happy, but the well fails to produce the amount of oil or gas that the business case was predicated on.
We need to be able to identify different categories of risk and opportunity events, determine who is best able to manage that risk or opportunity, and then empower or authorize the person responsible with sufficient and appropriate authority to act to address that potential risk or opportunity event.
Lastly, we need to keep in mind that in many cases (i.e. new product development, oil and gas projects) the “time to market” is much more important than the cost of the project. Explained another way, if you are the first in the marketplace with a new product or service, then you pick up the majority of the market share, which means you may be willing to blow the budget as long as the project finishes on time or ahead of schedule. This is why, before you do your risk assessment, it is imperative that you understand what your stakeholders need and want.
04.1.3.2 - Risk and Project Controls
It is widely acknowledged that the key to successful project controls is the fusing / integration of cost to schedule whereby the management of one helps to manage the other. The focus on time and cost does not detract from the importance of other project objectives such as meeting stakeholder expectations, delivering value, furthering the organization’s strategic objectives, meeting quality standards, being a good corporate citizen, etc. It is simply an acknowledgement that from a project controls perspective, time and cost for a given scope are the most visible indicators of “project success” both from an organizational and an external stakeholder expectation point-of-view.
In addition to time and cost, project control is also faced with the inevitable changes in project scope/requirements brought about by changing stakeholder expectations and the influence of externalities in the project environment. Change is a major source of project uncertainty and requires control and management from within the Project Controls function.
To be clear, the Guild of Project Controls does not advocate or encourage conducting separate risk meetings. Risk (as we already do in safety) is and should be an agenda discussion item in EVERY single meeting, whether it is a Decision Support Package meeting, a Planning/Scheduling Development meeting or Progress Update Meeting at all levels, down to the field workers (i.e. “Toolbox Meetings”).
History has shown that when we separate risk and treat it as a stand-alone process, we find that we may do one or two risk meetings and then forget about the risk until something goes wrong. By integrating risk and giving it the same importance as we do time and cost and quality, we are less likely to end up with unpleasant surprises.
Explained another way, we need to treat ALL risk categories with the same seriousness and focus that we do for SAFETY, which is just one of many of the faces of “risk”.
Towards that end, the Guild has included the discussions and considerations of risk and EMBEDDED the risk assessment and management processes in the relevant Modules:
- Risk Meeting and Agenda Items in Module 01 - Managing Project Controls (Asset and Project Decision Support Package Meetings) and Module 02 - Managing People (Communications and Stakeholder Management)
- Schedule Risk Assessment as agenda items in Module 07 - Managing Planning & Scheduling
- Cost Risk Assessment as agenda items in Module 08 - Managing Cost Estimating & Budgeting
- Progress Risk Assessment as agenda items in Module 09 - Managing Project Progress
It is generally recognized that there are a minimum of 5 generic categories of Risk / Opportunity we find in projects and programs which are mapped to the phase gate approach:
- Business Risks / Opportunities (which are the focus of the Phase 1 DSP)
- Technical Risks / Opportunities (which are the focus of the Phase 2 DSP)
- Procurement Risks / Opportunities (which are the focus of the Phase 3 DSP)
- Constructability Risks / Opportunities (which are the focus of the Phase 4 DSP)
- Execution Risks / Opportunities (the focus of the Contractor, and consisting primarily of Safety, Health and Environmental, but also including productivity, weather etc.)

Figure 7 - The Phase Gate Approach
Source: Giammalvo, Paul D (2015) Course Materials. Contributed Under Creative Commons License BY v 4.0
In Phase 1 (also known as the Identify or FEL 1 Phase; see Module 01 - Managing Project Controls for explanation) we focus on Business Risk/Opportunity: the probability that the product the project was undertaken to create does not or cannot realize the business objectives for which it was undertaken. This lies primarily with the asset managers, those individuals who prepare and control the CAPEX and OPEX budgets. Generally speaking, OWNER project managers have neither the knowledge nor the level of authority to make business decisions. On the other hand, project managers coming from the CONTRACTOR side generally are empowered to make business decisions, more specifically to exploit opportunities caused by discrepancies in the drawings or technical specifications or other errors or omissions on the part of the owner in order to increase the profitability of the project. It is important for project control professionals to understand that working for an Owner’s project manager and working for a Contractor’s project manager may well require you to perform different sets of analysis.
In Phase 2 (also known as the Assess or FEL 2 Phase; see Module 01 - Managing Project Controls for explanation) the focus is on Technical Risk. This is usually an engineering type of risk where options are considered, such as using proven technology vs new technology, the latest version of a software package vs an older version which has been debugged, or a greenfield vs brownfield approach (constructing a totally new facility vs upgrading an existing facility). One of the primary tools/techniques used during this phase is Value Engineering. While project control professionals may be brought in as Subject Matter Experts, rarely are these decisions made by the Owner’s project manager alone and almost never by the Contractor’s project manager. (Yes, there are always exceptions to this rule.)
Phase 3 (also known as Select or FEL 3; see Module 01 - Managing Project Controls for explanation) is the phase where long lead items are generally ordered, so the emphasis during this phase is on Procurement Risks. This is where planners and schedulers in particular need to get involved to investigate, capture and analyze the impact long lead equipment deliveries might have on the project end date or, if the project team is being proactive, to work on the backwards pass to see what date the equipment needs to be ordered by in order NOT to delay the project completion date.
Phase 4 (also known as Define; see Module 01 - Managing Project Controls for explanation) - during this phase, the most common tools or techniques used to explore risk and opportunity are known as “constructability” reviews. Can the project be built as designed? And are there better or more efficient ways to do it? This is where Building Information Modeling (BIM) is most useful, as it enables the project controls team, working with BIM design engineers, to experiment with different options. Assuming the 3D BIM is “hot linked” to the CPM scheduling (4D BIM) and cost estimating software (5D BIM), both risks and opportunities can be simulated.
Phase 5 (also known as Execution; see Module 01 - Managing Project Controls for explanation) - This is the phase where risks are most frequently encountered by project control professionals, be they planners/schedulers, cost managers or forensic claims analysts. These are the day to day problems involving unexpected or unanticipated procurement delays, differing site conditions, productivity and slow cash flows. For most project control professionals, the project manager and other project team members will be looking to you to provide ideas, suggestions and alternatives for them to consider in keeping the project on time, within budget, in substantial conformance to the technical requirements with no safety or environmental incidents. This is the level of authority most commonly found in both Owner and Contractor project managers. (And yes, there are always exceptions, but this statement is generally true.)
While the focus or emphasis changes from phase to phase (refer Figure 1 - ASSET Life Span, PROJECT Life Span and PROJECT CONTROL Life Span in Module 01 - Managing Project Controls), any category or type of risk or opportunity can be identified during any phase. It is up to the project control team to track and manage the risk register for and on behalf of the project manager, the rest of the project team and all other key stakeholders. (We will explore how to develop a risk register in follow on modules).

Figure 8 - Risk and Opportunity Illustrating “Min-Max” Approach
Source: Giammalvo, Paul D (2015) Course Materials. Contributed Under Creative Commons License BY v 4.0
In Figure 8, we can see that while the process, methodology, tools and techniques to identify and analyze risk and opportunity are identical, where they differ is in the strategy or tactics we can employ in order to minimize downside risk while maximizing upside potential. In applying this kind of “Min-Max Theory”, we need to understand that not all risks offer opportunities and not all opportunities carry the same risk. Explained another way, risk and opportunity are not two sides of the same coin but are often unique and separate and have to be treated separately.
To conclude, the purpose or objective of this Module on Risk will be to try to use BOTH Risk and Opportunity Management methodologies to try to increase the probability of achieving more SS and fewer FF projects, by identifying risk categories, assigning them to the organization or individual most capable of managing that risk and empowering or authorizing this person with sufficient authority to manage it, or if there is an opportunity, to empower or authorize the individual opportunity owner to maximize the value of any opportunities which do present themselves.
04.1.3.3 - Managing Scope & Quality
The paradox of project controls is that project management must be vigilant in controlling the outcomes of the project in a prevailing climate of change and uncertainty while being subjected to the same levels of change and uncertainty themselves. The project must deliver according to the agreed budget, schedule and scope/quality while operating within an environment where predictable (but not known in advance) deviations from plan are viewed by stakeholders as being “out of control”, and where management reaction to “regain control” will most likely result in instability within the project (Dr. Linda Bourne, PMI Research Conference 2006).
- Project Controls is not simply the passive monitoring of project progress – it is the active control of project planning and execution by means of quantifiable risk-based analysis and recommendations, so that the project sponsors, project managers and other key stakeholders can make informed decisions based on facts.
- Risk management and project control are therefore inextricably linked in ensuring project success, and this requires risk-based project controls (RBPC) to ensure that the project control decisions taken under conditions of uncertainty are effective and efficient in ensuring the achievement of project objectives.
04.1.3.4 - The Risk & Opportunity Register
Having explained the relationship between the Risk/Opportunity PROCESS MAP and the working document that the project control professional is most likely to be working with, in this section we will introduce the RISK/OPPORTUNITY REGISTER.
The process of managing risk is central to all aspects of project controls and for that reason is one of the core modules. For the Planning and Scheduling Career Path, risk management forms the basis not only for calculating durations and contingency but also for identifying and including activities which may serve to mitigate or avoid risk events, the end objective being to create as realistic and achievable a schedule as possible. The same applies to the Cost Management Career Path.
As cost and time are inextricably linked, the project control practitioner needs to be comfortable with both the scheduling and cost aspects of risk; if they are not, then the planner / scheduler and cost manager need to collaborate and communicate to ensure the schedule and costs are optimized based on the objectives and priorities established by the key stakeholders.
For the Forensic Analyst Career Path, invariably it is failure to anticipate and manage risk events effectively which turn into claims and disputes. Assuming everyone agrees it is preferable to prevent disputes in the first place, mastering the methodology, tools and techniques of risk management can help the forensic analyst be proactive in identifying potential disputes and claims before they happen and address them if they are employed on projects whilst they are in progress.

Figure 9 - The Risk / Opportunity Register
Source: Giammalvo, Paul D (2015) Course Materials. Contributed Under Creative Commons License BY v 4.0
The risk/opportunity management process is neither complex nor difficult; however, based on the documented failure rates of both projects and the products created using project management as the delivery system of choice, this is clearly a process which is not done soon enough or frequently enough. The example above is a real risk register template developed for a nuclear power plant. It was designed to more or less follow the risk management process from start (1 WBS) to finish (12 Developing and Executing Tactical Risk Response). As the Guild of Project Controls is focused on the working level, as done in other modules, we believe that not only is it necessary to know and understand the processes but also how the processes relate to the TEMPLATES provided, giving the project control professional not only the process map but the supporting template(s) at least to get started.
There are many other risk register templates, some with more information, some with less, but this one has been around for many years now and has been tested and proven to work.
To explain the processes as mapped against the Risk Register:
(1) WBS (Column A) -
We always START the risk/opportunity assessment process with the WBS. Why? Because if the work breakdown structure defines exactly 100% of the project scope at any given point in time, and we start the process with the WBS, from Level 1 in Phase 1 all the way down to Level 5 in the Phase 5 or Execute Phase, the probability of missing a risk event OR a potential opportunity is considerably reduced. While we start with the WBS for our risk/opportunity assessment, there are a MINIMUM of 4 dimensions or attributes we have to analyze in terms of risk/opportunity:

Figure 10 - Using Work Breakdown Structures
Source: Moine, Jean Yves, Leynaud, Xavier and Giammalvo, PD (2015) Creating and Using Multi-Dimensional WBS Structures
- That the Scope will change (+/-)
- That the Time will change (+/-)
- That the Cost will change (+/-)
- That the Quality will change (+/-)
In addition, Safety, Health and the Environment (SH&E) is another dimension or attribute but at minimum there are 4.
Adopting or using standardized WBS structures to as great an extent as possible will help us in producing more consistent, complete Risk/Opportunity registers.
Because the Guild of Project Controls has adopted and endorses the use of both relational and object oriented (hybrid) databases (See Module 11 - Managing Databases) as well as the concept of multi-dimensional WBS structures, even though we start the risk analysis process using the WBS as the basis for our risk analysis it is intended that the risk analysis can also be sorted into a Risk Breakdown Structure (RBS) as well.

Figure 11 - Example of a Risk Breakdown Structure
Source: Van Eeden Q (2014) Contributed Under Creative Commons BY v 4.0
Thus by adopting a relational database approach, the “Risk Breakdown Structure” (RBS) could be created by sorting on any of the columns (A-L) in our risk register and if other sorts were deemed necessary and appropriate, additional sort fields could be added. This provides maximum flexibility to project teams in how they want to see their risks and opportunities organized and presented.
(2) Risk/Opportunity Events (Column B) -
These are the actual events which can occur and which can either negatively impact our project (risks) or favourably impact it (opportunities). These can come from many sources, but in almost all cases, identifying risks/opportunities comes from historic records, testing (i.e. mean time between failures) or from expert opinions (Lessons Learned, experience on similar projects).
The primary tools/techniques we use to IDENTIFY potential risks or opportunities are:
- Brainstorming using subject matter experts
- Past historical records
- Destructive or non-destructive testing results
(3) Risk/Opportunity Triggers (Column C) -
While not all risks or opportunities provide early warning signs, most of them do, and if we take the time to identify what they are it will help us anticipate and at least prepare. An example of a “risk trigger” is the yellow blinking warning light on your fuel gauge, warning that you are low on fuel. Not all risks have risk triggers or early warning signs, but for project control professionals, many of the earned value metrics serve as “risk” or “opportunity” triggers, provided we know how to read and understand what they are telling us. For more on the specific Earned Value metrics which serve as early warning signs or risk triggers, refer to Module 9 - Managing Progress.
(4) Type of Risk/Opportunity (Column D) -
The type of risk or opportunity is important because not all stakeholders can possibly be aware of all the different types of risk/opportunity and not all stakeholders have the authority or knowledge to manage all risks/opportunities. For example, it is highly unlikely that the project control professional much less the project manager has the authority to address business risks. Those risks are usually the responsibility of the project sponsors or in the case of contractors, the owners of the contracting company. Generically, there are 5 categories of risks/opportunities which roughly correspond to each Phase:
- Business Risks / Opportunities
- Technical Risks / Opportunities
- Procurement Risks / Opportunities
- Constructability Risks / Opportunities
- Execution Risks / Opportunities (i.e. Safety, Health and Environmental)
While any risk/opportunity can and should be identified and captured in any phase, the list above provides the generally accepted focus of risk/opportunity brainstorming sessions.
(5) Risk/Opportunity Owner (Column E) -
Based on the fundamental concept of clear and unmistakeable ACCOUNTABILITY, (See Module 02-6 - Identifying And Engaging Stakeholders, in particular, Fayol and Johnson) every risk needs to have an owner. And that owner needs to be empowered with sufficient authority to act on the risk/opportunity. Preferably, if it is negative, to prevent it or to respond quickly if it happens or if it is positive, to act to exploit it. This is why knowing what type of risk it is (Step 4 above) is important as that will determine the appropriate person who has the level of authority to act quickly.
(6) Internal or External Risk/Opportunity (Column F) -
An INTERNAL risk or opportunity is something that the project team has reasonable control over. An example of this would be the process to analyse and make the decision to insource a work package or outsource it. An EXTERNAL risk or opportunity is an event over which no one has control. A perfect example would be the market price of oil or the opportunity to purchase a large quantity of rebar or pipe at a favourable price. Here again, this is important information to know and understand because once a risk or opportunity has been identified, selecting the risk owner means determining in advance who has the authority to act or otherwise make a decision. We see this happening today in the oil sector. With the price of oil dropping below $50/barrel (an EXTERNAL risk event), many projects are being postponed. Rarely is this a decision for the project manager; normally a project sponsor or steering committee would be the “risk owner” and thus make the call to cancel or postpone the project.
The ultimate example of an external risk event is “Force Majeure” which is of sufficient seriousness that the contract can be set aside. (See Module 05 - Managing Contracts for more on this topic).
(7) QUANTITATIVE Risk Analysis IMPACT (Column G) -
While many organizations still use QUALITATIVE risk analysis, those analyses are of little or no PRACTICAL use at the project controls level. Thus the project control professional needs to QUANTIFY, either in terms of MONEY or TIME or BOTH, what the IMPACT of each risk or opportunity event is. A risk analysis without the monetary or time impacts is of little practical value at the level of detail the project control professional is dealing with.
The primary tools/techniques we use to analyse IMPACT are:
- Brainstorming using the opinions of Subject Matter Experts
- Historical Records for comparable projects
- Computer Simulation
If the results of the simulation are time related, then in order to complete the risk analysis, we need to convert the number of days early or late into money. This can be done using actual costs and/or lost opportunity costs. But regardless, all risks and opportunities need to be monetized in order to enable the appropriate decision makers to determine what actions should be taken.
(8) QUANTITATIVE Risk Analysis PROBABILITY (Column H) -
The second piece of QUANTITATIVE information a project control professional needs is the PROBABILITY that a risk event or opportunity will happen. Probability can come from many sources, including historical records, testing (mean time between failures), lessons learned OR it can come from subject matter experts, such as forensic analysts, field people with many years’ experience or insurance actuarial specialists.
The primary tools/techniques we use to analyse PROBABILITY are identical to those we used to analyse IMPACT:
- Brainstorming using the opinions of Subject Matter Experts
- Historical Records for comparable projects
- Computer Simulation
As the values for PROBABILITY are stated either in PERCENTAGES or STANDARD DEVIATIONS, we need to know how to read and use Z Tables to convert from standard deviations to percentages. Why? Because in order to complete the risk/opportunity calculations we need to have the probability expressed as a percentage.
(9) Calculate Expected Monetary Value (EMV) (Column I) -
In order to PRIORITIZE risks or opportunities and determine what risks/opportunities need to be addressed in some way, we need to determine which ones are the most important.
To do that, we multiply IMPACT x PROBABILITY = Expected Monetary Value (EMV).
Then we RANK ORDER the risks/opportunities using EMV from the highest to the lowest and determine what strategic and tactical responses we need to develop.
This is the reason why, to perform a complete risk analysis, you eventually must MONETIZE ALL RISKS and OPPORTUNITIES as well as calculate or determine the PROBABILITY in terms of PERCENTAGES. Without both these variables we are unable to calculate Expected Monetary Value (EMV).
(10) Rank Order by EMV (Column J) -
We then use the EMV to RANK ORDER the risk events from the highest EMV to the lowest EMV. Once rank ordered, we then can present to the appropriate stakeholders to make a STRATEGIC decision as to what risks need to be acted upon and what risks have either such a low probability and/or a low impact that the organization is willing to ACCEPT those risks.
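Steps (7) to (10) carried through in code, as an added example that is not part of the original module or the Guild's template: time impacts are monetized, a probability given in standard deviations is converted to a fraction, EMV is calculated and the rows are rank ordered. The row fields, the sample rows and the cost-per-day rate are constructed assumptions, and the z value is assumed to be read as a cumulative standard-normal probability, which is what a Z table tabulates.

```python
import math
from dataclasses import dataclass
from typing import Optional

def z_to_probability(z: float) -> float:
    """Cumulative standard-normal probability for z, the value a Z table lists."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

@dataclass
class RegisterRow:
    wbs: str                              # Column A
    event: str                            # Column B
    kind: str                             # "risk" or "opportunity"
    impact_money: float = 0.0             # Column G, already monetized
    impact_days: float = 0.0              # Column G, time impact still in days
    probability: Optional[float] = None   # Column H as a fraction (0.30 = 30%)
    z_score: Optional[float] = None       # Column H in standard deviations

    def monetized_impact(self, cost_per_day: float) -> float:
        # Step (7): days early or late are converted into money.
        return self.impact_money + self.impact_days * cost_per_day

    def probability_fraction(self) -> float:
        # Step (8): a z value is converted to a percentage before use.
        p = self.probability
        if p is None and self.z_score is not None:
            p = z_to_probability(self.z_score)
        if p is None or not 0.0 <= p <= 1.0:
            raise ValueError(f"{self.wbs}: no usable probability, EMV undefined")
        return p

    def emv(self, cost_per_day: float) -> float:
        # Step (9): IMPACT x PROBABILITY
        return self.monetized_impact(cost_per_day) * self.probability_fraction()

def rank_by_emv(rows, cost_per_day):
    """Step (10): (rank, wbs, kind, emv) tuples, highest EMV first."""
    scored = sorted(((r.emv(cost_per_day), r) for r in rows),
                    key=lambda pair: pair[0], reverse=True)
    return [(n, r.wbs, r.kind, round(v, 2)) for n, (v, r) in enumerate(scored, 1)]

# Constructed sample rows and an assumed delay cost of 10,000 per day.
SAMPLE_ROWS = [
    RegisterRow("1.2.3", "Late rebar delivery", "risk", impact_days=20, probability=0.30),
    RegisterRow("1.4.1", "Design rework", "risk", impact_money=500_000, z_score=-1.0),
    RegisterRow("1.3.2", "Bulk pipe discount", "opportunity", impact_money=120_000, probability=0.40),
]
RANKED = rank_by_emv(SAMPLE_ROWS, cost_per_day=10_000)
```

A row with neither a probability nor a z value raises an error instead of silently ranking last, which mirrors the point that EMV cannot be calculated without both variables.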
(11) STRATEGIC Risk/Opportunity Response (Column K) -
Strategic Risk Responses are generally made between the project manager and project sponsors for owner organizations and for contractors, are generally determined by the contractor’s policies and procedures manual. There are 4 possible STRATEGIC RISK Responses and 4 possible STRATEGIC OPPORTUNITY Responses:
Strategic Risk Responses
- Deflect?
- Mitigate?
- Transfer?
- Accept?
Strategic Opportunity Responses
- Exploit?
- Share?
- Enhance?
- Ignore?
These will be explained in more detail below, but suffice it to say these are designed to be PROACTIVE, that is, they are identified in ADVANCE of the risk or opportunity with the objective to either prevent a negative event from happening or reduce the impact on the project if a negative event does happen, and if the event is positive, to take full advantage of it should the opportunity present itself.
The classic way to address RISK events is to build in CONTINGENCY either in terms of TIME or MONEY. These contingencies can be embedded at the project, phase or activity level OR they can be shown separately as BUFFERS.
(12) TACTICAL Risk/Opportunity Responses (Column L) -
Unlike the STRATEGIC risk responses which are designed to be PROACTIVE, the TACTICAL risk responses are designed to be REACTIVE. That is, if a negative risk event DOES happen, exactly who should be doing what, and when and how should they be doing it? The classic example of this is the oil spill risk response teams all oil companies put in place after the Exxon Valdez oil spill.
Other common examples of “tactical” as opposed to “strategic” risk responses are your local ambulance service or fire departments, or the flight emergency instructions provided to you by your cabin crew prior to any plane departing. Basically, they are on “standby”, fully trained, but are only activated if/when there is an event requiring their services.
Likewise if the event is POSITIVE, then exactly who is authorized to act promptly and exactly what are they supposed to do? In both owner and contractor organizations alike, procurement departments are often well positioned to take advantage of price discounts by consolidating groups of small purchases into a larger bulk purchase, thus taking advantage of quantity discounts. Other examples of a tactical opportunity response would be to purchase futures as hedges against price increases for bulk materials.
04.2 - Module 04-2 - Develop Risk & Opportunity Policies & Procedures Manual
04.3 - Module 04-3 - Identify Risks / Opportunities
04.4 - Module 04-4 - Assess, Prioritize and Quantify Risks / Opportunities
04.5 - Module 04-5 - Risk / Opportunity Response Strategies and Tactics
04.6 - Module 04-6 - Risk / Opportunity Monitoring and Control
GPCCAR M04-1 Managing Risk & Opportunity Process Map, Revision 1.01