National Academies Press: OpenBook

The Owner's Role in Project Risk Management (2005)

Chapter: 4 Risk Identification and Analysis

« Previous: 3 Properties of Project Risks
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

4
Risk Identification and Analysis

INTRODUCTION

Ensuring that adequate and timely risk identification is performed is the responsibility of the owner, as the owner is the first participant in the project. The sooner risks are identified, the sooner plans can be made to mitigate or manage them. Assigning the risk identification process to a contractor or an individual member of the project staff is rarely successful and may be considered a way to achieve the appearance of risk identification without actually doing it.

It is important, however, that all project management personnel receive specific training in risk management methodology. This training should cover not only risk analysis techniques but also the managerial skills needed to interpret risk assessments. Because the owner may lack the specific expertise and experience to identify all the risks of a project without assistance, it is the responsibility of DOE’s project directors to ensure that all significant risks are identified by the integrated project team (IPT). The actual identification of risks may be carried out by the owner’s representatives, by contractors, and by internal and external consultants or advisors. The risk identification function should not be left to chance but should be explicitly covered in a number of project documents:

  • Statement of work (SOW),

  • Work breakdown structure (WBS),

  • Budget,

  • Schedule,

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
  • Acquisition plan, and

  • Execution plan.

METHODS OF RISK IDENTIFICATION

There are a number of methods in use for risk identification. Comprehensive databases of the events on past projects are very helpful; however, this knowledge frequently lies buried in people’s minds, and access to it involves brainstorming sessions by the project team or a significant subset of it. In addition to technical expertise and experience, personal contacts and group dynamics are keys to successful risk identification.

Project team participation and face-to-face interaction are needed to encourage open communication and trust, which are essential to effective risk identification; without them, team members will be reluctant to raise their risk concerns in an open forum. While smaller, specialized groups can perform risk assessment and risk analysis, effective, ongoing risk identification requires input from the entire project team and from others outside it. Risk identification is one reason early activation of the IPT is essential to project success.

The risk identification process on a project is typically one of brainstorming, and the usual rules of brainstorming apply:

  • The full project team should be actively involved.

  • Potential risks should be identified by all members of the project team.

  • No criticism of any suggestion is permitted.

  • Any potential risk identified by anyone should be recorded, regardless of whether other members of the group consider it to be significant.

  • All potential risks identified by brainstorming should be documented and followed up by the IPT.

The objective of risk identification is to identify all possible risks, not to eliminate risks from consideration or to develop solutions for mitigating risks—those functions are carried out during the risk assessment and risk mitigation steps. Some of the documentation and materials that should be used in risk identification as they become available include these:

  • Sponsor mission, objectives, and strategy; and project goals to achieve this strategy,

  • SOW,

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
  • Project justification and cost-effectiveness (project benefits, present worth, rate of return, etc.),

  • WBS,

  • Project performance specifications and technical specifications,

  • Project schedule and milestones,

  • Project financing plan,

  • Project procurement plan,

  • Project execution plan,

  • Project benefits projection,

  • Project cost estimate,

  • Project environmental impact statement,

  • Regulations and congressional reports that may affect the project,

  • News articles about how the project is viewed by regulators, politicians, and the public, and

  • Historical safety performance.

The risk identification process needs to be repeated as these sources of information change and new information becomes available.

There are many ways to approach risk identification. Two possible approaches are (1) to identify the root causes of risks—that is, identify the undesirable events or things that can go wrong and then identify the potential impacts on the project of each such event—and (2) to identify all the essential functions that the project must perform or goals that it must reach to be considered successful and then identify all the possible modes by which these functions might fail to perform. Both approaches can work, but the project team may find it easier to identify all the factors that are critical to success, and then work backward to identify the things that can go wrong with each one.

Risk identification should be performed early in the project (starting with preproject planning, even before the preliminary concept is approved) and should continue until the project is completed. Risk identification is not an exact science and therefore should be an ongoing process throughout the project, especially as it enters a new phase and as new personnel and contractors bring different experiences and viewpoints to risk identification. For this reason, the DOE project director should ensure that the project risk management plan provides for periodic updates.

METHODS OF QUALITATIVE RISK ASSESSMENT

The goal of risk identification is not only to avoid omissions but also to avoid the opposite pitfall—of being distracted by factors that are not root causes but only symptoms. Treating the symptoms, rather than the root causes, will give the appearance of activity but will not solve the

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

problem. Unfortunately, identification of symptoms is far easier than identification of root causes. Project owners should ensure that the risk identification process goes beyond the symptoms. While outside, disinterested reviewers can sometimes help perform this function, the following sections describe methods that can be used by project personnel to identify risks and their causes.

Risk Screening

Following the initial risk identification phase, the project director should have a working list of risks that have been identified as potentially affecting the project. From this list, the project director should differentiate those that seem minor and do not require further attention from those that require follow-up, qualitative analysis, quantitative analysis, and active mitigation and management. This process requires some qualitative assessment of the magnitude and seriousness of each identified risk. Various methods that have been developed to assess failures in physical equipment and systems have also been applied in one form or another to project risks.

The commonly used risk tool shown in Table 4-1 is a two by two matrix that allows assigning a risk to one of four quadrants based on a qualitative assessment of its relative impact (high or low) and the likelihood of its occurrence (high or low). Risks in the upper right quadrant

TABLE 4-1 Risk Screening Based on Impact and Probability

 

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

need the most attention. Finer gradations of impact and likelihood—for example, very high, high, medium, low, and very low (a five by five matrix)—would allow a more nuanced consideration of the attention needed.

Low Impact, Low Probability

Risks that can be characterized as both low impact and low likelihood of occurrence are essentially negligible and can usually be eliminated from active consideration. The main concern of the owner’s project director is to monitor these factors sufficiently to determine that the impact or likelihood does not increase.

High Impact, High Probability

Risks that are characterized as both high impact and high likelihood of occurrence often cause a project to be terminated, or to fail if it is continued in spite of the risks. In this situation, the owner’s management must determine if the project should be terminated or if the project is so mission critical or the potential benefits are so great that taking the risks is justified. Risk management does not imply that no risks are taken; it means that the risks taken should be calculated risks. For example, an owner may decide to proceed if there is a reasonable expectation that enough engineering or management effort can reduce either the impact or the likelihood of the events, such that the risk can become either low impact, high probability or low probability, high impact. Often such a decision is contingent on achieving the necessary risk reductions by some deadline.

Low Impact, High Probability

Low-impact, high-probability risks are those largely due to uncertainties about a number of elements that may be individually minor risks but that in the aggregate could amount to a significant risk. These include uncertainties concerning the actual costs of labor and materials (such as steel), the actual durations of activities, deliveries of equipment, productivity of the workforce, changes due to design development or the owner’s preferences, and other uncertainties that are typically considered to lie within the natural variability of project planning, design, construction, and start-up (they do not include catastrophic events or radical design changes). Each of these uncertainties, taken alone, would have little impact on the project. However, taken together, there is the possibility that many of the estimates of these factors would prove to be too optimistic, leading

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

to cumulative effects such as performance shortfalls, schedule overruns, and cost overruns. Methods for dealing with such risks include

  • Provision for adequate contingencies (safety factors) for budget and schedule (contingencies are discussed in Chapter 6).

  • Improvement in the work processes in order to reduce the uncertainties. Prefabrication of major components to avoid the uncertainties of construction at a job site is one example of changing the normal process to reduce risks (although in this example the change may also introduce new risks, such as transportation of the components to the job site; thus the resolution of one risk may give rise to another).

High Impact, Low Probability

By definition, high-impact, low-probability events are rare occurrences, and therefore it is very difficult to assign probabilities to them based on historical records. Data do not exist and so subjective estimates of probabilities are necessary. However, the objective is not the scientific determination of accurate probabilities of rare events but the determination of what management actions should be taken to monitor, mitigate, and manage the risks. For example, if a certain risk is identified and management determines that some specific mitigation actions should be taken if the risk has a likelihood of more than 1 in 100 of occurring, then a precise characterization of the probability is unnecessary; the only issue is whether it is assessed to be more than 1 in 100 or less than 1 in 100.

Pareto Diagrams

One of the important uses of a good risk analysis is to determine where to apply management resources and what to leave alone, as management resources are not unlimited. One approach is to break down the uncertainties into manageable parts. Pareto diagrams are one way to show the sources of uncertainty or impact in descending order. This form of presentation makes explicit those activities that have the greatest effect on the project completion date or cost and that therefore require the greatest management attention. The project director or manager must then determine whether the high-ranking events are (1) truly root causes or (2) simply work packages or activities that may reflect underlying causes but are themselves symptoms. The resulting analysis can provide guidance for managers to reduce, mitigate, buffer, or otherwise manage these sources of uncertainty.

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

As a simple illustration, suppose we are interested in determining which work packages have the greatest effects on the uncertainty in the total cost. First, we estimate the uncertainty, or variance, in the cost of each individual work package. Second, we estimate the correlations or associations between each pair of work packages. Then, by elementary second-moment theory (Benjamin and Cornell, 1970),1 the sensitivity of the uncertainty in the total project cost with respect to each work package is proportional to the combination of the activity uncertainties and the correlations between activities. That is, the uncertainty in the total cost is affected not only by the uncertainty in each work package but also by how much each work package affects, and is affected by, the others. As an elementary example, the uncertainty in the cost of a construction project may be more sensitive to outdoor activities than to indoor activities because unusually bad weather can cause a number of outdoor activities to run over budget and over schedule simultaneously, whereas indoor activities are typically not linked so tightly to the weather. By tabulating these values for all work packages, and sorting them from largest to smallest, we can identify those work packages with the largest sensitivities, which are those to which the project manager should give the highest priority. If we do this for a project of, say, 20 work packages and sort them according to the largest values of the sensitivities, we can then plot a Pareto diagram, as shown in Figure 4-1. (The absolute values of the sensitivities have no importance; the only concern is the relative values.)

Failure Modes and Effects Analysis

In project risk assessment, a failure can be any significant event that the sponsor does not want to happen—a budget overrun, a schedule overrun, or a failure to meet scope, quality, or mission performance objectives. While risks may arise from specific causes, they may also be the result of general environmental conditions that are not limited to specific times and places but are pervasive throughout the project. The objective of failure modes and effects analysis is the identification of root or common causes, which may affect the project as a whole. Often this identification is facilitated by methodically considering the project function by function,

1  

All probability distributions may be characterized by their moments. Second-moment theory is the use of the second moments of probability distributions—that is, means, variances, and covariances (or correlation coefficients), instead of full probability distribution functions. As probability distributions are subjective and therefore not capable of precise definition, this approximate method can greatly simplify many calculations and, more importantly, provide the risk analyst with insight into the effects of uncertainty on project outcomes.

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

FIGURE 4-1 Pareto diagram.

to try to avoid omissions. Identification of potential risks that turn out, upon further assessment, to be negligible is a waste of time; however, failure to identify potential risks that turn out to be serious is a threat to the project. Therefore, the project director should err on the side of caution when identifying possible risks.

Failure modes and effects analysis (FMEA) is a discipline or methodology to assist in identifying and assessing risks qualitatively. It is a method for ranking risks for further investigation; however, it is not a method for quantifying risks on a probabilistic basis (Breyfogle, 1999). FMEA is typically based on a subjective assessment of the relative magnitudes of the impacts of the risk events on the project (often on a scale from 1 to 10), multiplied by the relative likelihood that the risk event will occur (also on a scale from 1 to 10). In addition, a third parameter may be included to assess the degree of warning that the project will have regarding the actual occurrence of the risk event (again on a scale from 1 to 10). This third parameter may give some management support by establishing early warning indicators for specific serious risks, which might not otherwise have been established.

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

The purpose of assigning these values for all significant risks is only to rank the risks and to set priorities for subsequent quantitative analysis of the significant risks. In the absence of more quantitative factors, such as sensitivity analysis, the failure modes, or better, all root causes, can be used to rank the risks. One can prepare a Pareto chart that shows the risks ordered by possible impact or by the combination of impact and likelihood of occurrence. Then risk mitigation efforts can first address the failure mode or root cause with the highest impact and work from there.

The three factors—severity, likelihood, and leading indicators—interact. For example, if the project is the construction of a facility in a flood plain or an area with poor drainage, then a failure mode could be flooding of the work site. Project management cannot affect the frequency of floods, so risk management must focus on trying to reduce the severity of the impact of a flood. If the control method is to buy flood insurance and then evacuate personnel and abandon the site if the water rises, then measuring the height of the water (the “Nilometer” method) may be a sufficient indicator. If the control method is to reduce the severity of loss by placing sandbags around the perimeter and renting pumps, then measuring the water height may have little impact on the mitigation effort; but measuring the rainfall across the watershed may be more appropriate because it allows time to implement the control. If the control method is to build a cofferdam around the site before constructing anything else, then the choice of leading indicator may be irrelevant.

Efforts to mitigate the risks will focus on the impact, likelihood, and detectability of the most serious risk or its root causes and will try to reduce these factors until this risk becomes as low as or lower than the next higher risk. As this process continues, the most important risks will be reduced until there are a number of risks essentially the same and a number of other risks all lower than the first group. The first group will require specific management actions and may require constant monitoring and attention throughout the project. The second group will be monitored, but with lower priority or frequency. The first group is considered the critical group, much like the critical-path activities in a network schedule; the second group is the noncritical group, which must be watched primarily to see that none of the risks from this group become critical.

It should be emphasized that this form of risk assessment is qualitative and relative, not quantitative and absolute. It is primarily for distinguishing between risks that require follow-up and management, because of high impact or high likelihood (or both), and risks that do not appear to require follow-up, because of both low impact and low likelihood. It should be clearly understood that there is no quantitative assessment of the overall risk to the total project: The severity factors are not estimated

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

in terms of loss of dollars, the likelihoods of occurrence are not probabilities, and there is no cost-benefit analysis of the risks versus the control methods. The analysis only identifies risk priorities in a methodical way to help direct further risk management activities. It is left to the judgment of the project engineers, designers, and managers to determine the appropriate risk mitigation and control measures to achieve an acceptable level of risk. Note especially that risks with a low likelihood of occurrence but very high severities may require follow-up and management action.

Due to changes in project conditions or perceptions, even risks that appear to have low impact and high likelihood at one time may appear differently at another. Therefore, the owner’s representatives have the responsibility to reevaluate all failure modes and effects periodically to ensure that a risk previously considered negligible has not increased in either impact or likelihood to a level requiring management attention.

Project Definition Rating Index

The Project Definition Rating Index (PDRI) is an example of an additive qualitative risk assessment tool (CII, 1996, 1999). The PDRI is used in front-end project planning to help the project team assess project scope definition, identify risk elements, and subsequently develop mitigation plans. It includes detailed descriptions of issues and a weighted checklist of project scope definition elements to jog the memory of project team participants. It provides the means to assess risk at various stages during the front-end project planning process and to focus efforts on high-risk areas that need additional definition. The PDRI facilitates the project team’s assessment of risks in the project scope, cost, and schedule. Each risk element in the PDRI has a series of five predetermined weights. Once the weights for each element are determined they are added to obtain a score for the entire project. This score is statistically correlated with project performance to estimate the level of certainty in the project baseline.

METHODS OF QUANTITATIVE RISK ANALYSIS

After risk factors are assessed qualitatively, it is desirable to quantify those determined by screening activities to be the most significant. It cannot be repeated too often that the purpose of risk assessment is to be better able to mitigate and manage the project risks—not just to compute project risk values. The assessment of risks attributed to elements completely out of project management control—such as force majeure, acts of God, political instability, or actions of competitors—may be necessary to reach an understanding of total project risk, but the risk assessment should

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

be viewed as a step toward identifying active measures to manage all risks, even those considered outside the control of project managers, not to support a passive attitude toward risks as inevitable.

It is often desirable to combine the various identified and characterized risk elements into a single quantitative project risk estimate. Owners may also be interested in knowing the total risk level of their projects, in order to compare different projects and to determine the risks in their project portfolios. (See the discussion of program risk and project portfolios in Chapter 8.) This estimate of overall project risk may be used as input for a decision about whether or not to execute a project, as a rational basis for setting a contingency, and to set priorities for risk mitigation.

While probabilistic risk assessment methods are certainly useful in determining contingency amounts to cover various process uncertainties, simple computation methods are often as good as, or even better than, complex methods for the applications discussed here. Owner’s representatives should be proficient in simple statistical approaches for computing risk probabilities, in order to be able to check the numbers given to them by consultants and contractors. When addressing probabilistic risk assessment, project directors should keep in mind that the objective is to mitigate and manage project risks and that quantitative risk assessment is only a part of the process to help achieve that objective.

There are many available methods and tools for quantitatively combining and assessing risks. Some of the most frequently used methods are discussed briefly below.

Multivariate Statistical Models

Multivariate statistical models for project costs or durations are derived from historical data. Also known as regression analysis, statistical models are one of two methods of analysis explicitly cited in OMB Circular No. A-94 (OMB, 1992). The models are typically either top-down or parametric and do not contain enough detail to validate bottom-up engineering estimates or project networks.

These methods are objective in that they do not rely on subjective probability distributions elicited from (possibly biased) project advocates. Analysts build linear or nonlinear statistical models based on data from multiple past projects and then compare the project in question to the models. The use of such statistical models is desirable as an independent benchmark for evaluating cost, schedule, and other factors for a specific project, but statistically based methods require a large database of projects, and many owners do not perform enough projects or expend the effort to create such databases. Owners who have performed many projects but have not developed usable historical project databases have an opportu-

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

nity to improve their competence in project and program management by organizing their own data. Computational methods such as resampling and bootstrapping are also used when data are insufficient for direct statistical methods.

The bootstrap method is a widely used computer-based statistical process originally developed by Efron and Tibshirani (1993) to create a proxy universe through replications of sampling with replacement of the original sample. Bootstrapping is used to estimate confidence levels from limited samples but is not applicable for developing point estimates.

Event Trees

Event trees, also known as fault trees or probability trees, are commonly used in reliability studies, probabilistic risk assessments (for example, for nuclear power plants and NASA space probes), and failure modes and effects analyses. The results of the evaluations are the probabilities of various outcomes from given faults or failures. Each event tree shows a particular event at the top and the conditions causing that event, leading to the determination of the likelihood of these events. These methods can be adapted to project cost, schedule, and performance risk assessments.

System Dynamics Models

Projects with tightly coupled activities are not well described by conventional project network models (which prohibit iteration and feedback). Efforts to apply conventional methods to these projects can lead to incorrect conclusions, counterproductive decisions, and project failures. In contrast, system dynamics models (Forrester, 1969) describe and explain how project behavior and performance are driven by the feedback loops, delays, and nonlinear relationships in processes, resources, and management. System dynamics models can be used to clarify and test project participants’ assumptions as well as to design and test proposed project improvements and managerial policies. Because system dynamics models are based on dynamic feedback the models can also be used to evaluate the impacts of various failure modes or root causes, particularly in cases where the root causes can be identified but the ripple effect of their impacts is difficult to estimate with any confidence.

System dynamics models have been effectively used for project evaluation, planning, and risk assessment (Cooper, 1980; Lyneis, Cooper, and Els, 2001; Ford and Sterman, 2003). Although the use of these models is not standard practice for project planning and risk management, they can significantly help owners to improve their understanding of project risks.

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

Sensitivity Analysis

Sensitivity analysis of the results of any quantitative risk analysis is highly desirable. A sensitivity coefficient is a derivative: the change in some outcome with respect to a change in some input. Even if the probability of a particular risk cannot be determined precisely, sensitivity analysis can be used to determine which variables have the greatest influence on the risk. Because a primary function of risk analysis is to break down the problem into essential elements that can be addressed by management, sensitivity analysis can be very useful in determining what decisions the manager should make to get the desired results—or to avoid undesired results. In the absence of hard data, sensitivity analysis can be very useful in assessing the validity of risk models.

Project Simulations

Project simulations are group enactments or simulations of operations, in which managers and other project participants perform the project activities in a virtual environment before undertaking them on the project. This type of simulation may or may not be supported by computers; the emphasis is not on the computer models but rather on the interactions of the participants and the effects of these interactions on project outcomes. For this reason, project simulations are very good for team building before a project actually starts up. They are not inexpensive, but the cost is generally comparable to the costs of the other techniques cited here, and they can be very cost-effective in the long run, compared to the typical approach of jumping into major projects with little or no preparation of the personnel and their working relationships. Engineering and construction contractors have developed project simulation methods (Halpin and Martinez, 1999), and owners can develop their own or specify that their contractors should perform such simulations before a project starts, in conjunction with the other preproject planning efforts.

Stochastic Simulation Models

Stochastic simulation models are computerized probabilistic simulations that, for computational solution, typically use random number generators to draw variates from probability distributions. Because the computer simulation is performed with random numbers, these methods are also called Monte Carlo simulations. The objective of the simulation is to find the uncertainties (empirical probability distributions) of some dependent variables based on the assumed uncertainties (subjective probability distributions) of a set of independent variables, when the relation-

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

ships between the dependent and independent variables are too complex for an analytical solution. Thus each iteration (random simulation) may be considered an experiment, and a large number of these experiments gives insights into the probabilities of various outcomes. Monte Carlo simulation is typically used to combine the risks from multiple risk factors and as such is useful to determine whether the total risk of a project is too great to allow it to proceed or to determine the appropriate amount of contingency. This technique is the second of the two methods explicitly cited in OMB Circular No. A-94 (OMB, 1992).

Stochastic simulations differ from multivariate statistical models because they are typically not based on hard data. They can be useful in the absence of real data in that they are based on subjective assessments of the probability distributions that do not require large databases of previous project information. An often-cited weakness of this method is that subjective assessments of probability distributions often lack credibility, because they may be influenced by bias. This can be overcome to some degree by a carefully structured application of expert judgment (Keemey and von Winterfeldt, 1991).

As is the case with all the other computer methods for quantitative risk analysis discussed here, the validity of the method lies entirely in the validity of the probabilistic models. Monte Carlo simulation is very versatile because it can be applied to virtually any probabilistic model. However, the validity of the results may sometimes be suspect, due to the following factors:

  • The independent variables may not actually be independent;

  • The number of iterations in the simulation may be insufficient to produce statistically valid results; or

  • The probability distributions assumed for the independent variables are subjective and may be biased if they are provided by project proponents.

It is certainly possible to develop project-specific cost models, for example, by using causal parameters that are totally independent. However, many risk analyses are not based on project-specific models but simply adopt the standard engineering additive cost models, in which the total cost is the sum of work package costs. The simulations simply add up the uncertainties associated with work packages, but they may be inaccurate because these work packages are not necessarily independent. It is computationally much easier to perform Monte Carlo simulation if the analyst avoids the need to consider interactions between variables by simply assuming that all variables are independent; however, an analysis without consideration of common mode failure can lead to an under-

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

estimation of total project risk. In project risk assessment, a common mode could be an event or environmental condition that would cause many cost variables to tend to increase (or decrease) simultaneously. It is widely recognized that a single event can cause effects on a number of systems (i.e., the ripple effect). If the event occurs, the costs of these systems will all increase, whereas if it does not occur, they will remain within the budget. Thus these affected costs are definitely not statistically independent.

Collaboration between people who are very conversant with the specific risks of the project and those who are familiar with probabilistic methods is typically required to reduce bias and to produce realistic quantification of project risks. Project owners should ensure that the probabilistic inputs are as objective and unbiased as possible and that the reasons for choosing specific probability distributions are adequately documented.

As with any method, the use of stochastic simulation requires quality control. The owner’s policies and procedures on Monte Carlo simulation should include cautions to project directors and managers about the limitations of this method as it is commonly applied. The project director is generally not a specialist in Monte Carlo simulation, and does not need to be, but should understand the advantages and limitations of this approach. This is particularly true now that Monte Carlo simulation is readily available through common spreadsheet software and so can be used by people with little knowledge of statistics. A project director should know enough to be able to critically evaluate the stochastic simulation results for plausibility and should not accept the results just because they come from a computer.

It is common for Monte Carlo simulations to use far fewer iterations than the minimum normally required to get statistically valid answers. But simulations with insufficient iterations may underestimate the probability in the tails of the distributions, which is where the risks are. (See, for example, Alder, Feldman, and Taggo, 1998.) Therefore, a simulation with fewer random samples may indicate more or less risk than one with more iterations. There are mathematical formulas (Breyfogle, 1999) that can be used to compute the minimum number of iterations for acceptable confidence limits on the means or the values in the tails of the distribution. If a consultant or contractor is performing Monte Carlo simulations for risk assessments, it would be prudent for the owner’s project director to review the confidence limits on all values computed using Monte Carlo simulation, to ensure that a sufficient number of iterations has been performed.

The use of Monte Carlo and other techniques for mathematically combining the risks of individual work packages into a single project risk number should not obscure the fact that the objective is to manage the risks.

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

As typically used, Monte Carlo simulations tend to be focused on total risk probabilities, not on sensitivity analysis, risk prioritization, or assessing possible outcomes from different proposed risk management policies.

Additive Models

Additive models, as the name implies, are those in which the combination of risk factors is based on simple addition. An example is the summation of cost elements to generate the total project cost, or the summation of activity durations to generate the total project duration. These models are relatively simple programs based on the summation of moments, derived from probability theory, to combine risks for dependent as well as independent variables. If the objective is simply to find the probability distribution of the project cost estimate as the sum of a number of work packages or activities, stochastic simulation is unnecessary. One advantage of simple additive models is that they are easily understood, and it is usually obvious which activities contribute the most to the total project uncertainty and which do not. This method is the basis for the program evaluation and review technique (PERT) for determining uncertainty in project completion times.

In bottom-up project cost estimating, the total cost is simply the sum of the costs in the WBS work packages. This is a purely linear relationship. Therefore, estimating the uncertainty in the total cost requires only summing the uncertainties in the individual cost accounts, modified by the dependencies between them. Probability theory tells us that we can compute the moments of the probability distribution of the total project cost by summing the moments of the uncertainties in all the individual cost accounts (Burlington and May, 1953; Hald, 1952). The number of moments can be approximated to some finite number. (This is a very common method of approximation in engineering—for example, the truncation of a Taylor Series after one term in order to gain a linear equation.) The second-moment approach (Benjamin and Cornell, 1970) uses the first two moments, i.e., the mean and the variance, and neglects the third (skewness) and higher. The second-moment approach does not deal with full probability distributions but uses only the means, variances, and covariances (the first two moments) to characterize uncertainties.

This approximation is justified because it is very difficult or even impossible to estimate higher moments (skewness, kurtosis, etc.) with any accuracy, even if one were in possession of large historical databases. In most cases of risk assessment, the probability distributions are largely subjective and based on judgment and experience rather than hard data. There is little point in making highly precise computer calculations on numbers that cannot be estimated accurately anyway.

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

There are some additional advantages of the second-moment approach:

  • Priorities for risk mitigation can be obtained from a Pareto analysis using just the uncertainty in each individual risk factor and the correlations between risk factors.

  • Sensitivity analyses are easily performed.

  • As a project progresses, the estimates of the uncertainties in future cost accounts or activities can readily be revised, based on the past performance of the project itself. This is one of this method’s most useful properties. By comparing the actual performance on completed work packages, activities, or milestones with the prior estimated uncertainties, one obtains revised estimates of the work packages, activities, or milestones yet to come.

Through second-moment analysis, project directors can use the information and experience on the actual project to revise the estimates of the work to go. This approach can be a valuable tool for program managers, if each project director is required to report the updated, revised cost at completion, including the confidence bounds on this estimate, for every reporting period. Because this method looks forward instead of backward, as most other project management methods do (including earned value analysis), unfavorable revisions to either the expected cost at completion or the uncertainty in the cost at completion should trigger management action. Conversely, favorable revisions to either the expected cost at completion or the uncertainty in the cost could allow management reserves to be reallocated to other projects with greater needs. (See Chapter 8 for a discussion of managing risks of project portfolios.)

The second-moment method provides a simple, convenient method for the adjustment of risks, and hence the adjustment of the required contingencies, as a project proceeds and data are obtained on how well or badly it is performing. The objective of this approach is to react as soon as possible to information on recent project performance that tends to confirm or to refute the current estimates. The key control parameter is the estimated cost (or time) at completion. For example, if the best estimate of the cost at completion, updated with the most recent progress information, is higher than the original estimate, then, assuming no scope changes, either the risk of overrunning the budget is greater than originally estimated, or program management corrective action may be needed to bring the project back on target. Conversely, if the updated best estimate of the cost at completion is the same as or lower than the original estimate, then the required contingency can be decreased. In this approach, the estimates of all future work packages are updated as the actual costs for each completed work package become available through the cost reporting system.

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

TABLE 4-2 Summary of Risk Analysis Tools

Tool

Characteristics

Two-dimensional impact/ probability

Qualitative, simple to use and most frequently used, can be expanded to three or more dimensions, and can be combined with FMEA

Pareto diagram

Simple qualitative method for prioritizing risk elements

Failure modes and effects analysis (FMEA)

Qualitative, used for initial screening only, effective in a team environment

Project Definition Rating Index

Qualitative, used in front-end project planning, effective in a team environment

Multivariate statistical model

Quantitative, requires historical database

Event tree

Quantitative, rarely used for risk analysis

System dynamics model

Both qualitative and quantitative, rarely used but effective, requires skilled modelers

Sensitivity analysis

Quantitative, useful regardless of which other process used, useful in absence of hard data

Project simulation

Both qualitative and quantitative, useful for team building, expensive to implement

Stochastic simulation

Quantitative, frequently used, often misused, so limitations must be made clear

Additive model

Quantitative, can be adjusted as project progresses

Table 4-2 provides a summary of the qualitative and quantitative methods of risk analysis reviewed in this section.

CONCLUSION

Although additive, second-moment models lack the computational complexity of stochastic risk assessment techniques, for most practical applications they are more than adequate. From the standpoint of the owner, the purpose of project risk assessment is to minimize the impact of uncertainty on the project. How this is best accomplished will vary with circumstances, but, in general, simple direct methods have proven them-

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×

selves in practice. This does not discount the value of stochastic models, but their application needs to be considered in terms of their contribution to risk management. Probabilistic simulations are of particular value when data are sparse and the full range of possible adverse events cannot be easily inferred. Provided that a sufficient number of simulations are performed, boundaries for total project risk can be established. However, for the vast majority of projects, it is the committee’s collective experience that the simpler models are more useful for generating risk estimates that can be used in day-to-day project management.

Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 22
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 23
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 24
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 25
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 26
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 27
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 28
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 29
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 30
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 31
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 32
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 33
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 34
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 35
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 36
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 37
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 38
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 39
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi: 10.17226/11183.
×
Page 40
Next: 5 Risk Mitigation »
The Owner's Role in Project Risk Management Get This Book
×
Buy Paperback | $38.00 Buy Ebook | $30.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Effective risk management is essential for the success of large projects built and operated by the Department of Energy (DOE), particularly for the one-of-a-kind projects that characterize much of its mission. To enhance DOE’s risk management efforts, the department asked the NRC to prepare a summary of the most effective practices used by leading owner organizations. The study’s primary objective was to provide DOE project managers with a basic understanding of both the project owner’s risk management role and effective oversight of those risk management activities delegated to contractors.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!