National Academies Press: OpenBook

Guidebook for Successfully Assessing and Managing Risks for Airport Capital and Maintenance Projects (2014)

Chapter: Part 2 - Project Risk Management: Step-by-Step Process

Suggested Citation:"Part 2 - Project Risk Management: Step-by-Step Process." National Academies of Sciences, Engineering, and Medicine. 2014. Guidebook for Successfully Assessing and Managing Risks for Airport Capital and Maintenance Projects. Washington, DC: The National Academies Press. doi: 10.17226/22278.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Part 2 - Project Risk Management: Step-by-Step Process

Chapter 3. Project Risk Management Planning
Chapter 4. Project Risk Identification
Chapter 5. Project Risk Analysis
Chapter 6. Project Risk Response Planning
Chapter 7. Project Risk Monitoring and Control

Part 2 Objectives

The chapters in this part address the following questions:
• What are the steps of the project risk management process?
• What are the key activities of each step?
• What tools and techniques can be used throughout each step?
• What outputs are expected to be developed as a result of these efforts?

Chapter 3. Project Risk Management Planning

Key Activities
• Understand the airport’s risk tolerance
• Review the project scope, goals, and constraints
• Define the level of risk management to apply to the project
• Define the tools and techniques to use
• Define roles, responsibilities, and resources necessary to manage risk

Inputs
• Project scope or charter
• Airport’s risk tolerance level

Tools and Techniques
• Risk management plan template

Outputs
• Risk management plan

Airport projects can range from routine, straightforward maintenance projects to highly complex, multifaceted capital projects valued in the millions of dollars. However, regardless of their type or size, all projects would benefit from some level of risk management. The objective of the risk management planning step, as described in this chapter, is to identify the optimal level of risk management to apply to a particular project.

Explicitly planning the risk management effort helps to ensure that:
• The level, type, and visibility of risk management activities are appropriate given both the perceived level of project risk and criticality of the project to the airport.
• Sufficient resources and time for risk management activities are incorporated into the project schedule and budget.
• Individuals assigned to participate in the risk management effort have an established and structured process for evaluating and responding to risks.

3.1 Key Activities

3.1.1 Process Step Overview

Project risk management planning is a scalable activity with an approach and resource commitment commensurate with the project’s size, complexity, and criticality. The objective of the risk management planning step is to define the approach and tools used to manage risks for a particular project through each step of the project risk management process.

A variety of tools and techniques are available to support each step. The selection of tools and techniques to use for each step depends in part on the project’s development phase and complexity, resource availability, quality of input data, and the desired level of analytical rigor.

There are seven key steps in project risk management planning, whether for capital or maintenance projects:

1. Understand the Airport’s Tolerance for Risk. To establish how much risk management to apply to a particular project, it is important to first understand and view the risk posed by that project in the context of the airport’s overall tolerance or appetite for risk, by considering such questions as:
• What is the risk appetite of the oversight authority and/or management?
• Have any recent events (e.g., negative press, overruns on other projects, heightened public or regulatory scrutiny) increased the airport’s sensitivity to risk?
• What is the financial investment in the project relative to the airport’s overall budget for capital and maintenance projects?

22 Guidebook for Successfully Assessing and Managing Risks for Airport Capital and Maintenance Projects The answers to these questions will help define the level and nature of risk tolerance within the airport at a given point in time. This in turn will establish a foundation for subsequent discussions on what is and is not an appropriate level of risk for the project and how to manage this risk accordingly. It is important to bear in mind that risk tolerance may change over time. Changing circum- stances (e.g., heightened public, political, or regulatory scrutiny) may trigger a reevaluation of what constitutes an acceptable level of risk for the airport. 2. Review Project Scope, Project Objectives, and Constraints. Understanding project-specific objectives and constraints will help clarify what is important to project success, which may in turn drive the selected risk management approach. For example, for a high-profile proj- ect having a fixed completion date, it may be desirable to know, with a reasonable degree of certainty, how likely the project is to reach completion within the desired time frame. If the scope of the risk management effort extends to answering such questions, the risk manage- ment plan would have to allow for adequate time and resources to perform a quantitative risk analysis. 3. Determine How Much Project Risk Management to Apply. As noted previously, project risk management is a scalable activity that can be tailored to the airport’s tolerance for risk and other project-specific factors such size, complexity, and criticality. For example, for a minor or routine project, risk management could simply entail verbally identifying risks with the goal of raising awareness of potential threats to project success among the project participants. As project size or complexity increases, the nature and objective of project risk management activities would change accordingly, as summarized in Table 3.1. 4. 
Determine Which Project Risk Management Tools and Techniques to Use. Table 3.2 and Table 3.3 further refine the amount of effort and, more specifically, which tools and techniques to apply to each step of the risk management process. Table 3.2 defines generic attributes associ- ated with low-, medium-, and high-risk projects, the format of which individual airports can tailor to suit their own experience and needs. Participants in the planning effort can review the factors identified in Table 3.2 to gener- ate an informal assessment of the perceived level of risk and uncertainty associated with a project. Where the project generally falls within the risk spectrum defined in Table 3.2 can then be used as an input into Table 3.3 to help establish how much risk management to apply to the Table 3.1. Possible levels of project risk management. Project Characteristics Goal of Project Risk Management Key Project Risk Management Steps Small, Routine Raise awareness of risks and opportunities Project risk identification Moderate Size or Complexity Prioritize and mitigate risks Use of a risk register to formally identify and document risks, their probability of occurrence and impact on project objectives, and the chosen risk response strategy Large or Highly Complex Develop risk-based cost and/or schedule contingency Quantitative analysis of cost and schedule risks, with the results used to establish risk- based contingencies

Project Risk Management Planning 23 Table 3.2. Typical characteristics of low-, medium-, and high-risk projects. Characteristic Low Risk Medium (Blended) Risk High Risk Project Scope Well-defined Unlikely to change Somewhat defined Small change is possible Poorly defined Likely to change Project Budget Developed by experienced personnel using proven estimation processes Established by personnel with some experience Not established by experienced personnel using proven estimation processes Market and Community Conditions Minimum variability or uncertainty Moderate variability or uncertainty High variability or uncertainty Funding Committed and realistic Marginally adequate and expected to remain relatively stable Funding is less than estimated need and/or its stability is uncertain Schedule Milestones Realistic and/or flexible dates Firm, pre- established milestones that may affect operations if missed Overly aggressive or unrealistic dates fixed by a specific operational commitment or regulatory requirements Project Manager Experience Successfully completed multiple projects of similar size, scope, and complexity Finished one project of about the same size or complexity Prior experience limited to smaller or simpler projects Project Staffing Available and committed to the specific project Key people identified Significant staffing unknowns remain or staff is overcommitted Management Support Project sponsor identified and committed, and has reasonable/ realistic expectations Project sponsor identified and generally agrees with project direction Project sponsor not identified, indecisive regarding project scope, or has unreasonable or unrealistic expectations Technical Requirements Similar to past projects undertaken by the airport Expertise available in- house Project team somewhat familiar with the subject matter Expertise readily available from internal and/or external subject matter experts New and complex subject matter that is not well known to the project team 
Subject matter expertise must be sought (continued on next page)

24 Guidebook for Successfully Assessing and Managing Risks for Airport Capital and Maintenance Projects project (and by extension, which methods and tools included in this guidebook would be most beneficial in helping the team implement the chosen approach). Table 3.3 recommends a course of action for managing both low- and high-risk projects. Some projects may actually be a blend between low and high risk, and the project manager should scale the appropriate course of action. 5. Define Roles and Responsibilities. Effective project risk management requires early and con- tinual involvement of team members as well as outside help from subject matter experts, as appropriate. Establishing and documenting roles and responsibilities during the planning step will help ensure that the appropriate resources are committed to the project. Overall roles and responsibilities associated with the project risk management effort are sum- marized in Table 3.4 and are scalable to not only specific projects, but these roles and responsi- bilities can be adjusted for the risk tolerance established at the organization level. Additionally, each chapter in Part 2 contains a similar table showing the specific roles and responsibilities relevant to each step. 6. Ensure Adequate Capability for Risk Management Activities a. Provide some level of risk management training/guidance to risk management partici- pants. Organizing and training the risk management participants to follow a disciplined, repeatable process for managing risk is important, especially given the differing attitudes and tolerances most individuals will initially have toward risk. 
Experienced teams do not necessarily have to receive training for each implementation of project risk management, but a quick review of lessons learned from earlier assessments combined with achieving consensus on the risk tolerance and risk definitions to apply to the particular project can help avoid false starts (e.g., “high probability” and “high impact” should mean the same thing to all participants in the risk management process). b. Identify any need for subject matter experts and plan accordingly. The time of subject matter experts tends to be limited (and possibly costly if using external consultants). To efficiently make use of their time, the project team should already begin thinking during the planning stage about any need to bring internal or external subject matter experts into the risk management process and when it would be most beneficial to do so (e.g., during Characteristic Low Risk Medium (Blended) Risk High Risk Regulatory Requirements Regulations unlikely to change or changes would not affect project scope, schedule, or budget Regulations subject to change; however, minimal impact to project scope, schedule, or budget Regulations likely to change and affect the project scope, schedule, or budget Coordination with Other Projects Project independent of other projects Project tied into another project Multiple tie-ins to other projects, requiring significant coordination Contractor Has experience with type of project Has experience with airport operations Has limited experience with project type Has limited experience with airport operations Has no experience with type of project Has no experience with airport operations Table 3.2. (Continued).

Project Risk Management Planning 25 Table 3.3. How much risk management to apply. Step Low Risk (Simple or Small-Scale Projects) High Risk (Large, Critical, or Complex Projects) Project Risk Management Planning Project manager establishes the general approach to risk management that the team will follow. May or may not result in a risk management plan A formal, written risk management plan is developed and submitted to senior management for review and approval. At predetermined points and as necessary, plan is reviewed to determine if adjustments are necessary. Tool: Risk management plan Project Risk Identification Conducted by the project manager with input from project team as necessary Tool: Risk checklist Conducted during a facilitated risk workshop with internal and/or external subject matter experts Tool: Risk register Project Risk Analysis Qualitatively assess risks to identify the most critical Tool: Probability and impact matrix worksheet The team, working collaboratively with independent subject matter experts, reviews and/or validates cost and schedule estimates and identifies, characterizes, and analyzes risks. This process may involve both qualitative and quantitative tools to evaluate and prioritize risks and establish risk-based contingencies. Tool: Updated risk register (based on quantitative and/or qualitative analysis) Project Risk Response Planning Brainstorming session Tool: Updated project plan Existing standard operating procedures Perform cost–benefit analysis to determine the optimal response strategies Tool: Updated risk register Project Risk Monitoring and Control Periodic status meetings as required, including discussion of progress and issues Regularly monitor and record effectiveness of response strategies using the risk register Conduct formal after-action review workshop to identify lessons learned and best practices to apply to future project Tool: Risk register

Table 3.4. Typical project risk management roles and responsibilities.

Columns: Role; Typical Responsibilities

Senior Management: Establishes the threshold for risk tolerance for the organization. Establishes the level of rigor and discipline at which project risk management will be performed through the organization. Establishes level of importance to the process.

Project Sponsor: Establishes the threshold for risk tolerance on a given project and approves the risk management plan. Validates scope, schedule, and budget reasonableness.

Project Manager: Oversees the risk management process for the project and organizes all risk management planning sessions. Clarifies the acceptable level of risks for the project in consultation with key stakeholders. Finalizes and presents risk management plan to the project sponsor and/or other approving authorities. Incorporates the resources and time required to implement the risk management plan into the project budget and schedule. Regularly reports risk status to key stakeholders, offering recommendations for appropriate response actions to maintain acceptable risk exposure within established risk tolerance(s) of organization. Monitors the efficiency and effectiveness of the risk management process. Appoints risk owners for each identified risk. Coordinates with risk owners to monitor risks and implementation of response strategies.

Project Team Members: Participate in risk process, proactively identifying and managing risks in their areas of responsibility. Participate in risk workshops and risk review meetings as required. Provide input to project manager for risk reports. Assist the project manager in developing and implementing the risk management plan.

Risk Owner: Assumes responsibility for managing a specific identified risk. Develops and implements responses to the risk. Monitors risk status, including current likelihoods and impacts. Reports progress to the project manager by updating the risk register as necessary.

Risk Analyst: Defines appropriate tools and techniques for quantitative and/or qualitative risk analysis. Conducts quantitative and/or qualitative risk analysis for identified risks. Manages risk, opportunity, and response probability distributions based on outputs of risk identification, monitoring, and control. Supports risk owner and project manager in development of risk response strategies.

risk identification or analysis). Consideration should also be given to how topics could be grouped or focused to ensure the appropriate experts are specifically reviewing those risks that would most benefit from their expertise and experience.

7. Document Decisions in a Risk Management Plan. For simple projects, the risk management planning step could simply entail the project manager establishing and communicating the general approach to risk management that the team will follow for a particular project. As projects increase in size and complexity, the project manager would likely develop a more formal plan in consultation with the project team, the project sponsor, and other key stakeholders. The results of the planning process should then be documented in a risk management plan. Formally documenting the results of the risk planning step will help:
• Ensure the completeness of the plan with respect to the needs of a given project for risk management;
• Provide a means to communicate the project’s risk management approach and needs, thereby helping to ensure that risk management activities are incorporated into the project schedule, budget, and resource requirements;
• Minimize the need for ad hoc decision making when implementing the other risk management steps;
• Provide the rationale for why certain decisions were made;
• Provide a structured road map that the project team can then use to implement the project risk management process for a particular project; and
• Provide a baseline for assessments and updates as the project progresses.

3.1.2 Timing

Good planning provides the foundation for implementing an organized, comprehensive, and iterative approach to managing project risk.
To support project management efforts, the project risk management planning function should be performed as early as possible in the project life cycle to help identify risks and opportunities in time to incorporate any necessary response actions into final designs and to help refine schedule and budget estimates.

Establishing a risk management approach during an initial planning step does not mean that this plan should remain fixed for the duration of the project. As the project progresses and new information becomes available (e.g., more or fewer risks materialize than originally thought), it may be beneficial to reevaluate the original plan for effectiveness and make adjustments as necessary.

3.1.3 Participants

For a given project, the project manager, with assistance from the project team as necessary, should develop the risk management plan and identify the resources required to perform the risk management activities.

The project manager may also wish to engage the project sponsor and other key stakeholders to obtain their buy-in and support for the plan. Although this guidebook recommends a standardized approach for performing risk management, the specific processes, tools, and resources used to manage risk on a particular project will vary. It is therefore important for management and stakeholders to understand and concur with the chosen approach.

Table 3.5 outlines the roles and responsibilities for the project risk management planning step.

Table 3.5. Project risk management planning roles and responsibilities.

Columns: Role; Typical Responsibilities

Senior Management: Establishes the threshold for risk tolerance for the organization. Establishes the level of rigor and discipline at which project risk management will be performed through the organization. Establishes level of importance to the process.

Project Sponsor: Establishes the threshold for risk tolerance on a given project and approves the risk management plan. Validates scope, schedule, and budget reasonableness.

Project Manager: Oversees the risk management process for the project and organizes all risk management planning sessions. Clarifies the acceptable level of risks for the project in consultation with key stakeholders. Finalizes and presents risk management plan to the project sponsor and/or other approving authorities. Incorporates the resources and time required to implement the risk management plan into the project budget and schedule.

Project Team Members: Assist the project manager in developing and implementing the risk management plan.

Risk Owner: None

Risk Analyst: None

3.2 Inputs

Risk planning should build on and be consistent with the overall project planning and development process. As such, key inputs that would inform the project risk management plan are project charters, scopes of work, and similar documents outlining project assumptions, goals, and constraints.

It may also be helpful for the project team to conduct an informal organizational and environmental scan to determine the airport’s current sensitivity toward risk. Recent events (e.g., negative press, budget/schedule overruns, heightened political or public scrutiny) may play a role in shaping the risk tolerance for a particular project.
In addition to such project-specific information, historical data and lessons learned from past projects may also help establish the appropriate level of risk management to apply to a particular project.

3.3 Tools and Techniques

Risk management planning entails developing a structured and comprehensive approach for each step in the risk management process—from identifying and analyzing risks to developing risk response plans and monitoring risks as the project progresses. Part 3 of this guidebook includes a sample risk management plan that can be used as a template to facilitate and guide the risk planning step and to capture the resulting decisions.

3.4 Outputs

Risk management planning should confirm or establish:
• The purpose and objective for performing project risk management,
• The risk threshold for the project,
• The role and responsibilities of the project team with regard to project risk management activities,
• The need for any outside technical assistance,
• The timeline for performing risk management activities,
• The depth of analysis required (e.g., qualitative versus quantitative risk analysis),
• The approach and tools to be used to assess and manage project risks, and
• Risk reporting and documentation requirements.

Such results are typically documented in a risk management plan that describes how the project risk management process will be structured and performed. The content of the plan will vary based on the complexity and size of the project, but typical content includes:
• A summary of the selected risk management approach that identifies the methodologies and tools that will be used,
• The roles and responsibilities of the people involved,
• Guidance for risk rating (e.g., high, medium, and low probability and impact) for use with the risk management tools,
• The schedule and agenda for risk management milestones and periodic risk reviews,
• Required formats for inputs and reporting, and
• Monitoring and tracking requirements.

The detail and time invested in developing a risk management plan should be balanced with the size and complexity of the project. For a small or relatively routine project, development of a formal plan may be unnecessary. For projects requiring more formal documentation, the risk management plan may serve as a repository of all decisions made if updated with the results from each step in the risk management process.

3.5 Best Practices

Best practices related to the success of risk management planning include the following:
• Reach Consensus on Project Goals. To design and scale a risk management process for a given project, participants in the risk management effort must share a mutual understanding of the project under evaluation. Achieving such a consensus requires, at a minimum, a defined project scope with established needs and goals. Therefore, early in the project development process, the project team, with input from other key stakeholders as necessary, should develop and refine a list of project goals, if not already articulated in a project charter or scoping document. As it is rarely possible to optimize quality, time, and cost goals on a single project, trade-offs may be necessary to ensure that the primary goal is achievable. Reaching a consensus on the relative importance of individual project goals early on will later help the project team make informed decisions regarding risk prioritization and the optimal mitigation strategies to increase the likelihood of achieving the primary project goal (e.g., enhanced quality), even if at the expense of secondary goals (e.g., cost).
• Understand the Airport’s Risk Tolerance. Project risk exists within the overall context of the airport’s organizational tolerance for risk. The project team must therefore have a clear understanding of this tolerance or appetite for risk to ensure that the appropriate management strategies are incorporated into the risk management plan to maintain risks at acceptable levels.
• Achieve a Balance Between Cost (i.e., Level of Effort) and Benefit of Project Risk Management. Project risk management is a scalable activity, and the approach and resource commitment should be tailored to the particular project’s size, complexity, and criticality. Although it can be tempting to overdo risk management, applying unnecessary time and resources to risk management activities can be both wasteful and counterproductive to ensuring the project’s budget and schedule objectives are met.
• Pay Adequate Attention to Project Opportunities. Risk management plans should not neglect project opportunities. Project uncertainty means that some things may go better than expected. In contrast to risk management, which seeks to understand what might threaten a project, opportunity management focuses on what might go better. Recognizing late in the project that a better alternative would have been available is generally of little use since it is typically too late at that point to take full advantage of the opportunity.
• Engage the Project Team and Key Stakeholders. For project risk management to be effective, it must have the support of the project team. Engaging these team members during the initial planning step will help ensure their buy-in and commitment to performing the subsequent risk management activities. In addition to the project team, key stakeholders also need to be engaged throughout the project’s life cycle to ensure that the broadest view of potential risks and opportunities is obtained. By reaching out to stakeholders, industry, and subject matter experts, the project team can extract additional best practices, techniques, and information that may improve its implementation of project risk management.
• Define clear roles and responsibilities. Establishing and documenting roles and responsibilities during the planning step will help ensure that the appropriate resources are committed to the project.
• Ensure that project risk management resources are defined and that sufficient capacity exists.

See Exhibit 3.1 for a discussion of how organizations can scale project risk management.

3.6 Summary

Project risk management planning entails defining the approach, tools, and resources that will be used to perform project risk management over the course of the project. Careful and explicit planning sets the stage for and increases the likelihood of success of the subsequent project risk management steps described in Chapters 4 through 7.

Planning the activities to manage risk over the entire project life cycle helps to ensure that the degree of risk management is scalable to the project’s size, complexity, and type, and is consistent with the airport’s risk tolerance. It also enhances the probability that sufficient resources (staff, budget, time) for project risk management are incorporated into the project budget and schedule.

Exhibit 3.1. A Closer Look: How Organizations Can Scale Project Risk Management

To streamline the risk planning step and provide a consistent framework for all project teams to follow, some organizations have chosen to standardize their project risk management practices according to project size, complexity, or some other metric. For example, both the Port Authority of New York and New Jersey (PANYNJ) and the Washington State Department of Transportation (WSDOT) specify use of a specific risk management approach based on project size, as shown here.

Columns: Project Size ($ million); Required Process (Project managers may use a higher-level process if desired.)

<$10: Risk assessment conducted by the project team using project management office–sponsored tools and templates.
$10 to $20: Informal workshop using interdepartmental resources and specialized software to conduct the risk analysis.
$20 to $100: Project risk assessment workshop using interdepartmental staff or external expert facilitation.
>$100: Project parameter validation workshop using external subject matter experts to validate base costs and schedule parameters and risk analysis process and results.

Source: PANYNJ, 2011

Columns: Project Size ($ million); Risk Assessment Level; Notes

Less Formal Risk Assessment
0 to 10: Project team risk assessment. Project management online guide (PMOG) risk management plan. Qualitative tool.
10 to 25: Project team risk assessment. Self-modeling spreadsheet.
Notes: The project team assesses each identified risk for its probability of occurrence and its impact on project objectives. Project teams may request assistance from subject matter experts or functional units to assess the risks in their respective fields. The self-modeling spreadsheet can be used for any project.

More Formal Risk Assessment
25 to 100: Cost estimate validation process (CEVP) workshop. Quantitative tool.
Over 100: CEVP workshop. Quantitative tool.
Notes: The team, working collaboratively with independent subject matter experts, reviews and/or validates cost and schedule estimating and identifies, characterizes, and analyzes risks. This is accomplished in a structured workshop setting. Modeling can be accomplished with off-the-shelf software or using the self-modeling spreadsheet.

Source: WSDOT, 2010

Establishing such norms helps organizations institute a degree of consistency when implementing project risk management principles on a program-wide basis. However, care should be used when basing the risk management approach solely on project cost since smaller projects are often just as likely to experience scope creep, if not more so.

CHAPTER 4

Project Risk Identification

What can affect our plans for this project? This question captures the essence of risk identification.

As introduced in Chapter 1, three elements are needed to fully define risk:
• A future root cause, which, if eliminated or corrected, would prevent a potential consequence from occurring;
• The likelihood or probability of that event occurring; and
• The consequence or impact of that future occurrence.

Project risk identification—the process of identifying and documenting the uncertainties that could affect project performance—addresses the first component of risk and is the focus of this chapter. The subsequent step of project risk analysis—the evaluation of the identified risks in terms of their likelihood of occurrence and associated impacts—is discussed in Chapter 5.

4.1 Key Activities

4.1.1 Process Step Overview

Risk identification entails examining each project element to identify possible risk or opportunity events and their associated root causes, beginning their documentation, and setting the stage for subsequent analysis and response, if deemed necessary.

Risk identification generally consists of the following activities:
1. Determine who may have insight into project risks.
2. Gather available information on project assumptions and constraints (see inputs listed in Section 4.2) and circulate to those participating in the risk identification effort.
3. Review risk identification results from previous similar projects.
4. Determine which risk identification tools and techniques to use (see Section 4.3), if not already specified in the risk management plan.
5. Identify and document risks. (The general risk categories shown in Table 4.2 may provide a useful starting point to brainstorm project risks.)
   a. Review list to ensure that all known risks have been identified.
6. Proceed to risk analysis (see Chapter 5).
The exact tools and techniques used to support these steps could range from an informal brainstorming exercise to a more structured and facilitated work session in which project team members and independent subject matter experts are solicited for information and insight into potential project concerns. For a given project, the approach taken to identify risks should represent a balance between project needs and the available resources and skills of the project team.

Sidebar: Project Risk Identification
Key Activities
• Gather available project information
• Identify and document all risks and opportunities that could affect project performance
Inputs
• Project scope and objectives
• Budget and cost estimates
• Schedule
• Designs and specifications
• Subject matter interviews
• Stakeholder input
• Lessons learned from past projects
Tools and Techniques
• Checklists
• Brainstorming
• Expert judgment
Outputs
• Risk checklist
• Risk register

4.1.2 Timing

Project risk identification should begin as soon as project management planning has defined a sufficient structure for identifying risks. However, as with each step in the risk management process, it is important to perform risk identification continuously throughout the project life cycle. As the project proceeds through project planning and preliminary engineering to construction and possibly beyond to maintenance and operation, new risks may become known, or more refined information may become available that warrants revisiting the project’s original risk profile. Remember, risk characteristics associated with each project phase differ (see Table 2.4), reflecting the refinement that generally occurs as project unknowns become known and designs reach completion.

4.1.3 Participants

The resources committed to the risk identification effort should be scaled to the project’s size, complexity, and criticality to airport operations. Risk identification is an iterative process that serves to capture any new risks that may emerge as the project progresses through its life cycle while dismissing previously identified risks that are resolved. The timing and frequency of these iterations and who participates in the identification process at each phase of a project’s life cycle will vary from case to case.

On a routine project expected to present minimal risk, the project team may have sufficient expertise and knowledge to identify and manage risk.
For more complex projects or those touching on unfamiliar ground, participants in the risk identification effort may extend beyond the project team to include internal subject matter experts from design, construction, maintenance, operations, security, environmental groups, airlines, the FAA, the Transportation Security Administration (TSA), and other affected functional areas, key stakeholders, business partners, and outside experts.

Table 4.1 outlines the roles and responsibilities for the project risk identification step.

Sidebar: As a project unfolds, new risks may emerge or uncertainties may be resolved. To address such changes over time, risk identification should be an iterative process that is conducted throughout the project life cycle.

Table 4.1. Project risk identification roles and responsibilities.

Columns: Role; Typical Responsibilities

Senior Management: May participate in risk identification activities.
Project Sponsor: May participate in risk identification activities.
Project Manager: Validates the acceptable level of risks for the project in consultation with key stakeholders. Appoints risk owners for each identified risk.
Project Team Members: Participate in risk workshops. Provide input to project manager for risk reports.
Risk Owner: Assumes responsibility for managing a specific identified risk.
Risk Analyst: None

4.2 Inputs

A key to successful risk identification is taking the time and resources to collect realistic and high-quality data about the project and the potential risks it may face. To inform the risk identification process, key inputs regarding project assumptions and constraints could include (to the extent available at the time of the risk identification):
• Project scope and objectives,
• Project budget/funding and cost estimates,
• Preliminary schedules (and updates as the project progresses),
• Designs and specifications,
• Subject matter interviews,
• Stakeholder input, and
• Regulatory requirements pertaining to the project.

In addition to such project-specific information, historical data from past projects can also serve as a rich source of information regarding potential risk events. Solid, factual data collected with discipline during earlier work generally yield the most useful historical information; however, such information is often difficult to access, especially if the organization does not maintain an extensive document and records management system.

Although written historical information, such as that found in lessons-learned reports and status reports from recent projects, tends to be more reliable and defensible (especially if the data are recent and relevant to the project at hand), informal information is often easier to capture. By discussing the project with colleagues or outside experts, the project team may gain insight into the possible risks facing its current project.

4.3 Tools and Techniques

Various techniques and tools can be used to elicit risks, the most common of which are described in the following. These techniques may be used alone or in combination, depending on the approach that is best for the team, the project’s size and complexity, time and resource constraints, and the information available.
4.3.1 Information Gathering Techniques

Brainstorming Workshops. One of the most frequently used risk identification techniques is to hold brainstorming workshops to compile a comprehensive list of risks for subsequent evaluation during the analysis step described in Chapter 5. Brainstorming can assume many forms, but it generally works as follows:
1. The project manager organizes a meeting with the project team, inviting other multidisciplinary experts and project stakeholders as deemed necessary.
2. Under the guidance of a qualified facilitator, participants work together to uncover potential events. Group members verbally identify risks, which provide the opportunity to build on each other’s ideas. (A more structured brainstorming session, where each group member presents an idea in turn, may be used to ensure that feedback is obtained from all group members.) Early in the project development process, when relatively little information is available, the general risk factors and categories shown in Table 4.2 may provide a useful starting point to brainstorm project risks.
3. The flow of ideas should proceed without comment, questions, or criticism, and without regard to the participants’ status in the organization. Ideally, every participant should be heard from. Consideration should be given to risks that could arise out of internal changes as well as to outside factors such as natural disasters, market conditions, and government or regulatory change.
4. After all known risks are identified and posted for participants to examine during the meeting, the facilitator should attempt to categorize the identified risks into naturally related groupings to refine their definitions and eliminate duplication (see risk categories identified in Table 4.2).

Sidebar: It can take substantial effort and organizational support to collect accurate data about project risk. Risks are therefore often identified based on the judgment and expertise of informed individuals.

Table 4.2. Potential project risk categories.
Categories: Technical, External, Organizational, Commercial
Risk factors (listed in category order): Scope definition, Requirements, Design, Quality, Safety, Security, Complexity, Interfaces, Site conditions, Customer, Political, Public relations, Market conditions, Weather, Environmental, Property acquisition, Permitting, Regulatory changes, Funds availability, Resources, Dependencies, Financial capacity, Revenue impacts, Contractual terms and conditions, Suppliers and vendors, Procurement process, Contractors, Air service

For brainstorming workshops to be most effective:
• Relevant documents should be provided to the participants in advance to allow for some preparation.
• The facilitator should be familiar with the risk process and should identify some risks in advance.
• A note taker should be appointed to capture the ideas that are discussed.
• The meeting should be structured by project segment or risk category to ensure that no potential risks are overlooked.

For more complex projects or situations, it may be desirable to hold multiple workshops, each focused on a specific risk category (e.g., geotechnical problems) with key subject matter experts participating.
Other common tools used to identify risks in brainstorming workshops are SWOT (strengths, weaknesses, opportunities, threats) analysis, affinity diagrams, and cause-and-effect maps.

Retrospective Analysis. Risks tend to recur on project after project unless something is done differently to avoid or mitigate the root cause(s). Data from earlier work, lessons learned, and close-out documents can therefore provide a rich source of risk information for the current project. A retrospective analysis of earlier projects performed either on its own or in conjunction with a brainstorming workshop can serve as a useful tool to identify risks and effective practices worth repeating and areas where improvement is possible.

Scenario Analysis. Additional risks may be discovered by considering the following questions while deliberately thinking through each step in the project timeline:
• What might go wrong here?
• What will keep me up at night during this portion of the work?
• Given the possible scenarios, are the current project assumptions correct?

Sidebar: When identifying risks, take care to avoid the following common biases that could influence results:
• Status quo—making choices that perpetuate the current situation.
• Confirming evidence bias—emphasizing information that reaffirms existing points of view while neglecting contradictory data.
• Anchoring—placing disproportionate weight to the first information given.
• Sunk cost—making decisions in a way to justify past choices.

Expert Consensus. This method, also known as the Delphi technique, is used to obtain the judgment of a panel of experts on a complex issue or topic such as project risk. It is a systematic method of data collection and structured discussion that aims to minimize bias and the influence any one person can have on an outcome. In brief, a Delphi analysis entails the following steps:
1. A facilitator develops and distributes a questionnaire to solicit ideas regarding perceived project risks.
2. The facilitator receives and processes the survey responses.
3. The risks identified in this first survey round are then circulated back to the experts for further comment and refinement.
4. The process is repeated until consensus is achieved on the main project risks (typically requiring two or three more survey rounds).

The iterative nature of this process has been found to yield more reliable results than a single survey round.

Interviews. Risks can also be identified by interviewing experienced project managers and subject matter experts. After being briefed on the project, the interviewees can be asked to identify risks based on their experience and knowledge. Interview results can be used to validate the results of earlier brainstorming or other information gathering techniques or as an input to these other methods.

Checklists. Risk checklists can provide useful guidance to help ensure that all major project risk areas are considered. Part 3 of this guidebook contains a sample risk checklist, but risk teams are encouraged to draw from their own historical project experience to develop lists that reflect the issues commonly encountered on their airport projects. Checklists are most effective when used as a follow-up to a brainstorming session or other risk identification technique to ensure that all areas of concern have been covered.
However, for a routine project expected to present minimal risk, reviewing and completing such a checklist might suffice.

When using checklists, bear in mind that not every risk included will necessarily be relevant and applicable to the current project or situation. Likewise, a standardized list may not capture all of the unique risks facing a specific project. Tapping into the experience of the project team and other stakeholders will generally always be necessary to identify the full spectrum of risks.

Sidebar: Part 3 of this guidebook provides a sample checklist of common project risks. Checklists are not exhaustive. Users should look beyond the risks identified in the checklist to ensure that all possible uncertainties are addressed.

4.3.2 Root-Cause and Cause-and-Effect Analysis

When identifying risks, it is important to seek their root causes rather than stop at what could be merely symptoms of larger underlying problems. Project teams may therefore find root-cause analysis or cause-and-effect analysis to be useful for risk discovery and subsequent risk analysis and response planning. Some common root-cause and cause-and-effect analysis techniques include the following:

Failure Mode and Effects Analysis (FMEA). This technique provides a quantitative analysis that involves identifying a single risk event (failure mode) and the probabilities of the various impacts that may stem from that event.

Fishbone Diagram. This is a cause-and-effect analysis technique that generally entails stating an outcome the project intends to avoid (e.g., a delay or a significant increase in cost of some portion of the work), and then challenging the project team to work backward to uncover plausible sources that could cause the problem.

Five Whys. The Five Whys is a simple problem-solving technique designed to quickly uncover the root of a problem. Popularized in the 1970s by the Toyota Production System, the Five Whys strategy entails evaluating a problem by repeatedly asking: “Why?” and “What caused this problem?” (The “five” in the name comes from the empirical observation that five iterations will generally resolve the problem.)

Mind Mapping. Mind mapping tools can be used to organize and document the output of a root-cause analysis exercise. A mind map is often created around a single word or text, placed in the center, to which associated ideas, words, and concepts are added. In project risk management, the single word would be the risk, and the possible inputs and influences would be the associated ideas.

4.4 Outputs

Once identified, risks should be documented to produce a non-overlapping, comprehensive list of all of the perceived risks to achieving the project’s objectives.

4.4.1 Risk Checklist

For a simple project, checking off the relevant risks on a predefined list of common risks may be sufficient.

4.4.2 Risk Register

For more complex projects, use a risk register to begin capturing information regarding the perceived project risks and opportunities. A risk register provides a common, uniform structure for cataloging, tracking, and reporting the identified risks as the project progresses. The register, which may take the form of a spreadsheet or a table, incorporates key information regarding each risk to provide a cursory overview of what information is currently available regarding each identified risk. The level of detail to include in the risk register can be driven both by project complexity and available resources. Table 4.3 identifies the typical content found in a risk register.

The risk register serves multiple purposes and will be returned to throughout the risk management process. At this stage (i.e., at the conclusion of the first iteration of the risk identification step), the register serves to warehouse all identified risks and to initiate the risk analysis step.
As shown in Table 4.3, the following information may be recorded in the register at the conclusion of project risk identification:

• Risk description,
• Risk owner, and
• Date identified.

The risk register should be reviewed and updated throughout the project and amended to include the results from subsequent risk management steps.

Part 3 of this guidebook provides a template and completed example of a risk register.

| Heading | Description | Associated Risk Management Step |
|---|---|---|
| Risk or Opportunity Description | Description of the risk stated as full sentences, including both the cause and effect of the risk. For example, “As a result of [cause], [risk] may occur, which would lead to [effect on project objective].” | Risk identification |
| Risk Owner | The individual responsible for identifying and implementing any response strategies and tracking their outcomes, as well as regularly reporting on the current risk status. | Risk identification |
| Date Identified | The date the risk was identified. | Risk identification |
| Probability | The probability of the risk occurring, typically expressed in qualitative terms (e.g., high, medium, or low likelihood of occurring). | Risk analysis |
| Impact | The consequence of the risk to achieving project objectives, typically expressed in qualitative terms (e.g., high, medium, low impact). | Risk analysis |
| Risk Rating | The combination of probability and impact, used to support the prioritization of individual risks relative to others. | Risk analysis |
| Risk Response Strategy | Risk: mitigate, avoid, accept, transfer. Opportunity: accept, capitalize, enhance/grow, share, lose. | Risk response planning |
| Risk Response Description | Description of the risk response plan to document the response strategy that was selected. | Risk response planning |
| Cost to Respond | Estimated value of the cost to implement the chosen response strategy. | Risk response planning |
| Current Status | Updated information on actions taken. | Risk response planning |
| Monitoring and Control | Updated information on the risk (e.g., Were the risks addressed? Based on new information, should the ratings be revised? What are the residual risks, cost, and so forth?) | Monitoring and control |

Table 4.3. Typical risk register content.

Ensure that the list of project risks is not only comprehensive but also non-overlapping and mutually exclusive. Overlapping risks could lead to double counting of risks.

4.5 Best Practices

Regardless of the exact tools and techniques used, the risk identification process should generally conform to the following principles and best practices:

• Understand Project Objectives, Constraints, and Assumptions. To meaningfully and deliberately delve into the uncertainties facing a project, participants in the risk identification effort would benefit from having a shared understanding of the objectives and constraints driving the project. Knowledge of the project context can help the project team focus on specific or unique sources of risks that may affect the project. For example, will political circumstances subject the project to heightened scrutiny or influence from external stakeholders?
• Develop a Comprehensive List of Project Risks and Opportunities. When initially identifying potential risks and opportunities, consideration should be given to all factors that could affect the project’s needs and goals, regardless of how remote the possibility of their occurrence and how minimal their expected impact. Such inclusiveness with regard to risk identification will help ensure that all factors affecting project performance are identified. This list of risks can later be screened and refined during the analysis step to focus on the critical project risks. Likewise, risks should not be excluded from the list on the basis that subsequent field investigations or design efforts will eliminate the potential event.
• Consider Both Risks and Opportunities. The risk identification effort should not focus exclusively on potential problems. Opportunities (i.e., uncertainties that could lead to positive consequences) identified early can enhance project performance.
• Define Each Risk Completely and Unambiguously. Risks should be clearly stated and fully defined so as to ensure a common understanding by all parties. A single word (e.g., coordination, weather) rarely provides sufficient information to fully communicate the exact nature of the risk. Instead, to the extent possible, a structured risk statement, similar to the following, should be used to define each risk:

  As a result of [cause, condition that is true], [risk] may occur, which would affect [effect on project objective].

  In this structure, the cause is a fact or condition, without which the risk might not exist. The risk is the resulting uncertainty. The effect is the impact on a project objective such as cost, time, scope, or quality. For example:

  As a result of limited site investigation, subsurface contaminants may be discovered during construction, which would affect both cost and schedule.

  It may also be useful to identify risk triggers—warning signs that suggest a risk is becoming a near-certain event requiring implementation of a response plan or contingency measure.
• Do Not Confuse Risks with Issues. If the problem event has already occurred, it is an issue that requires resolution, not a risk that may happen and that would benefit from proactive planning or action.
  Although issue management is a key project management activity, its focus is on applying resources to address and resolve current problems, whereas risk management applies resources to mitigate or avoid future potential problems or capitalize on opportunities before they can become or escalate into issues or crises.
• Ensure That You Have the Right People Participating. Participants should include project team members, subject matter experts, and stakeholders or customers of the project. To capture a wide variety of perspectives on potential risks and opportunities, the project team should consult with key stakeholders early in the identification process.
• Assign Risk Owners. Each risk should be assigned a single risk owner with clear responsibility and accountability for its management.
• Limit Bias When Identifying Risks and Opportunities. If participants in the risk identification effort have a vested interest in advancing (or terminating) the project or have some other conflict of interest, it could compromise the results of the risk identification exercise. To help mitigate such bias (whether conscious or not), consider using a qualified facilitator or project-independent subject matter experts to elicit risks.

To convey the exact nature of a risk, the risk description should be defined in terms of both its cause and its effect: As a result of [cause], [risk] may occur, which would affect [effect on project objective].

4.6 Summary

Risk identification is a vital component of the overall risk management process that involves identifying, categorizing, and documenting the risks and opportunities that could significantly affect project performance. Risk identification begins as early as possible and continues throughout the project with regular review and analysis.

Risk identification is a scalable activity, and the approach and resource commitment applied should align with the complexity of the project and the information available. The identification process could range from a quick checklist activity to a more structured and facilitated work session in which project team members and independent subject matter experts are solicited for information and concerns. Table 4.4 suggests how the tools and techniques discussed in this chapter can be tailored based on the perceived risk level of the project.

| Simple or Small-Scale Projects | Large, Critical, or Complex Projects |
|---|---|
| Use a risk checklist to identify and document possible risks | Conduct a structured risk management workshop with internal and/or external subject matter experts and independent expert facilitation |
| Conduct an informal team meeting if necessary | Compare the risks identified in the workshop to a risk checklist to ensure that all possible areas of concern have been covered |
| Document the identified risks in the risk checklist | Document the identified risks in a risk register |
| Use or expand existing standard operating procedures | |

Table 4.4. Scaling the risk identification step.

See the following excerpt from the case study on taxiway reconstruction for an illustration of the risk management process. The full case study is presented in Appendix A.

Case Study: Taxiway Reconstruction

This case study will be used later in this guidebook to illustrate the various steps of the risk management process. The complete case study is presented in Appendix A.

Project Overview

A medium-hub airport was preparing to conduct the taxiway reconstruction as defined in the airport’s master plan. The project was scheduled to begin design in June, with construction expected to begin 6 months later. The reconstruction project was scheduled in alignment with FAA funding schedules in anticipation of receiving funds in time to begin and conduct construction.

The taxiway project was originally scoped for 4,000 ft of asphalt pavement, with an estimated $6 million budget funded by the FAA and airport passenger facility charges in a 75/25 percent ratio. The funding for this project was fixed, so scope and schedule were the areas that were affected by the risks and mitigations of this project.

The project was being managed by an internal airport project manager, consultants for design, construction by contractors, and inspections by consultant staff. For the scope of this project, the design–bid–build construction process was selected. The project risk management process was included in the project management of the project. Many risks were realized through the project duration and will be highlighted at each phase throughout this example.

Case Study: Taxiway Reconstruction – Project Risk Identification

Background of Airport

The airport was managing multiple construction projects at the same time using a combination of internal and contract staff. The airport operates two runways and receives funding based on medium-hub status. Operations are primarily origination and destination traffic. The airfield does not operate at full capacity; however, all maintenance downtime must be carefully scheduled to avoid any air traffic delays. The airport typically outsources construction design to experts outside of the airport staff. The internal procurement process works in accordance with federal regulations.

Risk Identification Step

The project team performed the identification of risks in a risk workshop using an outside facilitator to conduct the session. The entire internal project team was present, along with the contracted resources that would be performing project work. Risks and opportunities identified through this workshop were captured in a risk register. Each risk was assigned an owner who would take responsibility for the risk analysis and response plan and would provide monitoring and control reviews. The risk workshop took approximately 4 hours to complete and also included the risk analysis process. The identification of risks took less than 1 hour to generate the list.

CHAPTER 5
Project Risk Analysis

Key Activities
• Evaluate risks (and opportunities) in terms of their likelihood of occurrence and potential impact
• Prioritize major risks for response planning
• Establish risk-based cost and schedule contingencies (quantitative techniques)

Inputs
• List of possible risk events
• Historical data

Tools and Techniques
Qualitative:
• Probability and impact matrix
Quantitative:
• Modeling and simulation

Outputs
• Prioritized ranking of critical risks
• Results of quantitative analysis

The goal of the project risk analysis step, as discussed in this chapter, is to characterize and prioritize the previously identified risks by determining:

• How likely is the risk or opportunity?
• How big is the risk or opportunity (e.g., impact)?
• What is the risk to (e.g., schedule, capital cost, maintenance cost, or other project goals)?
• Who assumes the risk (e.g., the airport, contractor, or other stakeholder)?

By providing answers to such questions, it is possible to classify risks based on their criticality to project success and importance to key stakeholders. Prioritizing risks in this manner can support subsequent decision making and aid in the risk response planning efforts described in Chapter 6.

5.1 Key Activities

5.1.1 Process Step Overview

The objective of risk analysis is to evaluate risk events in terms of the probability of their occurrence and their impacts (consequences) on cost, schedule, or other project performance objectives. This process could range from rigorous statistical methods to more subjective and qualitative methods for prioritizing risks based on the combined effect of their probability and impact. The selected method will ultimately involve a trade-off between sophistication (and hence, defensibility) and the method’s ease of use.

Regardless of the method used, the project risk analysis process step generally consists of the following activities:

1. Gather any additional information needed to evaluate or analyze risks.
2. Determine which risk analysis tools and techniques (see Section 5.3) to use, if not already specified in the risk management plan.
3. Evaluate and prioritize risks using the selected methodology.
4. Determine if further evaluation would be beneficial (e.g., if a quantitative analysis should be performed).
5. Document results and proceed to risk response planning (see Chapter 6).

5.1.2 Timing

Risk analysis is performed sequentially after the risk identification step. In practice, however, the distinction between risk identification and risk analysis is often blurred, with some risk analysis preceding or concurrent with the identification step. For example, in the process of gaining input from experts, it may make sense to continue beyond the mere identification of risks to the probability of them occurring, their consequences, and, possibly, ways to respond to them. These latter actions are more formally part of the risk analysis and risk response planning steps but often begin during risk identification.

Risk analysis results represent a snapshot in the project’s life cycle and may change significantly as the project progresses and more information becomes available. As with the iterative nature of all steps in the project risk management process, risk analyses should be revisited periodically to ensure that the assessment remains current and valid.

5.1.3 Participants

The project team may have sufficient expertise and knowledge to provide the risk data needed to support the analysis. However, it may be desirable to seek input from internal and external subject matter experts, particularly if relevant historical data are limited, requiring increased reliance on expert judgment.

If a quantitative analysis is to be performed, it may also be beneficial to use qualified probabilistic modelers who are well versed in statistical analysis techniques to perform simulations.

Table 5.1 outlines the roles and responsibilities of the project risk analysis step.

| Role | Typical Responsibilities |
|---|---|
| Senior Management | Reviews analysis results; provides guidance if necessary. |
| Project Sponsor | Reviews analysis results; provides guidance if necessary. |
| Project Manager | Oversees the completion and reviews the results of appropriate risk analysis activities as determined by the project risk management plan. |
| Project Team Members | Participate in risk analysis activities. Provide input to project manager for risk reports. |
| Risk Owner | Assumes responsibility for managing a specific identified risk. |
| Risk Analyst | Defines appropriate tools and techniques for quantitative risk analysis. Conducts quantitative risk analysis for identified risks. |

Table 5.1. Project risk analysis roles and responsibilities.

5.2 Inputs

Risk analysis generally begins with a detailed study of the risks that have been identified previously and (ideally) documented in a risk register or checklist. Additional information should then be gathered as necessary to determine the root cause(s) (if not already determined during the risk identification step), likelihood, and consequence or impact of each risk. Two primary sources of data to support this analysis are interviews with subject matter experts and comparisons with similar projects.

Particularly if a quantitative risk analysis is being performed, it is also important to have a defined base project against which the risks can be measured. The base project conditions should exclude any built-in conservatism (e.g., cost or schedule contingencies) intended to cover uncertainty. Such contingencies will instead be established through the analysis process described in Section 5.3.2.

5.3 Tools and Techniques

As discussed previously, risk analysis involves evaluating risks (or opportunities) by considering the likelihood of their occurrence and their potential impact on cost, schedule, or other key project goals.

Approaches used to analyze risks are commonly classified as being either qualitative or quantitative in nature. Each approach has its own perceived advantages and disadvantages (summarized in Table 5.2) that should be considered when selecting the optimal or practical approach to use for a particular project or project element.

| Technique | Objectives | Advantages | Disadvantages |
|---|---|---|---|
| Qualitative | Subjectively evaluate the probability and impact of each risk; prioritize risks for risk response planning or for additional analysis using quantitative techniques; validate the risk management plan for risk analysis | Relatively quick and simple to perform; user-friendly, particularly for those less skilled in probability and statistics; indicator of need for further quantitative analysis | Ratings can be ambiguous and difficult to defend. Ratings can be misperceived due to lack of consistency of those providing input. |
| Quantitative | Numerically analyze the effect of identified risks on overall project objectives; determine which activities or elements contribute the most to project objectives; reduce the uncertainty in the project input variables | Less ambiguity in values; probability and impacts can be analytically combined in a rigorous manner; risk-based contingencies can be defined; reduced uncertainty in the output variables | Development of models and running of simulations can be time consuming and may require external expert assistance. |

Table 5.2. Comparison of qualitative and quantitative techniques.

5.3.1 Qualitative Risk Analysis

Qualitative risk analysis entails prioritizing risks for further analysis or response planning on the basis of a subjective assessment of their probability (likelihood or frequency) and impact (consequence or severity).

Qualitative analysis is often used:
• As an initial screening or review of project risks,
• When a quick assessment is desired, and
• As the preferred approach for simpler and smaller projects where more rigorous quantitative analysis is not necessary or practical.

To estimate probabilities and impacts, project teams may find it beneficial to review historical data from past projects. More often than not, availability of historical data is limited. Values are therefore often based on the experience and judgment of team members and other subject matter experts, as obtained by conducting risk analysis workshops, interviews, or surveys.

Once probability and impact values are estimated, they are typically combined in some manner so as to assign a rating to each risk. Although in and of itself the numerical value holds little meaning, the ranking has a meaningful purpose—providing a simple, albeit subjective, way to rank risks relative to one another based on the perceived threat they pose to the project success criteria.

It should be noted that the risk score itself is an arbitrary value. It should be used as a simple way to prioritize efforts based on perceived impact to the project success criteria.

Probability–Impact (P-I) Matrix. One of the most commonly used tools to qualitatively rate risks is a P-I matrix, an example of which is shown in Figure 5.1.

As shown in the figure, a typical P-I matrix has probability ratings on the y-axis and impact ratings on the x-axis. The plotted position of these two measures in the matrix reflects the combined effect of the risk’s likelihood of occurrence and the estimated severity of its unmitigated effect on the project if it were to occur.

| Probability | Impact on Selected Objective: Low | Medium | High |
|---|---|---|---|
| Likely | Low | Medium | High |
| Moderate | Low | Medium | Medium |
| Unlikely | Low | Low | Low |

Figure 5.1. Example P-I matrix (3 × 3).

Part 3 provides a sample worksheet to use for performing qualitative risk analysis with a P-I matrix.

It is important to note that those estimating the probability and impact ratings may be biased toward overconfidence or underconfidence in their assessments. Calibration techniques exist for improving skill in assessing uncertainty.

To develop and use such a tool requires performing the following steps:

1. Establish Probability Scale. For each risk event identified, the likelihood or probability that the risk will happen must be determined. Typically, the project team will arrive at this assessment, in consultation with any subject matter experts deemed necessary, in a workshop setting. For such a process to be effective, all participants must share a common understanding of the probability of occurrence (e.g., “high probability” should mean the same thing to all participants).

If not already specified within the risk management plan, the project team should first define the probability scale to use in the P-I matrix. Establishing this range up front lends structure to the analysis exercise and ensures that all participants are viewing likelihood in a consistent manner.

Clearly, the likelihood or probability of any specific risk event occurring will fall somewhere between 0% (i.e., no chance of occurrence) and 100% (foregone conclusion). For a very simple project, this could mean dividing the probability scale into just two ranges:

• More likely than not to occur (50% to 100%), and
• Less likely than not (0% to 49%).

Although most project teams can quickly reach consensus on one of these choices, finer granularity is often needed to prioritize risk. For this reason, three ranges, as shown in Figure 5.1, or five ranges, as shown in Table 5.3, are more commonly used.

| Level | Likelihood | Probability of Occurrence |
|---|---|---|
| 5 | Near certain | ~90% |
| 4 | Highly probable | ~70% |
| 3 | Probable | ~50% |
| 2 | Low probability | ~30% |
| 1 | Not probable | ~10% |

Table 5.3. Example levels of probability criteria.

2. Establish Impact Scales. For each risk identified, in addition to estimating its probability of occurrence, the project team must rate the magnitude of its impact should it occur. As with estimating probabilities, all participants must share a common understanding of what impact is for the process to be effective. Therefore, if not already specified within the risk management plan, the project team should first define the impact ranges to use in the P-I matrix, bearing in mind that a risk event can have an impact on a project in multiple ways. (In other words, what is the impact to cost, schedule, and quality?) For example, the risk of encountering differing site conditions could result in schedule delays and cost overruns. Impacts should be considered separately for each major project objective (e.g., cost, time, scope, quality).

Although the rating system shown in Table 5.3 reflects the impact of risk in terms of threats (or negative consequences), a similar system could be established for opportunities by describing the impact in terms of schedule or quality improvements and cost reductions.

Figure 5.2 provides an example of the scales used to assign probability and impact values on a scale of one to five. Five levels of values are shown, ranging from very low to very high, but three levels (low, medium, high) are often used. Project teams should select the range that allows them to best differentiate the probability and impact values on identified risks.

| Scale | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
|---|---|---|---|---|---|
| Probability Scale | ~10% Not Probable | ~30% Low Probability | ~50% Probable | ~70% Highly Probable | ~90% Near Certain |
| Impact Scale | Very Low | Low | Medium | High | Very High |

Figure 5.2. Example impact and probability scales.

3. Estimate Probability and Impact. Once the rating scales have been established, the next step is to assess each risk on the basis of:

• Its probability of occurring, using the probability ranking scale established for the project (which, using Figure 5.2, would range from 1 to 5), and
• Its impact of occurring, using the impact ranking scale established for the project (which, using Figure 5.2, would range from 1 to 5).

Impact is rated separately for each objective (e.g., cost, schedule, quality). Therefore, for each risk, the output of this step is a probability and the impacts to the project that could result from that risk.

For each risk, the probability of occurrence will remain the same for each project objective analyzed. However, the risk could have an impact on multiple project objectives. For each risk, the output of this step is therefore a single probability and the impacts to the project that could result from that risk.

4. Plot Risk on P-I Matrix. The probabilities and impacts obtained from Step 3 can now be plotted on the P-I matrix established for the project. The matrix helps determine whether a risk with a certain combination of probability and impact is of high, moderate, or low priority, in order to rank them. Figure 5.3 provides an example P-I matrix, which incorporates the probability and impact rating scales.

In the example matrix shown in Figure 5.3, the risk is plotted into an intersecting box that represents the value assigned for the probability of that risk (y-axis) and the value assigned for the impact of the risk (x-axis). The box where the two values intersect is the point where the risk is plotted.

[Figure 5.3. Example P-I matrix (5 × 5): probability (1 to 5) on the y-axis, impact on selected objective (1 to 5) on the x-axis, with an example risk R1 plotted.]

This matrix is then used to prioritize risks for further management using a pre-established scale that translates the risk score (probability × impact) into a risk rank (low, moderate, high risk) similar to that shown in Figure 5.4. This ranking can be completed using the organization’s risk tolerance and risk threshold information. The ranges may change slightly by project.

[Figure 5.4. Risk range categories: risk rank (low, moderate, high) and the corresponding range.]

5. Rank Risks and Update Risk Register. Once the risk score and ranking have been determined for each risk, this information can be used to update the risk register to support the prioritization by which the risks should be managed or further analyzed using more rigorous techniques.

6. Review Rankings for Reasonableness. The key advantage to the P-I matrix is its user-friendliness. However, its application is limited to subjective prioritization of risks. The method also does not account for other possible risk prioritization criteria such as the imminence of risks and the ability to detect them. For this reason, the project team should carefully review the resulting risk rankings for reasonableness prior to proceeding to the response planning step. The project team must determine if the results of the qualitative analysis indicate the need for further quantitative analysis or a recalibration of the rating scales.

Note that the mathematical combination of the probability and impact ratings does not in and of itself convey meaning. It is merely used to prioritize risks on the basis of their relative threat levels. The project team should carefully review the resulting risk rankings for reasonableness prior to proceeding to the response planning step.

See the office build-out case study in this chapter (and in Appendix B) for an example of the use of risk analysis.

Case Study: Office Build-Out

The TSA recently mandated a change to the passenger screening process. In order to accommodate this mandate, a small-hub airport needed to perform an internal build-out to reconstruct the physical space where staff are located in order to create the required space. This small-hub airport services commercial air traffic and has 52 employees and a $30 million operating budget.

The internal build-out is determined to be an operating project using internal maintenance staff. The changes require minor demolition to existing walls and build-out of two offices with access to the passenger concourse. Scope includes replacement of ceiling tiles, flooring, walls, power, and data, as well as heating, ventilation, and air conditioning (HVAC) adjustments. The area affected is approximately 400 square feet. The maintenance operating budget is $8 million, and this project is one of many in the course of the year that will be performed to maintain functional operations for the staff at the airport. A project of this scope should not exceed $12,000 in material costs and should not involve more than 3 weeks of construction time. The work effort is approximately two full-time resources for the 3 weeks, although the resources will be different talent and expertise over the duration of the project. Internal resources used include maintenance manager, superintendent, electrician, and HVAC, carpentry, and general maintenance staff. The maintenance manager assumed the role of project manager for this project. The project constraints for this office build-out are determined as schedule and budget.

The maintenance manager determined that the project was relatively low risk based on the experience of the resources assigned to the project and the scope identified for the build-out. He decided to use a probability-impact matrix with the project team to identify and rank the risks. The maintenance manager conducted a project kickoff session in which the team brainstormed a list of risks and then ranked and prioritized the risks using the probability-impact matrix in order to determine if more project risk management might be needed.

The project kickoff session included the team of internal resources used to perform the project activities. During the discussion, the maintenance manager described the scope of the project, and the whole group reflected on past experiences with the customer as well as the type of work to identify preventative risks and reactive impacts. The following risks were identified:

• Customer slow in making decisions about design, which affects schedule.
• Competing priorities for project work team will affect schedule and budget.
• Unforeseen conditions found in demolition affect scope and may cause redesign.
• Need for permits to perform construction activities may affect schedule.
• Long lead time for selected materials causes delay in start of project.

The following probability and impact scores were applied:

| # | Risk Description Summary | Probability Value | Impact Value |
|---|---|---|---|
| 1 | Customer slow in making decisions about design, which affects schedule. | 4 | 4 |
| 2 | Competing priorities for project work team will affect schedule and budget. | 4 | 2 |
| 3 | Unforeseen conditions found in demolition affect scope and may cause redesign. | 2 | 4 |
| 4 | Need for permits to perform construction activities may affect schedule. | 2 | 1 |
| 5 | Long lead time for selected materials causes delay in start of project. | 1 | 2 |
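The P-I matrix steps of Section 5.3.1 (score, rank, plot, review) applied to the five case-study risks scored above, as an added example that is not part of the guidebook. The numeric rank bands are assumptions, because the ranges of Figure 5.4 are not given on this page; the function and class names are also illustrative.

```python
"""Qualitative P-I scoring applied to the office build-out case study (added example)."""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1..5 rating scale for both probability and impact (Figure 5.2)

# ASSUMPTION: the numeric ranges of Figure 5.4 are not available on this page,
# so these score bands are illustrative. Substitute the organization's own thresholds.
RANK_BANDS = ((1, 4, "Low"), (5, 12, "Moderate"), (13, 25, "High"))


@dataclass(frozen=True)
class Risk:
    number: int
    description: str
    probability: int  # one probability rating per risk (Step 3)
    impact: int       # impact rating on the selected objective (Step 3)

    def __post_init__(self):
        # Reject ratings that fall outside the agreed scale (Steps 1 and 2).
        for field in ("probability", "impact"):
            if getattr(self, field) not in SCALE:
                raise ValueError(f"risk {self.number}: {field} must be 1-5")

    @property
    def score(self):
        # Risk score = probability x impact (Step 4).
        return self.probability * self.impact


# Ratings copied from the case study table.
CASE_STUDY_RISKS = [
    Risk(1, "Customer slow in making decisions about design", 4, 4),
    Risk(2, "Competing priorities for project work team", 4, 2),
    Risk(3, "Unforeseen conditions found in demolition", 2, 4),
    Risk(4, "Need for permits to perform construction activities", 2, 1),
    Risk(5, "Long lead time for selected materials", 1, 2),
]


def rank_for(score):
    """Translate a risk score into a rank using the (assumed) bands."""
    for low, high, label in RANK_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside every rank band")


def prioritize(risks):
    """Step 5: (number, score, rank) tuples, highest score first, ties by risk number."""
    ordered = sorted(risks, key=lambda r: (-r.score, r.number))
    return [(r.number, r.score, rank_for(r.score)) for r in ordered]


def tied_scores(risks):
    """Step 6 aid: scores shared by several risks, which the matrix cannot order.

    A likely/low-impact risk and an unlikely/high-impact risk can share a score,
    so these groups need the team's judgment rather than the arithmetic.
    """
    by_score = {}
    for r in risks:
        by_score.setdefault(r.score, []).append(r.number)
    return {s: nums for s, nums in by_score.items() if len(nums) > 1}


def plot_matrix(risks):
    """Step 4: text 5 x 5 grid, probability on the y-axis and impact on the x-axis."""
    cells = {}
    for r in risks:
        cells.setdefault((r.probability, r.impact), []).append(f"R{r.number}")
    lines = []
    for p in range(5, 0, -1):
        row = [",".join(cells.get((p, i), [])) or "." for i in range(1, 6)]
        lines.append(f"P{p} | " + " ".join(f"{c:<5}" for c in row).rstrip())
    lines.append("     " + " ".join(f"I{i:<4}" for i in range(1, 6)).rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(plot_matrix(CASE_STUDY_RISKS))
    for number, score, rank in prioritize(CASE_STUDY_RISKS):
        print(f"R{number}: score {score:>2} -> {rank}")
    print("Tied scores to review:", tied_scores(CASE_STUDY_RISKS))
```

Risks 2 and 3 receive the same score from opposite probability and impact profiles, which is the kind of result the reasonableness review in Step 6 is meant to catch.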

5.3.2 Quantitative Risk Analysis

Project teams often have difficulty accurately predicting the ultimate cost and schedule of a project. This is particularly true early in the project development phase, when information on project conditions is limited, yet decision makers are seeking answers to key questions, such as:
• Which project alternative is best?
• How likely is the project to come in on budget?
• Can the project be completed within the time frame allowed?

The traditional practice of computing cost or schedule estimates on the basis of single data points, representing the cost or duration of each project activity, is often inadequate for providing defensible answers to such questions. At best, such deterministic estimating techniques can provide an indication of the best-case, expected-case, and worst-case project scenarios. However, the resulting point estimates often suggest a level of precision that is unwarranted given the uncertainty associated with the input data. To address unknowns, a contingency value is frequently added on top of the estimate to provide some degree of conservatism. The contingency value is typically calculated as a percentage of the total estimate on the basis of expert judgment, organizational policy, and/or historical experience.

Although this practice can be used to produce conservative estimates, it can also yield misleading results if several risks can simultaneously affect the project. To produce better estimates, some organizations have begun to use quantitative risk analysis techniques to more transparently and accurately account for uncertainty and allow for better, more informed decision making.

Unlike the qualitative techniques discussed in Section 5.3.1, which just allow you to prioritize risks, quantitative methods allow you to answer such questions as:
• What are the odds that this project will meet its cost or schedule targets?
• How much of a contingency reserve should be set aside?

Case Study: Office Build-Out (Continued)

The following probability and impact scores were applied, and discussion was held to analyze the overall results. The risks were plotted with their corresponding number from the list.

[Figure: probability-impact matrix with the numbered risks plotted. Axes: Impact, Probability.]

The results of the discussion determined that all of the risks identified could be controlled by managing the schedule of the project very closely. The team decided to plan a schedule with realistic timelines and contingency days included. The maintenance manager also determined that clear communication was needed with the stakeholders of the project to discuss the schedule, the realistic timelines, and the risks associated with the project in order to increase awareness up front. The maintenance manager committed to a meeting with stakeholders and to holding regular progress meetings with the team as a result of this risk review. With these activities and commitments determined, no additional project risk management was determined to be necessary at this point.

| Traditional | Risk Based |
|---|---|
| Inputs and outputs are single values. | Inputs and outputs are probability distributions. |
| Risk and uncertainty are addressed by adding generic padding to estimates. | Risk and uncertainty are explicitly and quantitatively evaluated. |
| Risk management is ad hoc. | Risk management is formalized and transparent. |
| Cost and schedule risk are unknown. | Cost and schedule risk are explicitly evaluated, documented, and monitored. |

Note: adapted from Sangrey et al., 2003.
Table 5.4. Traditional versus risk-based estimating techniques.

Quantitative analysis techniques, as discussed further in the following, generally involve the use of advanced statistical methods to determine, with a certain degree of confidence, whether the project will meet its cost or schedule targets given the combined effect of the identified project risks. As summarized in Table 5.4, instead of point estimates, a quantitative analysis takes a range of input values and generates a probability density function that describes all possible outcomes of an uncertain situation in terms of their likelihood of occurrence.

The information resulting from a risk-based analysis would allow a project manager to communicate, for example, that there is only a 60% chance that a project would reach completion within the desired time frame, the range of the expected completion time frame, and that providing greater certainty regarding the project’s completion date would require allocating resources to mitigate key risk drivers. Such detail would provide decision makers and other project stakeholders with a much more nuanced understanding of the true nature of the project risk on which to base subsequent decisions.

Probabilistic Modeling.
One of the most widely accepted quantitative analysis techniques is probabilistic modeling, a computer-driven methodology of simultaneously evaluating the impact of all identified risks to arrive at a defined probability distribution of the project’s cost, completion date, or other key project input or objective. The overall process is depicted in Figure 5.5.

Probabilistic modeling generally requires use of specialized risk analysis software packages and possibly outside risk analysts if such expertise is unavailable in-house. However, the associated investment of time and resources can be warranted if:
• Enough information is known about the risks to perform the analysis (i.e., the analysis is only as good as the input values),

Figure 5.5. Simulation inputs and outputs.

• The project is highly complex or critical, or
• Given project conditions and constraints, there is little flexibility or tolerance for cost or schedule overruns.

The general steps involved with probabilistic modeling are described in the following to provide an indication of both the power of this technique and the level of effort involved. Figures to illustrate the specific how-to procedures related to performing probabilistic modeling risk analysis can be found in Appendix C.

1. Define the Desired Output from the Analysis. At the outset, the project team should identify the goals of the analysis, bearing in mind that the question to be answered must be well-suited to mathematical modeling for the simulation to be effective. Cost, schedule, and integrated cost/schedule models have been widely used by several organizations, including the Port Authority of New York and New Jersey, the Federal Transit Administration, and various state departments of transportation across the United States, to develop risk-based project contingencies, refine project plans, and prioritize and define optimum risk response plans.
2. Validate the Project Scope, Cost, and Schedule. Before the effects of risk can be evaluated, the project team must have a clear understanding of the project’s base scope, cost, and schedule. If an objective of the quantitative analysis is to develop a transparent, risk-based contingency plan, the cost and schedule must be carefully reviewed to ensure that no excess reserves remain hidden in the cost or schedule.
3. Prioritize the Identified Risks. Referring to the risk register developed during the risk identification step, the main risks and uncertainties that could threaten or enhance project success are identified. Qualitative techniques may be used to support this activity.
4. Build a Base Model.
Quantitative risk analysis starts with the model of the project, such as its schedule or cost estimate, depending on the problem to be addressed. As most of the commercially available risk analysis software packages act as plug-ins to programs such as Microsoft Excel, it is often best to prepare the model using a spreadsheet.
5. Define Input Distributions. Inputs into the schedule or cost models are represented by probability distributions, recognizing that the actual cost or duration of each item is more accurately represented by a range of values rather than a single point estimate. The selection of the most appropriate distribution for a given situation is best done with the assistance of a skilled risk analyst with knowledge of the project environment. For each project cost or schedule element, the probability distributions are usually specified in terms of three points: the minimum, most likely, and maximum values. These values are often identified in a workshop setting with input provided by subject matter experts.
6. Run the Simulation. A number of commercial software packages are available to perform the simulation, which automates the process of iterating the project schedule and cost estimate computations, randomly drawing duration or cost values for each iteration from the probability distribution inputs. The details of how these tools work are outside the scope of this guidebook. The resulting output of the simulation is a probability distribution function of possible project outputs (e.g., completion dates, project costs) and their likelihood of occurrence.
7. Explore Results Using Sensitivity Analysis. The risk model can also be used to determine which tasks are most responsible for affecting project output (e.g., driving up costs, increasing the overall project schedule) or otherwise positively or negatively affecting project objectives.
Identifying the main risk drivers in this manner allows the project team to effectively target its proactive risk response strategies toward the most critical variables.

For more information on developing probabilistic modeling for cost and schedule, refer to Appendix C, which includes diagrams and figures to support the steps outlined in this section.

Quantitative risk analysis techniques are generally perceived as providing greater precision and analytical rigor than qualitative methods. However, the accuracy of a quantitative analysis is still limited by the quality and nature of the input data and the applicability of the model. Computer software greatly simplifies the analysis process for skilled risk practitioners. However, for users with less practice and experience, such tools can create false confidence, leading to misinterpretation or overreliance on model output. Quantitative tools should therefore never be used as a replacement for personal judgment.
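Steps 4 through 7 above, worked as a small Monte Carlo cost model. This is an added example, not taken from the guidebook or from any commercial risk package: the line items and their three-point dollar values are constructed for illustration, only the $12,000 target comes from the office build-out case study, and triangular distributions with independent line items are simplifying assumptions.

```python
import math
import random

# Step 4/5: base model with constructed three-point estimates in dollars,
# given as (minimum, most likely, maximum). Illustrative values only.
LINE_ITEMS = {
    "demolition_and_walls": (1800, 2500, 5000),
    "ceiling_tiles": (600, 800, 1100),
    "flooring": (1500, 2000, 3200),
    "power_and_data": (1800, 2400, 4500),
    "hvac_adjustments": (1200, 1800, 3500),
}
TARGET = 12_000  # material-cost ceiling stated in the case study


def pearson(xs, ys):
    """Pearson correlation, used here as a simple sensitivity measure."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    return cov / math.sqrt(var_x * var_y)


def percentile(sorted_values, p):
    """Value below which a fraction p of the sorted samples fall."""
    index = min(len(sorted_values) - 1, int(p * len(sorted_values)))
    return sorted_values[index]


def simulate(items=LINE_ITEMS, target=TARGET, iterations=20_000, seed=2014):
    """Step 6: draw every line item from its distribution on each iteration
    and sum. Step 7: rank items by how strongly they move the total."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    draws = {name: [] for name in items}
    totals = []
    for _ in range(iterations):
        total = 0.0
        for name, (low, likely, high) in items.items():
            cost = rng.triangular(low, high, likely)  # (low, high, mode)
            draws[name].append(cost)
            total += cost
        totals.append(total)

    ordered = sorted(totals)
    # Deterministic estimate: the sum of the "most likely" single values.
    base = sum(likely for _, likely, _ in items.values())
    p80 = percentile(ordered, 0.80)
    drivers = sorted(
        ((name, pearson(values, totals)) for name, values in draws.items()),
        key=lambda pair: pair[1],
        reverse=True,  # strongest cost driver first, as in a tornado chart
    )
    return {
        "base_estimate": base,
        "p_meet_base": sum(t <= base for t in totals) / iterations,
        "p_meet_target": sum(t <= target for t in totals) / iterations,
        "p50": percentile(ordered, 0.50),
        "p80": p80,
        "p95": percentile(ordered, 0.95),
        # Risk-based contingency: reserve needed on top of the base
        # estimate to reach 80% confidence, instead of a flat percentage.
        "contingency_p80": p80 - base,
        "drivers": drivers,
    }


if __name__ == "__main__":
    result = simulate()
    print(f"Base (sum of most-likely values): ${result['base_estimate']:,.0f}")
    print(f"Chance of meeting base estimate:  {result['p_meet_base']:.0%}")
    print(f"Chance of meeting ${TARGET:,} target: {result['p_meet_target']:.0%}")
    print(f"P50 / P80 / P95: ${result['p50']:,.0f} / "
          f"${result['p80']:,.0f} / ${result['p95']:,.0f}")
    print(f"Contingency to reach P80: ${result['contingency_p80']:,.0f}")
    for name, rho in result["drivers"]:
        print(f"  {name:<22} correlation with total = {rho:.2f}")
```

Because every constructed range is skewed toward overruns, the sum of the most-likely values sits well below the simulated median, which is the point the text makes about single-point estimates suggesting unwarranted precision.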

Other common tools used to analyze risks include failure mode and effects analysis, risk bow tie, and decision analysis. These tools are described in the following.

Failure Mode and Effects Analysis. This tool was introduced in the risk identification step as a way to conduct root-cause analysis to identify risks associated with a project. FMEA is also commonly used to qualitatively analyze risks. In addition to evaluating risk events based on probability and impact (as was the case with the P-I matrix technique discussed previously), FMEA adds the dimension of risk detectability (i.e., how likely you are to know if the potential risk event has occurred or is imminent) as a third analysis parameter. The product of these three parameters (impact, probability, and detection) is then used to prioritize risks.

Risk Bow Tie. A risk bow tie is a diagram that visualizes the risk being dealt with in one easy-to-understand picture. The diagram is shaped like a bow tie, creating a clear differentiation between proactive and reactive risk management. The power of a bow-tie diagram is that it gives an overview of multiple plausible scenarios in a single picture. It provides a simple, visual explanation of a risk that would be much more difficult to explain otherwise.

Decision Analysis. The decision analysis method identifies and formally assesses important aspects of a risk for prescribing a recommended course of action. The method uses prescribed steps to take a project team through the process of making a decision. The RACI (responsible, accountable, consulted, and informed) matrix helps identify and define the various roles in the decision-making process.

5.4 Outputs

Two general approaches have been discussed in this chapter for assessing project risks: qualitative and quantitative analysis.
The objectives, and hence the output, of each technique differ, as summarized in Table 5.5. Regardless of the analytical approach used, the results should be recorded in the risk register.

| Technique | Objectives | Typical Output |
|---|---|---|
| Qualitative | Subjectively evaluate the probability and impact of each risk. Prioritize risks for risk response planning or for additional analysis using quantitative techniques. | Prioritized listing of risk, as recorded in a risk register. |
| Quantitative | Numerically analyze the effect of identified risks on overall project objectives. Determine which activities or elements contribute the most to project objectives. | Numerical analysis of the project’s likelihood of achieving its overall objectives. Possible deliverables include: cost and/or schedule curves showing the relative likelihood of meeting targets, tornado diagrams identifying the key risk drivers, and contingency recommendations. |

Table 5.5. Risk analysis output.

5.5 Best Practices

The risk analysis effort should generally conform to the following principles and best practices:
• Collect High-Quality Input Data and Recognize Bias. To ensure useful output is generated from the risk analysis step, it is important to start with accurate and unbiased data. Just as with the identification step, data gathered from individuals during the analysis step are subject to bias. To help mitigate such bias (whether conscious or not), consider using a qualified facilitator or project-independent subject matter experts to manage the analysis process. The quality of the data can also drive the analysis approach. For example, with minimal or highly subjective information, performing a quantitative analysis may not be practical or may suggest a level of precision that is not warranted from the input data.
• Establish a Standard Format for Evaluating and Reporting Risks. Instructing participants to follow a disciplined, consistent process for analyzing risk is important, especially given the differing attitudes and tolerances individuals may bring to the analysis step. Defining up front the risk definitions to apply to the particular project can help avoid false starts (e.g., “high probability” and “high impact” should mean the same thing to all participants in the risk management process).
• Calibrate Participants Involved in Analyzing Risks. Calibrating the participants will reduce overconfidence and underconfidence biases in estimating risk probability and impact. Calibration is the process of setting everyone to a common starting point. Determine what the values in the probability and impact matrix mean to the group so that the process begins with equal values.
• Engage Stakeholders. Increased collaboration and communication between project team members and key stakeholders can enhance the assessment of key risks and opportunities.
• Modeling Is Beneficial to Understanding the Risks Resulting from Phasing Scenarios of a Large, Complex Project. Use modeling analysis techniques in order to determine critical paths for projects and additional clarity in understanding the uncertainty of project risks. Resulting tornado charts will visually provide scaled results from highest to lowest degrees of risk influence.
• Review Results for Reasonableness. All risk analysis techniques are subject to some limitations. For this reason, the project team should carefully review the results for reasonableness prior to proceeding to the response planning step. In addition, when quantitative methods are used, the team should recognize that while computer software can greatly simplify the analysis process for skilled risk practitioners, for those users with less practice and experience, such tools can create false confidence, leading to misinterpretation of model output. Quantitative tools should therefore never be used as a replacement for expert judgment.

5.6 Summary

Risk analysis provides a systematic and structured methodology by which project teams can evaluate and prioritize risks for subsequent proactive response planning. This process is an inherently scalable activity, and the approach and resource commitment applied should be commensurate with the complexity of the project and the information available.

Both qualitative and quantitative risk analysis techniques have been presented in this chapter. As noted in Table 5.2, both techniques hold unique advantages and disadvantages that should be carefully weighed when considering how best to analyze project risk:
• Qualitative techniques tend to be easier to apply and are generally sufficient as a screening or prioritizing tool to determine which risks are significant enough to warrant further analysis or response planning.
• Quantitative analysis is an attempt to determine how much combined risk the project contains and to identify the key risk drivers to allow the project team to more efficiently and effectively allocate project resources. Given the greater level of effort involved in conducting quantitative analysis, it is generally reserved for larger or more complex projects.

Table 5.6 discusses how the techniques in this chapter can be tailored based on the perceived level of risk facing the project. See the following excerpt from the case study on taxiway reconstruction for a discussion of project risk analysis.

| Low Risk (Simple or Small-Scale Projects) | High Risk (Large, Critical, or Complex Projects) |
|---|---|
| Conduct an informal team meeting to determine the level of risk analysis that is necessary or if it is possible to proceed directly to risk response planning. | Identify risk analysis resources based on the level of analysis defined in the risk management plan. |
| If analysis is necessary, conduct a qualitative risk analysis of the key project risks, convening a risk workshop if necessary to obtain input data or to validate results. | Conduct a structured risk analysis workshop with internal and/or external subject matter experts and outside expert facilitation. |
| Document the identified risks in a risk register. | Document results in the risk register. |

Table 5.6. Scaling the risk analysis step.

Case Study: Taxiway Reconstruction – Project Risk Analysis

Returning to the case study first introduced in Chapter 4, the following discussion focuses on how the project team applied the techniques discussed in this chapter to analyze the previously identified risks. The complete case study is presented in Appendix A.

Risk Analysis

Once the risks were identified, analysis was performed using the risk register. A rating of 1 through 5 was assigned to qualitatively analyze the probability of the risk occurring as well as the impact of the risk occurrence on the project. The risk rating applied was the product of the probability multiplied by the impact. This equation was used to produce a ranked list of risks for the response planning discussion.
The results of this analysis allowed the team to focus on the highest combined impact and probability risks in order to determine actions for responses.

CHAPTER 6
Project Risk Response Planning

Once risks are identified and evaluated as described in Chapters 4 and 5, respectively, the following question remains: What is the best approach for managing this risk (or exploiting this opportunity)? The step of risk response planning attempts to answer this question by determining if the identified risks can be:
• Accepted on the basis that the risk and its consequences are minimal or the preventative response would not be feasible;
• Transferred to the contractor or other third party in a manner that is equitable and consistent with the project goals (Note: Risks that are transferred to the contractor or other third party must be managed within their project plan.);
• Mitigated by taking certain actions that are expected to reduce the probability of the risk event occurring or its expected impact; or
• Avoided by eliminating the root cause.

6.1 Key Activities

6.1.1 Process Step Overview

Risk response planning entails the identification, evaluation, and selection of options to set risk at acceptable levels given project constraints and objectives. Tasks to be performed under risk response planning include determination and documentation of:
• What should be done,
• When it should be accomplished,
• Who is responsible, and
• How the response should be funded (if there is an associated cost).

Key steps are identified in the following and discussed in further detail in Section 6.3.
• Brainstorm strategies to bring the identified risks to an acceptable level, given the organization’s risk threshold.
• Estimate the cost associated with the implementation strategies.
• Compare the benefits of response actions to their estimated cost.
• Assign individuals to take responsibility for the response action (risk owner).
• Document results and proceed to risk monitoring and control (see Chapter 7).

Project Risk Response Planning
Key Activities: Identify feasible response strategies for high-priority risks; allocate risks to the parties best able to manage them
Input: Prioritized list of risks
Tools and Techniques: Risk register
Outputs: Risk response plan

6.1.2 Timing

Risk response planning follows risk analysis, but like the other steps in the risk management process, it is iterative in nature since many of the project characteristics that could affect response strategies (e.g., scope, resources, internal and external environments) change over time.

6.1.3 Participants

The project team may have sufficient expertise and knowledge to determine the appropriate response strategies. However, it may be necessary to seek input from internal and external subject matter experts as well as contractors and suppliers to determine the most cost-effective response approach. Table 6.1 outlines the roles and responsibilities for the project risk response planning step.

6.2 Inputs

To develop a feasible risk response strategy, the project team should start with the prioritized listing of risks developed as part of the risk analysis step. In addition, as with the risk identification step, to reach consensus on the optimal response strategy, the project team must share a mutual understanding of the project’s needs and goals. Information from past projects and other historical data, if available, may also provide useful insight into effective mitigation techniques.

6.3 Tools and Techniques

6.3.1 Identifying Possible Response Strategies

Based on the list of prioritized risks and opportunities developed during the risk analysis step, the project team should develop the optimal response strategy that balances the consequence posed by each risk against the resources needed to manage that risk to an acceptable level. This determination is often performed in a workshop setting.

Risk response strategies should be continually reviewed for their affordability, achievability, and effectiveness.

| Role | Typical Responsibilities |
|---|---|
| Senior Management | Reviews results; provides guidance if necessary. |
| Project Sponsor | Reviews results; provides guidance if necessary. |
| Project Manager | Approves project risk response plan. Appoints risk owners for each identified risk. Coordinates with risk owners to monitor risks and implementation of response strategies. |
| Project Team Members | Assist the project manager in developing and implementing the risk response plan. |
| Risk Owner | Assumes responsibility for managing a specific identified risk. Develops and implements responses to the risk. |
| Risk Analyst | Manages risk, opportunity, and response probability distributions based on outputs of risk identification, monitoring, and control. Supports risk owner and project manager in development of risk response strategies. |

Table 6.1. Project risk response planning roles and responsibilities.

The primary options available for responding to risks include the following:
• Accept. Risk acceptance involves adopting the risk, either without further action or in conjunction with establishing a contingency plan to be implemented if the risk occurs.
• Transfer. Risk transference involves shifting the risk to the party that is best able to manage it. For example, an owner could transfer the risk of construction unknowns to the contractor. Such action would only reduce the risk if the contractor were capable of managing the risk. Contractor transference tools can include the use of risk premiums, insurance, performance bonds, warranties, guarantees, incentive/disincentive clauses, and A + B contracts.
• Mitigate. Risk mitigation entails proactively reducing the potential impact and/or probability of the risk, recognizing that early action focused on potential causes for risks to occur is often more effective than trying to repair the damage after the risk has occurred. However, mitigation may require expenditure of valuable resources or time, so any upfront investment must be balanced against the benefit of risk reduction. Examples of mitigation actions are increasing the number of parallel activities in the schedule, early involvement of regulatory agencies in the project, and early and continuous outreach to communities/advocacy groups. In the case of positive risk events, the approach would be to enhance opportunities to increase the likelihood that they would occur.
• Avoid. Avoiding or eliminating the risk requires identification and elimination of the root cause, and typically involves design changes, process changes, or policy actions (e.g., relaxing constraints by adding time or resources). Some risks that are identified early in the project development process can also be eliminated by obtaining more information.
For example, conducting additional site investigations (at a cost to the project) may reduce uncertainties regarding unforeseen conditions. Avoidance is generally considered the most desirable response strategy; however, selecting this option requires the availability of a suitable, cost-effective alternative to the originally planned approach. To exploit opportunities, this option would entail removing the uncertainty to ensure that the opportunity will definitely occur.

The primary options available for responding to opportunities include the following:
• Accept. Acknowledgment of an opportunity and the possibility of being able to take advantage of it during the project.
• Capitalize. There may be a variety of different ways an opportunity could be exploited, but every reasonable outcome is addressed such that the result is positive gain within the project scope, schedule, or budget.
• Enhance/Grow. Foster the impact an opportunity has on a project so that it will occur within the duration of the project to be a benefit.
• Share. Partner with some other organization or person to increase the probability of achieving the desired outcome.

6.3.2 Selecting the Optimal Risk or Opportunity Response Strategies

Similar to the risk identification and analysis steps, the evaluation of response alternatives is best done in a workshop setting, with knowledgeable participants working to collaboratively identify and quantify the optimum risk response strategies. When evaluating the alternatives, the participants should consider the following:
• The project’s objectives and whether the option aligns with the stated project goals;
• The feasibility of the option given funding, resource, and schedule constraints;
• The expected effectiveness of the risk response strategy;
• The results of a cost–benefit analysis; and
• The impact of the risk response strategy on other portions of the project or other ongoing/future projects.

To make the most efficient use of resources, it is important to tailor the risk response strategies to the nature and magnitude of the risks defined in the risk analysis. A simple way for project teams to begin to think about risk response is displayed in the matrix shown in Figure 6.1. For example, for a risk falling in the upper right quadrant, representing those that have both a high likelihood of occurring and a potential for causing a large impact on project objectives, it may be best to first consider avoidance strategies.

As a starting point for identifying responses, Figure 6.1 suggests some possible response strategies to correspond to the general airport risk categories first presented in Table 4.2. Similarly, response strategies can be categorized for opportunities. Figure 6.2 represents a guideline for opportunities.

6.3.3 Establishing Contingency

For cases where risks cannot be avoided and mitigation efforts will not fully bring the risk to an acceptable level, project teams can establish and set aside contingency funds and schedule allowances to handle expected risk events.

Developing risk-based contingency plans allows the project team to formally plan for risk events instead of adding generic reserves to cost and schedule estimates. When contingencies are arbitrarily established, a project’s actual cost and schedule tend to gravitate toward the estimates regardless of whether the contingencies are truly used to mitigate the identified risk. The formality and transparency imposed by the quantitative analysis techniques discussed in Section 5.3.2 can help reinforce the need to control and monitor contingency usage. If used appropriately, contingency funds should only be tapped if mitigation strategies fail.
Ideally, only a portion of the set-aside contingency should be consumed, making it unnecessary to establish cost and schedule reserves for each and every contingency plan. If the risk management plan includes quantitative analysis, probabilistic modeling that accounts for the combined effect of all identified project risks can be used to develop the appropriate cost and/or schedule reserves.

Table 6.2 provides a list of possible risk factors for each risk group, categorized by typical project locations found on airport property. Each of these groups and factors includes a list of possible risk response strategies. This complete table can be used when planning for risk management or brainstorming possible risks to consider for a project.

| Likelihood | Small Impact | Large Impact |
|---|---|---|
| High | Transfer | Avoid |
| Low | Accept and Monitor | Mitigate |

Figure 6.1. Simple risk response matrix.

| Likelihood | Small Impact | Large Impact |
|---|---|---|
| High | Enhance | Capitalize |
| Low | Accept | Share |

Figure 6.2. Simple opportunity response matrix.

Table 6.2. Possible risk responses for general airport risk categories.

Columns: Risk Groups; Potential Risk Factors by Project Location (Airside/Airfield; Landside (Civil and Buildings); Terminal (Secure and Non-Secure)); Possible Risk Response Strategies

Airline/Aircraft Operational Impact: Security Dependencies Interfaces Regulatory Interfaces Security Interfaces Coordination plans Work hour restrictions Alternate routes
Continuity of Operations: Site conditions Dependencies Resources Security Site conditions Dependencies Resources Dependencies Resources Coordination plans Work hour restrictions Temporary power Temporary HVAC
Customer Impact: Air service Customer and political Customer and political Work hour restrictions Signage Alternate routes
Environmental: Regulatory Customer and political Regulatory customer and political Public relations Regulatory customer and political Pollution prevention plans
Regulatory: Regulatory changes Suppliers and contractors Regulatory changes Suppliers and contractors Regulatory changes Suppliers and contractors Coordination design review Contract language
Reputational/Image: Not a significant source of potential risk factors Customer and political Public relations Customer and political Public relations Public relations Community outreach
Revenue/Financial: Funds availability Market conditions Financial capacity Market conditions Financial capacity Market conditions Phasing Project timing
Safety: Safety Suppliers and contractors Requirements Safety Suppliers and contractors Permitting Safety Suppliers and contractors Permitting Lock-out/tag-out Personal protective equipment (PPE) Safety briefings
Security: Design Security Requirements Design Design Security Requirements Training Badging Inspection
Unforeseen Conditions: Site conditions Site conditions Site conditions Additional site investigation
Wildlife Management: Design requirements Not a significant source of potential risk factors Not a significant source of potential risk factors Fence height Habitat removal
Market Conditions: Air service Suppliers and vendors Contractors Suppliers and vendors Contractors Outreach to business community Active recruitment Escalation clauses in contracts

6.4 Outputs

Once the alternatives have been analyzed, the selected response actions should be documented either by expanding the existing risk register or preparing a stand-alone risk response plan. The following information should be recorded (if not already included in the risk register):

• A description of the identified risk (including a summary of the scope, schedule, and cost impacts; likelihood of occurrence; impact; and whether the risk is within the control of the airport or a third party);
• Identification of the chosen risk response strategy (i.e., mitigate, avoid, accept, transfer), accompanied by a description of the risk response plan; and
• Cost to respond (i.e., estimated value of the cost to implement the chosen response).

6.5 Best Practices

Risk response planning should generally conform to the following principles and best practices:

• Consider Project Objectives. To determine the optimal response strategies, it is important to consider project objectives. It is rarely possible to optimize quality, time, and cost goals on a single project, and therefore, trade-offs may be necessary to ensure that the primary goals are achievable. Understanding the relative importance of individual project goals will help the project team make informed decisions regarding the optimal response strategies to increase the likelihood of achieving the primary project goal (e.g., enhanced quality), even if at the expense of secondary goals (e.g., cost).
• Consider Risk Prioritization. The prioritization of risks resulting from the risk analysis step should, for the most part, drive the allocation of resources to reducing the risks to acceptable levels. However, it may be useful to address small or insignificant risks immediately if it would be quick and low in cost to do so.
• Engage Stakeholders. Increased collaboration and communication between project team members and key stakeholders can enhance the identification and development of possible risk response strategies.
• Incorporate the Planned Responses into the Overall Project Management Plan. The planned responses should be incorporated into the overall project management plan to the extent that they affect the project budget, schedule, and resource assignments.
• Assign a Risk Response Owner. Each risk response should be assigned a single owner who has clear responsibility and accountability for its execution. This individual may or may not be the same as the overall risk owner.

6.6 Summary

Risk response planning entails identifying and implementing actions to address the identified risks and bring them to acceptable levels. Like all of the steps in the risk management process, risk response planning is a scalable activity, as summarized in Table 6.3. See the continuation of the excerpt from the case study on taxiway reconstruction for more discussion of project risk planning. The risk register included in Part 3 of this guidebook can be used to document response planning.

Table 6.3. Scaling risk response planning.

Simple or Small-Scale Projects:
• Conduct an informal team meeting to brainstorm possible response strategies
• Complete the response plan’s appropriate project document, such as the risk register or project plan

Large, Critical, or Complex Projects:
• Conduct a structured risk management workshop with internal and/or external subject matter experts, as necessary
• Perform cost–benefit analysis to determine the optimal response strategies
• Consider establishing risk-based cost or schedule contingencies
• Document the response plan in the risk register

Case Study: Taxiway Reconstruction – Project Risk Response Planning

Returning to the case study first introduced in Chapter 4, the following discussion focuses on how the project team applied the techniques discussed in this chapter to plan its response strategies. The complete case study is presented in Appendix A.

Risk Response Plan

During the risk workshop, after analysis was complete, actions were identified and captured in the risk register to respond to risks according to the perceived severity and probability of each risk occurring. The response was determined using a standard choice of activity, including to avoid, transfer, mitigate, or accept. A clear action to be taken was then documented along with an estimated cost for the response itself. Status was updated as the response activity occurred throughout the project progress.

CHAPTER 7

Project Risk Monitoring and Control

Project risk monitoring entails those actions needed to respond to these questions: “How are things going?” “Do any of the steps in the project management process need to be revisited?” The step of risk monitoring and control attempts to answer these questions by:

• Monitoring:
  – Reviewing regular project status updates; and
  – Reviewing implementation and effectiveness of risk response plans.
• Control:
  – Implementing, adjusting, or choosing alternate response strategies;
  – Taking corrective action;
  – Escalating risk management activities;
  – Identifying and revisiting steps in the project risk management process; and
  – Identifying potential preventive actions.

Project Risk Monitoring and Control

Key Activities:
• Monitor effectiveness of response strategies
• Reevaluate risk response strategies as appropriate to improve outcomes
• Document lessons learned for application on future projects

Inputs:
• Risk register
• Project status reviews
• Project measures

Tools and Techniques:
• Risk register

Outputs:
• Updated risk response strategies
• Updated risk management plan
• Documentation of lessons learned

7.1 Key Activities

7.1.1 Process Step Overview

A typical element of project management is periodic project status reviews/meetings. During these reviews, progress toward implementation of risk response strategies and results should be included. This review allows the project team to:

• Assess the effectiveness of the risk response strategies,
• Identify if any additional risks have arisen or new risks should be added, and
• Determine if risk prioritization should be adjusted.

7.1.2 Timing

Risk monitoring and control continues for the life of the project, is iterative in nature, and should actively occur at routine intervals. As the project progresses, the list of project risks may change as new risks develop or previously anticipated risks fail to materialize. Risk monitoring and control activities may also be conducted when performance targets or risk thresholds are exceeded. The conclusion of this step is typically an after-action review or an assessment of lessons learned.

7.1.3 Participants

The resources committed to the risk monitoring and control effort should be scaled to the complexity of the risk response plan.

The responsibility for project monitoring is typically defined in the risk management plan. Control activities include input from the risk owner, project team members, and subject matter experts from design, construction, maintenance, operations, security, the FAA, the TSA, airlines, environmental groups, and other affected functional areas and business partners. Table 7.1 outlines the roles and responsibilities for the project risk monitoring and control step.

Table 7.1. Project risk monitoring and control roles and responsibilities.

Role: Typical Responsibilities
• Senior Management: Receives regular updates on status of project risk management plan.
• Project Sponsor: Receives regular updates on status of project risk management plan. Supports resource requirements as required.
• Project Manager: Regularly reports risk status to key stakeholders, offering recommendations for appropriate response actions to maintain acceptable risk exposure within established risk tolerance of organization.
• Project Team Members: Participate in monitoring of risk response plans and identification of potential new risks and opportunities and provide input to project manager for risk reports.
• Risk Owner: Monitors effectiveness of risk response plans, takes appropriate corrective actions, identifies necessary modifications to risk response strategies, and reports progress to the project manager by updating the risk register as necessary.
• Risk Analyst: Manages risk, opportunity, and response probability distributions, based on outputs of risk identification, monitoring, and control.

7.2 Inputs

The effectiveness of the response strategies, identified on the risk register, is the key input to risk monitoring and control. Effectiveness is typically based on performance related to identified measures or standards, risk review, and project issues reporting, and is reviewed through routine project status or review meetings.

7.3 Tools and Techniques

Various techniques and tools can be used to monitor and control risks, the most common of which are described in the following. These techniques may be used alone or in combination, depending on the approach that is best suited to the risk response strategies and the information and resources available.

Project Management/Status Meetings. Monitoring and control activities within project management include routine review, recording, and communication of project performance, including performance of defined risk response strategies. These reviews, using the updated risk register, indicate the occurrence of new or potential risks as well as the effectiveness of risk response strategies. At the completion of a project, after-action reviews identify lessons learned and best practices to apply to future projects.

Performance, Variance, and Trend Analysis. This analysis is used to monitor project performance against the schedule, budget, or technical standards defined in the project objectives or risk response plan. Significant variations or unfavorable trends may indicate the need for further risk identification, analysis, or response planning. Methods may include control charting, trend analysis, and performance-to-standard monitoring.

Reserve/Contingency Analysis. Risk events may occur with a positive or negative impact on planned contingencies. Contingency analysis evaluates the sufficiency of the contingency amount by comparing planned to remaining contingency reserve to the remaining risk. Contingency analysis may also serve as an input to the lessons learned.

Risk Audits. The effectiveness of risk responses is evaluated through predefined and scheduled risk audits. These are typically reserved for large, complex projects, and requirements are defined in the risk management plan.

7.4 Output

Risk monitoring and control documents like project status reports may include information such as risk response effectiveness measures, project progress to outcomes, and performance to schedule and budget. The risk management plan may be used to record the information necessary to close out the project’s risk management activities. For example, such information may include:

• For each risk identified, information regarding whether it occurred, its impact, effectiveness of response and/or control actions, and any unplanned actions that had to be implemented;
• Effectiveness of avoidance, transfer, and/or mitigation actions;
• Closure of mitigation actions:
  – Performance bonds,
  – Retainage,
  – Compliance audits, and
  – Return of contingency equipment;
• Unexpected or undocumented risks encountered;
• Verification of warranties;
• Transfer of project ownership; and
• Closure of implications related to scope, schedule, and budget.

7.5 Best Practices

Risk response planning should generally conform to the following principles and best management practices.

• Report on Risks Regularly. A fundamental aspect of project risk management is the review and timely communication of the results of risk monitoring and control activities to the project team and other key stakeholders. This provides the opportunity to give positive feedback for well-managed efforts, to escalate the response to risks that may not have been previously identified, and to make necessary revisions to risk response strategies before issues arise.
• Close-Out of Contingency Activities. These activities may become part of the lessons learned.
• Capture the Risk Environment. As previously described, risks are future events or potential problems creating uncertainty regarding a project’s success. In contrast, issues are problems that have already occurred and require resolution. Risk control should include maintenance of risk documentation and capturing the environment and history when risks become issues.
• After-Action Reviews. Documentation of lessons learned increases institutional knowledge and supports continuous improvement. Lessons-learned documents should include successes and opportunities for improvement.

7.6 Summary

Risk monitoring and control evaluates the effectiveness of the risk management plan, provides a coordination vehicle with management and other stakeholders to reevaluate risk response strategies as appropriate, and may be used as input to lessons learned for future projects. Like all of the steps in the risk management process, risk response monitoring and control is iterative and is a scalable activity, as summarized in Table 7.2. See the following excerpt from the case study on taxiway reconstruction for more discussion of risk monitoring and control.

Table 7.2. Scaling risk monitoring and control.

Simple or Small-Scale Projects:
• Monitor performance to standards
• Conduct informal project status updates to update members on the results of project risk management activities
• Document monitoring results in the appropriate project document, such as the risk register or project plan

Large, Critical, or Complex Projects:
• Conduct formal project update meetings and after-action reviews to update stakeholders on the results of project risk management activities
• Monitor performance to standards, variance analysis, and trend analysis
• Perform reserve/contingency analysis
• Consider inclusion of risk audits in the risk management plan
• Document results of monitoring and control activities in the risk register and project review reports

Case Study: Taxiway Reconstruction – Risk Monitoring and Control

Returning to the case study first introduced in Chapter 4, the following discussion focuses on how the project team applied the techniques discussed in this chapter to monitor the identified risks. The complete case study is presented in Appendix A.

Risk Monitoring and Control

The monitor and control step was managed in daily project progress meetings with all stakeholders attending. These meetings included risk review and project issues reporting. The results captured in the risk register were solely the risk review items. Project issues were documented and shared with the whole team through project management status reporting. Project progress issues were identified and conflict resolved as much as possible in the meeting. Project monitoring and control followed the project life-cycle phases, and project issues that occurred that were not identified as risks early in the planning process caused a need to revisit the project risk management plan and conduct a brief version of identification, analysis, and response to update the risk register.


TRB’s Airport Cooperative Research Program (ACRP) Report 116: Guidebook for Successfully Assessing and Managing Risks for Airport Capital and Maintenance Projects establishes a step-by-step process for evaluating and managing risk for capital and maintenance projects that can be scaled depending on the complexity of the project. Chapter 8 is structured to be a quick user’s guide.
