Managing Uncertainty and Risk on the Project

From apppm
(Difference between revisions)
Jump to: navigation, search
(Practice of managing risk and uncertainty)
 
(105 intermediate revisions by one user not shown)
Line 1: Line 1:
 +
''Developed by Daniel Agervig Krogh''
  
== Abstract ==
 
 
One of the most challenging aspects in projects is to manage the risk and the uncertainty. Yet with the knowledge we possesses, it is a topic, which for many is difficult to handle. Many stakeholders are involved in the projects and therefore might have different opinions of what is the best solution approach is. The majority of people tends to think in deterministic terms of an optimal solution instead of probabilistic terms of a robust solution. This article will highlight the main differences of the risks and the uncertainties in a portfolio management. The risk management processes will be clarified in its four stages, where the identification of the problem, assessment of the risks, how to respond to the risks and lastly how to control the risks. To assess the risks, a risk-management process tool will be utilized and further explained.
 
  
 +
One of the most challenging aspects in projects is to manage the risk and the uncertainty. Yet with the knowledge we possesses, it is a topic, which for many is difficult to handle. Many stakeholders are involved in the projects and therefore might have different opinions of what is the best solution approach is. The majority of people tends to think in deterministic terms of an optimal solution instead of probabilistic terms of a robust solution. This article will highlight the main differences of the risks and the uncertainties, which relates to ([https://en.wikipedia.org/wiki/Project_management Project management]. The risk management processes will be clarified in its four stages, where the identification of the problem, assessment of the risks, how to respond to the risks and lastly how to control the risks. To assess the risks, a risk-management process tool will be utilized and further explained and management a tool, impact/probability matrix, will be applied to be a part of the process.
  
 
== Definition ==
 
== Definition ==
[[File:Billede_1.jpg|300px|thumb|right|'''Figure 1:''' The relationship between risk, uncertainty and the opportunities]]
+
[[File:Billede_1.jpg|300px|thumb|right|'''Figure 1:''' The relationship between risk, uncertainty and the opportunities <ref name="Elec"> Yu Shiwang, Guo Na (2013) ''Lecture Notes in Electrical Engineering'', Vol.218 PP.815-822</ref>]]
Risk and uncertainty has many different definitions and can be hard to settle down to only one way to define it. Risk management had their origins in the insurance industry in USA in the 1940s. Project Portfolio management refer not only to a single project or a single program, but all projects and programs of it. When talking about risk, people often link it together with uncertainty, while others refer to it as opportunity. Risk can also be defined as a combination of the probability of an event and its consequences. There is a relationship between risk, uncertainty and opportunities. This is illustrated in Figure 1.  
+
Risk and uncertainty has many different definitions and can be hard to settle down to only one way to define it. Risk management had their origins in the insurance industry in USA in the 1940s. Project management can be explained as a discipline where projecting or planning, organizing, motivating and controlling resources to achieve specific goals and meet the specific criteria’s. When talking about risk, people often link it together with uncertainty, while others refer to it as opportunity. Risk can also be defined as a combination of the probability of an event and its consequences. There is a relationship between risk, uncertainty and opportunities. This is illustrated in Figure 1. <ref name="Elec"> Yu Shiwang, Guo Na (2013) ''Lecture Notes in Electrical Engineering'', Vol.218 PP.815-822</ref>
  
[[File:Three_classes_of_statements.jpg‎|495px | thumb|right |'''Figure 2:''' Three classes of statements of risk and uncertainty]]
+
The definition of uncertainty is:
Risk can within Portfolio Project Management be classified into three different classes. The first class is the with the negative aspects. The second class is related to the uncertain, which is the unknown and unexpected issues. The third is correlative to possibility and result. In Figure 2, it can be seen who as classified what into the three categories.
+
  
 +
''“An unexpected event, if it occurs, may have either no effect or a good or bad effect on at least one of the project’s objectives and success.“''<ref name="Elec"> Yu Shiwang, Guo Na (2013) ''Lecture Notes in Electrical Engineering'', Vol.218 PP.815-822</ref>
  
The authors states project failure is highly connected with uncertain event (uncertainty). Uncertainty includes three different consequences, and the first is good for the project / portfolio, the second has no effect on the result for the project, and the last is harmful for a project success and objective. The first consequence of uncertainty seen as an opportunity for the project / portfolio. The second can be explained by something uncertain occurring throughout the life cycle of the project but the result of the uncertain event is either good or harmful for the project’s objective and success. And based on that we can say that uncertainty has no effect on the project. According to this section, the following definition of uncertainty is:
 
“An unexpected event, if it occurs, may have either no effect or a good or bad effect on at least one of the project’s objectives and success.“
 
 
And risk is defined as:
 
And risk is defined as:
“An uncertain event or situation, if it occurs, may have threat(s) or bad effect(s) to at least one of the project’s objectives and success”
 
  
[[File:Uncertainty.jpg‎|300px | thumb|right|'''Figure 3:''' Uncertainty over time]]
+
''“An uncertain event or situation, if it occurs, may have threat(s) or bad effect(s) to at least one of the project’s objectives and success”''<ref name="Elec"> Yu Shiwang, Guo Na (2013) ''Lecture Notes in Electrical Engineering'', Vol.218 PP.815-822</ref>
Risks and uncertainties has a big role in projects. The uncertainty is by definition the lack of the information that is available to take a decision at a given time. In Figure 3 it is illustrated the difference between the information required and the actual information available. Uncertainty have two sources and the first source is the complexity, which is where the information is available, but is too costly to collect and analyse. Second is the predictability, which is where you are able to predict uncertainties, based on previous experiences.  
+
  
[[File:Learning_loops.jpg‎|300px | thumb|right |'''Figure 4:''' Risk sources and risk events and how to approach them]]
+
[[File:Uncertainty.jpg‎|300px | thumb|right|'''Figure 2:''' Uncertainty over time <ref name="Construction"> Winch Graham M. (2010) ''Managing Construction Projects” An Information Processing Approach'', Second edition, PP. 3-8 and PP. 346-366</ref>]]
In the beginning of the a project the uncertainty is very high and depending on the size of the project and to decrease the mission uncertainty it can some extend be used e.g. standardised components and solutions etc. As a project moves forward more information will become available and therefore the dynamic uncertainty will be decreased since some parts of the project will be finished and therefore has less impact on the actual uncertainties. To understand the relation between risk and uncertainty, Figure 4 illustrates the risk sources which indicate the underlying condition that can generate a possible risk event. The management team can respond to the risk source and can plan to respond when or if the risk event occurs. The model explains in short terms how you can prepare the risk sources and events.  
+
Risks and uncertainties has a big role in projects. The uncertainty is by definition the lack of the information that is available to take a decision at a given time. In Figure 2 it is illustrated the difference between the information required and the actual information available. Uncertainty have two sources and the first source is the complexity, which is where the information is available, but is too costly to collect and analyse. Second is the predictability, which is where you are able to predict uncertainties, based on previous experiences.
 +
 
 +
[[File:Learning_loops.jpg‎|300px | thumb|right |'''Figure 3:''' Risk sources and risk events and how to approach them <ref name="Construction"> Winch Graham M. (2010) ''Managing Construction Projects” An Information Processing Approach'', Second edition, PP. 3-8 and PP. 346-366</ref>]]
 +
In the beginning of the a project the uncertainty is very high and depending on the size of the project and to decrease the mission uncertainty it can some extend be used e.g. standardised components and solutions etc. As a project moves forward more information will become available and therefore the dynamic uncertainty will be decreased since some parts of the project will be finished and therefore has less impact on the actual uncertainties. To understand the relation between risk and uncertainty, Figure 3 illustrates the risk sources which is an element that is alone or in combination with others to rise to risk. <ref name="Guide">  (2009) “ISO Guide 73” – Risk management Vocabulary </ref> The management team can respond to the risk source and can plan to respond when or if the risk event occurs. The risk event is an occurrence or change of the circumstances. An event can be one or more occurrences and have several causes and can be referred as an incident or accident, but can also be without consequences. That can be a near miss, incident, a near hit or close call. The model explains in short terms how you can deal with the risk sources and events.  
 
   
 
   
[[File:Four_stages.jpg‎‎|300px | thumb| right|'''Figure 5:''' Four stages of knowledge]]
+
[[File:Four_stages.jpg‎‎|300px | thumb| right|'''Figure 4:''' Four stages of knowledge <ref name="Construction"> Winch Graham M. (2010) ''Managing Construction Projects” An Information Processing Approach'', Second edition, PP. 3-8 and PP. 346-366</ref>]]
The relationship between risk source is thus the dimensions of the risk source, the impact of the risk and the to which extent the management team can respond to the risk source and events.
+
The relationship between risk source is thus the dimensions of the risk source, the impact of the risk and to which extent the management team can respond to the risk source and events.
 
The understanding of risk in relation the probability is divided up into four terms:
 
The understanding of risk in relation the probability is divided up into four terms:
 +
 
* The objectivist believes that a sample of previous observations can be used for predicting the future risk sources. The predictions rely therefore on statistics inferred from experience.
 
* The objectivist believes that a sample of previous observations can be used for predicting the future risk sources. The predictions rely therefore on statistics inferred from experience.
* The logical could be an engineer who is solving problems with an engineered system. Engineers’ understanding of the design and the scientific properties they might be able to identify risk sources and therefore possible risk events. It rely closely up against the basis of FMEA.
+
* The logical could be an engineer who is solving problems with an engineered system. Engineers’ understanding of the design and the scientific properties they might be able to identify risk sources and therefore possible risk events. It rely closely up against the basis of ([https://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis Failure mode and effects analysis]).
 
* The subjectivist rely mostly on subjective decisions. That means that despite from the information available, the observer might consider other factors than just historical facts. Therefore might there not be a clear result from two different subjectivists in the same situation unless it is an obvious decision.  
 
* The subjectivist rely mostly on subjective decisions. That means that despite from the information available, the observer might consider other factors than just historical facts. Therefore might there not be a clear result from two different subjectivists in the same situation unless it is an obvious decision.  
* The behavioural has focus on the actual behaviour with the decision-making under uncertainty. Therefore it is relied on how decisions are made in practise.  
+
* The behavioural has focus on the actual behaviour with the decision-making under uncertainty. Therefore it is relied on how decisions are made in practice.  
 
When managing risks and uncertainties, the four different terms is important when looking at decision-making. There is a difference between the definition of uncertainty and risk where there is probability of a risk event could occur.  The reason is the subjective term where the decision-maker has an impact on the outcome where the decision is not relied on historical event and statistics.
 
When managing risks and uncertainties, the four different terms is important when looking at decision-making. There is a difference between the definition of uncertainty and risk where there is probability of a risk event could occur.  The reason is the subjective term where the decision-maker has an impact on the outcome where the decision is not relied on historical event and statistics.
The underlying definition of risk and uncertainty can be divided into four different stages of standpoints, which is defined as the cognitive standpoint. They are stated as follows:
+
When trying to understand the underlying definition of risk and uncertainty can be divided into four different stages of knowledge of the risk and uncertainty, which is defined as the cognitive standpoint. They are stated as follows:
 
* Known knowns is the condition of the risk where the risk source has been identified and a probability can be assigned to certain risk event. This is the standpoints which has most concentration because many advocates the use of subjective probabilities.
 
* Known knowns is the condition of the risk where the risk source has been identified and a probability can be assigned to certain risk event. This is the standpoints which has most concentration because many advocates the use of subjective probabilities.
 
* Known unknowns is where the uncertainty plays its role where a risk source has been identified but cannot be assigned to the risk event.
 
* Known unknowns is where the uncertainty plays its role where a risk source has been identified but cannot be assigned to the risk event.
 
* Unknown knowns is a condition where the uncertainty appears because somebody knows about the risk source and its chances to appear. Therefore, the information is kept private instead of sharing the information.
 
* Unknown knowns is a condition where the uncertainty appears because somebody knows about the risk source and its chances to appear. Therefore, the information is kept private instead of sharing the information.
 
* Unknown unknowns is the uncertainty where the risk source has not been identified and therefore the risk event cannot because of that be known. That phenomenon has been called the ‘black’ swan.
 
* Unknown unknowns is the uncertainty where the risk source has not been identified and therefore the risk event cannot because of that be known. That phenomenon has been called the ‘black’ swan.
The four different standpoints is illustrated in Figure 5.
+
The four different standpoints are illustrated in Figure 4.
  
When looking at the figure, the y-axis illustrates occurrence of any future events is either certain, impossible or in between the two. It happens rarely that a proper data set is available and is not possible to make any changes in the data set so that the objectivist only have a point between certainty and impossibility.
+
When looking at the figure, the y-axis illustrates occurrence of any future events is either certain, impossible or in between the two. It happens rarely that a proper data set is available and is not possible to make any changes in the data set so that the objectivist only have a point between certainty and impossibility. <ref name="Construction"> Winch Graham M. (2010) ''Managing Construction Projects” An Information Processing Approach'', Second edition, PP. 3-8 and PP. 346-366</ref>
  
 
<div style="clear:both">&nbsp;</div>
 
<div style="clear:both">&nbsp;</div>
  
 
== Practice of managing risk and uncertainty ==
 
== Practice of managing risk and uncertainty ==
[[File:Mangement_process.jpg|300px | thumb|right |'''Figure 6:''' A stakeholder matrix, mapping stakeholders by their power and interest, towards a project.]]
+
[[File:Mangement_process.jpg|300px | thumb|right |'''Figure 5:''' A stakeholder matrix, mapping stakeholders by their power and interest, towards a project. <ref name="Construction"> Winch Graham M. (2010) ''Managing Construction Projects” An Information Processing Approach'', Second edition, PP. 3-8 and PP. 346-366</ref>]]
When you have the knowledge and insight of what you are dealing with regarding the potential uncertainties and risks in a project there is several protocols of how to manage them in a proper way. When looking at known unknowns, it can without problem be managed proactively and also be able to mitigate the impact of unknown unknowns. One of the basic models in the risk management process is showed in Figure 6, which has four main elements.
+
When you have the knowledge and insight of what you are dealing with regarding the potential uncertainties and risks in a project there is several protocols of how to manage them in a proper way. When looking at known unknowns, it can without problem be managed proactively and also be able to mitigate the impact of unknown unknowns. One of the basic models describing the risk management process is illustrated in Figure 5, which has four main elements.
 +
This is not a tool in its self, but a process of the procedure when handling with risks.
  
 
* Identify and classify the what risks sources that has to be managed
 
* Identify and classify the what risks sources that has to be managed
Line 51: Line 51:
 
* Respond to the risks sources and decide what to do about them if they occurs.
 
* Respond to the risks sources and decide what to do about them if they occurs.
 
* Control the risks throughout the whole project, so that they have minimum impact on the project.
 
* Control the risks throughout the whole project, so that they have minimum impact on the project.
The model is like a loop learning model, where it is a process through time.  
+
The process is like a loop learning model, where it is a process through time. <ref name="Construction"></ref>
  
;Identify and classify the risk sources
+
<div style="clear:both">&nbsp;</div>
  
This is one of the crucial elements in the model to actual succeed in being able to discover the risk sources. However, it is one of the less formalized elements in risk management, which in itself can have consequences. Normally this area is done by experienced employees within the actual field, which can be a problem when you thinking in e.g. knowledge sharing. It can also be done by workshops etc. and when the information gathering is done, a risk register is made with all the knowns, which is a document or a log where all the available information is accessible.  
+
== Application ==
[[File:Matrix.jpg|300px | thumb|right |'''Figure 7:''' A stakeholder matrix, mapping stakeholders by their power and interest, towards a project.]]
+
[[File:Matrix.jpg|300px | thumb|right |'''Figure 6:''' A stakeholder matrix, mapping stakeholders by their power and interest, towards a project. <ref name="Construction"> Winch Graham M. (2010) ''Managing Construction Projects” An Information Processing Approach'', Second edition, PP. 3-8 and PP. 346-366</ref>]]
;Assess the risk sources
+
This section will guide the reader through the different stages there is when using the impact/probability matrix tool. The tool is being used every day whether either consciously or unconsciously.
When the risk sources has been identified, there is a large number of tools for assessing them. A tool to get an easy overview of the known risk source is the probability/impact matrix. The matrix is illustrated in Figure 7, and the model is divided up in four different areas.
+
The purpose of impact/probability matrix is used to rank the risk sources, risk events and the treatments based on the level of the risk. <ref name="Assessment">  (2009) “ISO 31010” – Risk Assessment Techniques, Edition 1.0 </ref> It is a common tool when screening a project for many risks which makes it is easier for the management team to plan how and when to handle the risk sources and risk events. The tool is illustrated in Figure 6. 
 +
The tool is also a great when it comes to communication. It helps the organization with the decision about the risk appetite on the specific project.
 +
The impact/probability matrix is used for a bigger purpose. It is used for a criticality analysis in Failure mode, effects, and criticality analysis ([https://en.wikipedia.org/wiki/Failure_mode,_effects,_and_criticality_analysis FMECA]) or to set priorities in Hazard and operability study ([https://en.wikipedia.org/wiki/Hazard_and_operability_study HAZOP]). The tool is also an effective way to handle risks when the available data is not good enough or when there the resources available cannot fulfil qualitative analysis.<ref name="Assessment"> </ref>. Many of the risks have different outcomes and have different level of consequence. It is therefore important to some projects to distinguish between unlikely catastrophic risk events and the common problems, which has a more serious impact and therefore a threat. <ref name="Assessment"> </ref>
 +
=== Identify and classify the risk sources ===
 +
The risk identification involves the identification of risk sources, event and their causes and potential consequences. <ref name="Guide"> </ref> The identification stage is one of the crucial elements in the model to actual succeed in being able to discover the risk sources. However, it is one of the less formalized elements in risk management, which in itself can have consequences. Normally this area is done by experienced employees within the actual field, which can be a problem when you thinking in e.g. knowledge sharing. It can also be done by workshops etc. and when the information gathering is done, a risk register is made with all the knowns, which is a document or a log where all the available information is accessible. It is important that risks sources be identified even though the risks are evident. <ref name="Principles">  (2009) “ISO 31000” – Risk management Vocabulary, Edition 1.0 </ref> The identification must include identification of the knock-on effects of a possible consequence, with that including the cascade and cumulative effects. <ref name="Assessment"> </ref>
  
The different risk sources are identified and is classified in terms of their probability of occurrence and the magnitude of their impact on the project. The model can be used for assessing known unknowns whether it has high impact or probability when it occurs. Hence, it will be possible for the managers to prioritize the risk sources and schedule the risk sources.
+
=== Assess the risk sources ===
 +
When the risk sources has been identified, the next task is to assess and analyse the identified risks. The tool can be shown in ([https://en.wikipedia.org/wiki/Risk_Matrix  different forms]) but it illustrates the impact of the risk and the likelihood <ref name="Principles"> </ref> for occurrence of the risk. <ref name="Assessment">  (2009) “ISO 31010” – Risk Assessment Techniques, Edition 1.0 </ref> The tool has in this case four different groups, where risk is being evaluated. <ref name="Assessment"></ref>
  
;Respond to the risk sources
+
The different risk sources are identified and are classified in terms of their probability of occurrence and the magnitude of their impact on the project. The model can be used for assessing known unknowns whether it has high impact or probability when it occurs. Hence, it will be possible for the managers to prioritize the risk sources and schedule the risk sources. The decision of the risk level and its sensitivity to predictions and assumptions should be included in the analysis and be communicated to the decision makers and stakeholders. <ref name="Principles"> </ref> The level of risk can variate from project to project and is dependent on the purpose of the analysis, the information, data and resources available. An analysis is either qualitative, semi-quantitative or quantitative or a combinations of these. <ref name="Principles"> </ref>
When the risk sources has been identified the next task is what to do with each of them. In addition, the options to do that when using the tool in Figure 7 are as follows:
+
 
 +
=== Respond to the risk sources ===
 +
When the risk sources has been identified and analysed the next task is what to do with each of them. To be able to place the risk sources in the right area in the impact/probability matrix that is illustrated in Figure 6, a further explanation of areas are described as follows:  
 
* Accepting the risk as it is, and plan to respond to the risk. Since it is bad luck, there is not much to do.
 
* Accepting the risk as it is, and plan to respond to the risk. Since it is bad luck, there is not much to do.
* Externalise the risk down the supply chain by subcontracting. This is only done when the subcontractor is in a better position than the principal. When externalising the risk, the subcontractor has to have better managerial capability otherwise it can have fatal consequences and in extreme cases is when the subcontractor is bankrupted because of a risk event. The general rule is to communicate with the actors who is closest to the risk source and motivate them to manage them effectively so that they have as small as possible impact.  
+
* Externalise the risk down the supply chain by subcontracting. This is only done when the subcontractor is in a better position than the principal is. When externalising the risk, the subcontractor has to have better managerial capability otherwise it can have fatal consequences and in extreme cases is when the subcontractor is bankrupted because of a risk event. The general rule is to communicate with the actors who is closest to the risk source and motivate them to manage them effectively so that they have as small as possible impact.  
* Mitigating the risk by changing the project mission or scope to minimise the probability for the risk to happen. When mitigating the risk a systematic reduction of the risk and also called a risk reduction. This kind of risk can also be associated with e.g. the choice of technology etc. and as mentioned earlier if using the technique like FMEA, then would make the solution more robust.
+
* Mitigating the risk by changing the project mission or scope to minimise the probability for the risk to happen. When mitigating the risk a systematic reduction of the risk and also called a risk reduction. This kind of risk can also be associated with e.g. the choice of technology etc. and as mentioned earlier if using the technique like Failure mode and effects analysis ([https://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis FMEA]), then would make the solution more robust.
 
* Rare catastrophes cannot be controlled of the actors, such as fire on construction projects and therefore insurance is a normal way to solve that. By mitigating the risk, it will almost be possible to avoid the risk event. A classic way is an indemnity insurance and if that is not an option, then mitigation is preferable. The last option will only be suitable if the magnitude of the risk event would not bring the company down.   
 
* Rare catastrophes cannot be controlled of the actors, such as fire on construction projects and therefore insurance is a normal way to solve that. By mitigating the risk, it will almost be possible to avoid the risk event. A classic way is an indemnity insurance and if that is not an option, then mitigation is preferable. The last option will only be suitable if the magnitude of the risk event would not bring the company down.   
* Delay the decision until the needed information is available. This will make as mentioned earlier more secure and will make the risks more known. This is crucial for high-impact risks.  
+
* Delay the decision until the needed information is available. This will make as mentioned earlier more secure and will make the risks more known. This is crucial for high-impact risks.
  
;Plan to respond to the risk event
+
The treatment of the risk sources variate from risk to risk. Sometimes it will involve selecting one or more options to modify the risks.
If the risk has been accepted in the assessment or a residual of the management responses to the risk source, the plans will also be laid out to be ready to respond to the risk events. On way to do it is to put in a slack in the time schedule in case if the event will delay the project and have higher expenses than first assumed.  
+
When choosing the treatment, it involves the balancing of the costs and efforts for implementation and what the benefits are. But the decisions are not only bounded by economic grounds e.g. the high negative consequences, but low likelihood risks. When treating the risks, secondary risks could occur, and those should be treated together with the original risk since the link between the two risks should be identified and maintained. <ref name="Principles"> </ref>
Control and monitor the risk source
+
The final phase is to monitor the risk source throughout the whole project life cycle, so the information becomes available and when the probability and impact can be reassessed once the point where risk event could have been occurred has passed it can be removed from the risk document. To monitor risk sources a risk owner has to be selected to do the supervision. The rest of the management team has to have full engagement since this is the phase where the unknown unknowns will grow. The job is not a desk job, and this will include following:
+
* The management team has to be visible on sight noticing what is going on the be able to identify both threats to schedule and budget, but also see opportunities to do things better if possible.
+
* Do routine informal meetings to freely exchange views without take any minutes or recordings. This can help reveal potential problems that would be there to discover and can have a potential progress for the project.
+
* Spotting behavior that might be improper and interpreting the correctly.
+
  
<div style="clear:both">&nbsp;</div>
+
=== Monitoring and Controlling ===
  
== Process to manage risk in project portfolio ==
+
The final phase is to monitor the risk source throughout the whole project life cycle, so the information becomes available and when the probability and impact can be reassessed once the point where risk event could have been occurred has passed it can be removed from the risk document. To monitor risk sources a risk owner has to be selected to do the supervision. It involves regular checking or surveillance and can be periodic and ad hoc. <ref name="Assessment"> </ref> The rest of the management team has to have full engagement since this is the phase where the unknown unknowns will grow. The job encompasses all the aspects of the risk management process and the following points is highly relevant:
[[File:Risk_mangement_process_of_a_project_portfolio.jpg|500px | thumb|right |'''Figure 8:''' The process in risk management portfolio]]
+
Another but similar way to look at risks in project portfolio is like in Figure 8
+
  
 +
* The management team has to be visible on sight noticing what is going on to be able to identify both threats to schedule and budget, but also see opportunities to do things better if possible.
 +
* Do routine informal meetings to freely exchange views without take any minutes or recordings. This can e.g. help reveal potential problems that would be there to discover and can have a potential progress for the project.
 +
* Spotting behaviour that might be improper and interpreting the correctly.
 +
* Ensuring that controls are effective and efficient in the design and operation.
 +
* Gathering information to improve the risk assessment.
 +
* Analysing and learning from events, including the near-misses, changes, trends, success and failures.
 +
* Observation of the external and internal changes and the changes in the current risk criteria and the risk it self.
 +
* Identifying upcoming risks.
  
The construction is like in the Figure 6 but have two really important aspects which is not included in the previous model. The first thing which separates this model is to understand the portfolios strategic and business objectives and each project’s or program’s objectives. Secondly, the last stage is summarize of the process of the risk management, and record risks and response of them in risk database. This is a very important aspect since this is part of learning, knowledge sharing and therefore people who work with this every day can over time develop a more systematic way of reaching out to these projects.
+
All the observations during the project should be recorded so that it can be evaluated what went good and bad. This could help the organization in the future projects and also improve the management culture. <ref name="Principles"> </ref>
  
<div style="clear:both">&nbsp;</div>
+
== Strengths and Limitations ==
 +
 
 +
=== Strengths ===
 +
The tool is an easy tool to use and does not need to educate the users to use it in practice. It gives a good overview of the risks and therefore makes it easier to scrutinise the project to a desired level.
 +
Moreover, it is a good tool to communicate with when it comes to decision making about what to do regarding the different risk sources that might occur. <ref name="Assessment"></ref>
 +
 
 +
=== Limitations ===
 +
A matrix can be design for different purposes, which is why the same tool exists in different forms depending on which kind of project it is.
 +
It is hard to make a common matrix that fits every project, and can therefore have limitations if uses the tool wrong. The scales can be understood differently and therefore the ratings/decisions can vary depending on who is rating the consequences and impact on the project. Another limitation on the tool is that if a low impact risk is being repeated, then the level of impact can be a medium impact but the tool does not consider those elements on a project.
 +
The results differs depending on how detailed the analysis is. The more detailed the scenarios are, the lower is the risk event to actually occur. It is for this important for the raters to define the risk and which factors that applies. <ref name="Assessment"></ref>
 +
 
 +
== Annotated bibliography ==
 +
 
 +
''Yu Shiwang, Guo Na (2013) Lecture Notes in Electrical Engineering, Vol.218 PP.815-822'' - This book has a very interesting section, which explains the differences between the uncertainty and risks.
 +
 
 +
''Winch Graham M. (2010) Managing Construction Projects” An Information Processing Approach, Second edition, PP. 3-8 and PP. 346-366'' - This book explain how risks can be handled on advanced projects and have to manage them.
 +
 
 +
''(2009) “ISO Guide 73” – Risk management Vocabulary'' - This standard has clear definitions of the different aspects in risk management, which is great when understanding the different articles and books.
 +
 
 +
''(2009) “ISO 31010” – Risk Assessment Techniques, Edition 1.0'' - This standard explains how to approach a given project. In this case the usage of the tool Impact and Probability matrix.
 +
 
 +
''(2009) “ISO 31000” – Risk management Vocabulary, Edition 1.0'' - This standard supported the ISO 31010 very good for further explanation.
 +
 
 +
== References ==
 +
 
 +
<references />

Latest revision as of 16:25, 18 December 2018

Developed by Daniel Agervig Krogh


One of the most challenging aspects in projects is to manage the risk and the uncertainty. Yet with the knowledge we possesses, it is a topic, which for many is difficult to handle. Many stakeholders are involved in the projects and therefore might have different opinions of what is the best solution approach is. The majority of people tends to think in deterministic terms of an optimal solution instead of probabilistic terms of a robust solution. This article will highlight the main differences of the risks and the uncertainties, which relates to (Project management. The risk management processes will be clarified in its four stages, where the identification of the problem, assessment of the risks, how to respond to the risks and lastly how to control the risks. To assess the risks, a risk-management process tool will be utilized and further explained and management a tool, impact/probability matrix, will be applied to be a part of the process.

Contents

[edit] Definition

Figure 1: The relationship between risk, uncertainty and the opportunities [1]

Risk and uncertainty has many different definitions and can be hard to settle down to only one way to define it. Risk management had their origins in the insurance industry in USA in the 1940s. Project management can be explained as a discipline where projecting or planning, organizing, motivating and controlling resources to achieve specific goals and meet the specific criteria’s. When talking about risk, people often link it together with uncertainty, while others refer to it as opportunity. Risk can also be defined as a combination of the probability of an event and its consequences. There is a relationship between risk, uncertainty and opportunities. This is illustrated in Figure 1. [1]

The definition of uncertainty is:

“An unexpected event, if it occurs, may have either no effect or a good or bad effect on at least one of the project’s objectives and success.“[1]

And risk is defined as:

“An uncertain event or situation, if it occurs, may have threat(s) or bad effect(s) to at least one of the project’s objectives and success”[1]

Figure 2: Uncertainty over time [2]

Risks and uncertainties has a big role in projects. The uncertainty is by definition the lack of the information that is available to take a decision at a given time. In Figure 2 it is illustrated the difference between the information required and the actual information available. Uncertainty have two sources and the first source is the complexity, which is where the information is available, but is too costly to collect and analyse. Second is the predictability, which is where you are able to predict uncertainties, based on previous experiences.

Figure 3: Risk sources and risk events and how to approach them [2]

In the beginning of the a project the uncertainty is very high and depending on the size of the project and to decrease the mission uncertainty it can some extend be used e.g. standardised components and solutions etc. As a project moves forward more information will become available and therefore the dynamic uncertainty will be decreased since some parts of the project will be finished and therefore has less impact on the actual uncertainties. To understand the relation between risk and uncertainty, Figure 3 illustrates the risk sources which is an element that is alone or in combination with others to rise to risk. [3] The management team can respond to the risk source and can plan to respond when or if the risk event occurs. The risk event is an occurrence or change of the circumstances. An event can be one or more occurrences and have several causes and can be referred as an incident or accident, but can also be without consequences. That can be a near miss, incident, a near hit or close call. The model explains in short terms how you can deal with the risk sources and events.

Figure 4: Four stages of knowledge [2]

The relationship between risk source is thus the dimensions of the risk source, the impact of the risk and to which extent the management team can respond to the risk source and events. The understanding of risk in relation the probability is divided up into four terms:

  • The objectivist believes that a sample of previous observations can be used for predicting the future risk sources. The predictions rely therefore on statistics inferred from experience.
  • The logical could be an engineer who is solving problems with an engineered system. Engineers’ understanding of the design and the scientific properties they might be able to identify risk sources and therefore possible risk events. It rely closely up against the basis of (Failure mode and effects analysis).
  • The subjectivist rely mostly on subjective decisions. That means that despite from the information available, the observer might consider other factors than just historical facts. Therefore might there not be a clear result from two different subjectivists in the same situation unless it is an obvious decision.
  • The behavioural has focus on the actual behaviour with the decision-making under uncertainty. Therefore it is relied on how decisions are made in practice.

When managing risks and uncertainties, the four different terms is important when looking at decision-making. There is a difference between the definition of uncertainty and risk where there is probability of a risk event could occur. The reason is the subjective term where the decision-maker has an impact on the outcome where the decision is not relied on historical event and statistics. When trying to understand the underlying definition of risk and uncertainty can be divided into four different stages of knowledge of the risk and uncertainty, which is defined as the cognitive standpoint. They are stated as follows:

  • Known knowns is the condition of the risk where the risk source has been identified and a probability can be assigned to certain risk event. This is the standpoints which has most concentration because many advocates the use of subjective probabilities.
  • Known unknowns is where the uncertainty plays its role where a risk source has been identified but cannot be assigned to the risk event.
  • Unknown knowns is a condition where the uncertainty appears because somebody knows about the risk source and its chances to appear. Therefore, the information is kept private instead of sharing the information.
  • Unknown unknowns is the uncertainty where the risk source has not been identified and therefore the risk event cannot because of that be known. That phenomenon has been called the ‘black’ swan.

The four different standpoints are illustrated in Figure 4.

When looking at the figure, the y-axis illustrates occurrence of any future events is either certain, impossible or in between the two. It happens rarely that a proper data set is available and is not possible to make any changes in the data set so that the objectivist only have a point between certainty and impossibility. [2]

 

[edit] Practice of managing risk and uncertainty

Figure 5: A stakeholder matrix, mapping stakeholders by their power and interest, towards a project. [2]

When you have the knowledge and insight of what you are dealing with regarding the potential uncertainties and risks in a project there is several protocols of how to manage them in a proper way. When looking at known unknowns, it can without problem be managed proactively and also be able to mitigate the impact of unknown unknowns. One of the basic models describing the risk management process is illustrated in Figure 5, which has four main elements. This is not a tool in its self, but a process of the procedure when handling with risks.

  • Identify and classify the what risks sources that has to be managed
  • Assess the risks so that you have a fully understanding of the risks and how they can affect each other.
  • Respond to the risks sources and decide what to do about them if they occurs.
  • Control the risks throughout the whole project, so that they have minimum impact on the project.

The process is like a loop learning model, where it is a process through time. [2]

 

[edit] Application

Figure 6: A stakeholder matrix, mapping stakeholders by their power and interest, towards a project. [2]

This section will guide the reader through the different stages there is when using the impact/probability matrix tool. The tool is being used every day whether either consciously or unconsciously. The purpose of impact/probability matrix is used to rank the risk sources, risk events and the treatments based on the level of the risk. [4] It is a common tool when screening a project for many risks which makes it is easier for the management team to plan how and when to handle the risk sources and risk events. The tool is illustrated in Figure 6. The tool is also a great when it comes to communication. It helps the organization with the decision about the risk appetite on the specific project. The impact/probability matrix is used for a bigger purpose. It is used for a criticality analysis in Failure mode, effects, and criticality analysis (FMECA) or to set priorities in Hazard and operability study (HAZOP). The tool is also an effective way to handle risks when the available data is not good enough or when there the resources available cannot fulfil qualitative analysis.[4]. Many of the risks have different outcomes and have different level of consequence. It is therefore important to some projects to distinguish between unlikely catastrophic risk events and the common problems, which has a more serious impact and therefore a threat. [4]

[edit] Identify and classify the risk sources

The risk identification involves the identification of risk sources, event and their causes and potential consequences. [3] The identification stage is one of the crucial elements in the model to actual succeed in being able to discover the risk sources. However, it is one of the less formalized elements in risk management, which in itself can have consequences. Normally this area is done by experienced employees within the actual field, which can be a problem when you thinking in e.g. knowledge sharing. It can also be done by workshops etc. and when the information gathering is done, a risk register is made with all the knowns, which is a document or a log where all the available information is accessible. It is important that risks sources be identified even though the risks are evident. [5] The identification must include identification of the knock-on effects of a possible consequence, with that including the cascade and cumulative effects. [4]

[edit] Assess the risk sources

When the risk sources has been identified, the next task is to assess and analyse the identified risks. The tool can be shown in (different forms) but it illustrates the impact of the risk and the likelihood [5] for occurrence of the risk. [4] The tool has in this case four different groups, where risk is being evaluated. [4]

The different risk sources are identified and are classified in terms of their probability of occurrence and the magnitude of their impact on the project. The model can be used for assessing known unknowns whether it has high impact or probability when it occurs. Hence, it will be possible for the managers to prioritize the risk sources and schedule the risk sources. The decision of the risk level and its sensitivity to predictions and assumptions should be included in the analysis and be communicated to the decision makers and stakeholders. [5] The level of risk can variate from project to project and is dependent on the purpose of the analysis, the information, data and resources available. An analysis is either qualitative, semi-quantitative or quantitative or a combinations of these. [5]

[edit] Respond to the risk sources

When the risk sources has been identified and analysed the next task is what to do with each of them. To be able to place the risk sources in the right area in the impact/probability matrix that is illustrated in Figure 6, a further explanation of areas are described as follows:

  • Accepting the risk as it is, and plan to respond to the risk. Since it is bad luck, there is not much to do.
  • Externalise the risk down the supply chain by subcontracting. This is only done when the subcontractor is in a better position than the principal is. When externalising the risk, the subcontractor has to have better managerial capability otherwise it can have fatal consequences and in extreme cases is when the subcontractor is bankrupted because of a risk event. The general rule is to communicate with the actors who is closest to the risk source and motivate them to manage them effectively so that they have as small as possible impact.
  • Mitigating the risk by changing the project mission or scope to minimise the probability for the risk to happen. When mitigating the risk a systematic reduction of the risk and also called a risk reduction. This kind of risk can also be associated with e.g. the choice of technology etc. and as mentioned earlier if using the technique like Failure mode and effects analysis (FMEA), then would make the solution more robust.
  • Rare catastrophes cannot be controlled of the actors, such as fire on construction projects and therefore insurance is a normal way to solve that. By mitigating the risk, it will almost be possible to avoid the risk event. A classic way is an indemnity insurance and if that is not an option, then mitigation is preferable. The last option will only be suitable if the magnitude of the risk event would not bring the company down.
  • Delay the decision until the needed information is available. This will make as mentioned earlier more secure and will make the risks more known. This is crucial for high-impact risks.

The treatment of the risk sources variate from risk to risk. Sometimes it will involve selecting one or more options to modify the risks. When choosing the treatment, it involves the balancing of the costs and efforts for implementation and what the benefits are. But the decisions are not only bounded by economic grounds e.g. the high negative consequences, but low likelihood risks. When treating the risks, secondary risks could occur, and those should be treated together with the original risk since the link between the two risks should be identified and maintained. [5]

[edit] Monitoring and Controlling

The final phase is to monitor the risk source throughout the whole project life cycle, so the information becomes available and when the probability and impact can be reassessed once the point where risk event could have been occurred has passed it can be removed from the risk document. To monitor risk sources a risk owner has to be selected to do the supervision. It involves regular checking or surveillance and can be periodic and ad hoc. [4] The rest of the management team has to have full engagement since this is the phase where the unknown unknowns will grow. The job encompasses all the aspects of the risk management process and the following points is highly relevant:

  • The management team has to be visible on sight noticing what is going on to be able to identify both threats to schedule and budget, but also see opportunities to do things better if possible.
  • Do routine informal meetings to freely exchange views without take any minutes or recordings. This can e.g. help reveal potential problems that would be there to discover and can have a potential progress for the project.
  • Spotting behaviour that might be improper and interpreting the correctly.
  • Ensuring that controls are effective and efficient in the design and operation.
  • Gathering information to improve the risk assessment.
  • Analysing and learning from events, including the near-misses, changes, trends, success and failures.
  • Observation of the external and internal changes and the changes in the current risk criteria and the risk it self.
  • Identifying upcoming risks.

All the observations during the project should be recorded so that it can be evaluated what went good and bad. This could help the organization in the future projects and also improve the management culture. [5]

[edit] Strengths and Limitations

[edit] Strengths

The tool is an easy tool to use and does not need to educate the users to use it in practice. It gives a good overview of the risks and therefore makes it easier to scrutinise the project to a desired level. Moreover, it is a good tool to communicate with when it comes to decision making about what to do regarding the different risk sources that might occur. [4]

[edit] Limitations

A matrix can be design for different purposes, which is why the same tool exists in different forms depending on which kind of project it is. It is hard to make a common matrix that fits every project, and can therefore have limitations if uses the tool wrong. The scales can be understood differently and therefore the ratings/decisions can vary depending on who is rating the consequences and impact on the project. Another limitation on the tool is that if a low impact risk is being repeated, then the level of impact can be a medium impact but the tool does not consider those elements on a project. The results differs depending on how detailed the analysis is. The more detailed the scenarios are, the lower is the risk event to actually occur. It is for this important for the raters to define the risk and which factors that applies. [4]

[edit] Annotated bibliography

Yu Shiwang, Guo Na (2013) Lecture Notes in Electrical Engineering, Vol.218 PP.815-822 - This book has a very interesting section, which explains the differences between the uncertainty and risks.

Winch Graham M. (2010) Managing Construction Projects” An Information Processing Approach, Second edition, PP. 3-8 and PP. 346-366 - This book explain how risks can be handled on advanced projects and have to manage them.

(2009) “ISO Guide 73” – Risk management Vocabulary - This standard has clear definitions of the different aspects in risk management, which is great when understanding the different articles and books.

(2009) “ISO 31010” – Risk Assessment Techniques, Edition 1.0 - This standard explains how to approach a given project. In this case the usage of the tool Impact and Probability matrix.

(2009) “ISO 31000” – Risk management Vocabulary, Edition 1.0 - This standard supported the ISO 31010 very good for further explanation.

[edit] References

  1. 1.0 1.1 1.2 1.3 Yu Shiwang, Guo Na (2013) Lecture Notes in Electrical Engineering, Vol.218 PP.815-822
  2. 2.0 2.1 2.2 2.3 2.4 2.5 2.6 Winch Graham M. (2010) Managing Construction Projects” An Information Processing Approach, Second edition, PP. 3-8 and PP. 346-366
  3. 3.0 3.1 (2009) “ISO Guide 73” – Risk management Vocabulary
  4. 4.0 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 (2009) “ISO 31010” – Risk Assessment Techniques, Edition 1.0
  5. 5.0 5.1 5.2 5.3 5.4 5.5 (2009) “ISO 31000” – Risk management Vocabulary, Edition 1.0
Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox