Skip to content

Chapter 14 - Risk Analysis

Part 2

Typical project risks

Projects are associated with far higher levels of risk than routine activities, since projects are undertakings being carried out for the first time. For example, if you are planning to enter new markets and acquire new customers you inevitably have to undertake innovative and risky activities.

Project risks can be as followed:

  • Events with an uncertain outcome.
  • Situations that can have potentially negative (detrimental) effects on the
    • success of the project as a whole,
    • individual project objectives,
    • results or
    • events.
  • Defined in terms of the probability of the occurrence of the event and the impact if it does occur (occurrence of the event refers to a situation where the risk actually comes to pass).

Types of risks

Many attempts to classify risks can be found in project management literature. One is to distinguish between commercial, technical, time-related, resource-related and political risks.

Commercial risks

A customer who has ordered a large-scale piece of equipment runs into cashflow problems during the course of the project. As a result, he is no longer able to fulfil his contractually agreed payment obligations.

Technical risks

Flooding suddenly occurs during the construction of a road tunnel, despite a positive geological report.

Time-related risks

A supplier does not deliver in time an important tool for a new injection-moulded part that is needed in a product development project.

Resource-related risks

The manager of a product development project has counted on specific employees for his project team. However, these employees are not available now, because a customer has found a defect in another product that has already been delivered. This defect has to be remedied as quickly as possible.

Political risks

In a large-scale plant construction project, an executive selects a supplier with a reputation for sub-standard product quality, despite concerns expressed by the project manager. The reason is that the executives of both companies are old school friends.

Dependencies between various risk types

Dependencies exist between the various risk types. Here are some examples:

  • If a competitor headhunts a highly-qualified member of the project team during an R&D project (= resource-related risk), this can have a considerable impact on meeting deadlines (= time-related risk) and achieving agreed quality levels (= technical risk).
  • Flooding during the construction of a tunnel (= technical risk) leads to cost overruns (= commercial risk).
  • If an organisation fails to meet a contractually-agreed deadline (= time-related risk), it will have to pay a contractual penalty (= commercial risk).
  • In order to make up delays in meeting deadlines (= time-related risk), additional assembly workers are necessary in a plant construction project. However, they are not available at short notice due to the amount of time required to train them (= resource risk).

Risk analysis and risk management

Project risk analysis and management recognizes a formal approach to the process as opposed to an intuitive approach.

A risk analysis delivers facts relating to potential damage caused by individually identified risks and translates them into costs, i.e. risks are assessed. However, it neither directly addresses nor does it take into account the effects, which are very difficult to quantify, of personal or group attitudes towards the project.

Risk management occurs in all phases of the project life cycle and is a process of safeguarding the project by documenting and evaluating all potential risks and implementing measures to avert, insure, minimise or transfer these risks.

Risk management is based on risk analysis and assessment.

Risk identification

In project management practice, people often imagine that it is sufficient to identify risks at the outset of the project. Many project managers do not take into account that the project is exposed to different risks during different phases and that their significance or weighting can change during the project. Risk management should therefore be practised in all phases of a project.


Checklists are an important tool for risk identification during the start-up phase. Every organisation should systematically analyse projects that have already been completed and prepare checklists on the basis of their findings.

Risk checklists should not be filled in by you, the project manager, nor by the nominated risk manager alone. It's important that the entire project team supports this task. The best way of guaranteeing that a wide range of risks is identified, is that you involve representatives of all departments concerned (including the commercial departments). One important aspect of team-oriented risk management is the pooling of the knowledge of all project team members - as a type of knowledge management.

Risk workshop

Many organisations fail to introduce project checklists even if they have regularly implemented similar projects. Instead of dispensing entirely with risk analysis - a situation that often happens - it is a good idea for these companies to hold a risk workshop both in the start-up phase and the later phases of the project. You can combine a risk workshop with the start-up workshop. The project team should also take advantage of experience gained in similar projects at other organisations.

A risk workshop is also a good idea if an organisation is planning an entirely new project.

When implementing a risk workshop following instructions should be followed
  1. The project manager presents his project and distributes documents such as the work breakdown structure, milestone plan, customer specification or preliminary supplier specification.
  2. In a kind of brainstorming session, people from all the departments involved in the project write down on cards all the things that they believe could go wrong in the project.
  3. In a third stage, an assessment is made of the probability that the various risks could occur, the financial consequences and the measures to be implemented in the worst-case scenario of the risk actually occurring.

Analysis and assessment

Generally, the risk identification process produces an extensive list of risks, irrespective of the method you use to identify them (e.g. checklist, workshop, etc.). It is then necessary that you assess these risks so that priorities can be set and to create appropriate risk response planning structures.

Monetary assessment

Monetary assessments are frequently used as a method of risk quantification. The question is, what monetary loss will the organisation incur (impact or extent of the losses) if the risk event actually occurs? More specifically, what contractual penalty would have to be paid if the agreed project finish date were delayed by four weeks? What effect would a three-month delay in the market launch of a product have on the project's profit margin?

Assessment of probability

It is most commonly recommended to do both, a quantitative assessment and an assessment of the probability of the risk event occurring. A project risk is a combination of the probability of a specific event occurring and its impact on the project objectives.

In many cases, probability of occurrence - which is a subjective probability - is expressed in terms of a range extending from zero percent to 100 percent. Zero percent means that the assessor is absolutely certain that the risk event will not occur. 100 percent means that the risk event will definitely occur. It is therefore no longer a risk. Both figures, the loss (e.g. in CHF) and the probability (in %) can now be multiplied, to provide a risk value. The formula is:

  • risk value = probability of an event occurring (%) x impact if it does occur (CHF)

Risk response planning strategies

In the process of risk response planning, a distinction is made between

  • risk avoidance,
  • risk reduction,
  • risk mitigation,
  • risk transfer and
  • risk acceptance.

Risk avoidance

The priority aim of this strategy is to avoid risk exposure entirely. In extreme cases, this can mean that the organisation decides, after a detailed bid review process not to submit a bid to a potential customer. Another option would be to delete certain requirements from the customer specification that are associated with high risks.

Risk reduction

This strategy reduces the probability of identified project risks occurring by implementing preventive measures. For example, the risk of cost overruns can be considerably reduced by making regular residual cost estimates and calculating anticipated cost at completion.

Risk mitigation

Risk mitigation is intended to allow the project team to lower the impact of an event. They therefore take effect when a risk event has already occurred. One means of mitigating damage is to allow for redundant activities.

Risk transfer

An organisation implements risk transfer measures to transfer project risks to other organisations. For example, it can take out an insurance policy when project work commences. Obviously, risks can only be insured if they are associated with a low probability of occurrence but high potential losses. An appropriate contract structure can also enable a contractor to transfer the risk to the customer. The degree to which risk transfer will be successful depends, first and foremost, on the contractor's market position.

Risk acceptance

Some risks in a project will be accepted by the management team, which is why no risk response planning measures will be implemented to deal with them. These risks are generally associated with only small-scale losses and are unlikely to occur.

Risks shown in a graph according to their probability of occurance and impact. Risks can be accepted, transferred, reduced, mitigated or avoided.

How the story ends…

John listens carefully to the story of Dr. Rogers. But, as always, he still has a question to ask the project manager: "And if, despite good planning and assurances, an accident occurs, what needs to be done?" "That can't be answered in general terms, but of course it's important to manage the crisis somehow. It is important to try to avoid the crisis getting that far in the first place. Most crises occur because the project is not clearly defined and because the leaders have insufficient leadership skills or because the communication is not working well enough. Therefore, it is important to prevent these problems by appropriate communication - with the stakeholders and among each other and with a good working atmosphere."