Managing Project Risks

Moving on to managing threats and opportunities. Risks can either be threats or they can still be opportunities because the risk is an uncertain event, sometimes it's that opportunities arise, so I'll go into how we manage threats and opportunities differently, because of course they're opposite.

These are the four threat response strategies. We can avoid a threat, and when we avoid the threat we essentially reduce its likelihood of occurrence or impact to 0. There's a pre threat response strategy status so its potential to impact a technical schedule and our cost. That's what we reduce when we avoid, and the post start response strategy status is that after we avoid the risk, there's no residual threat, we essentially eliminated it. Transferring a threat, we would essentially transfer the whole or part of the threat to other work breakdown structures or to an external organisation. So we would essentially lift it off our shoulders and give it to someone else more appropriate to deal with it. So then there is reduced or no residual threat for our organisation. We can mitigate the threat where we reduce the likelihood of occurrence or impact, but we do not take it down to 0. There's still some potential to impact, but the residual thread after we mitigate it is lower than the original threat.

And if there's nothing we can do, or if the threat is not important enough and dealing with it can cost us more than the actual threat because that is the case sometimes, we decided to accept the consequences of the threat we accepted, so then in this way, it's still may impact in the same way the cost or the schedule or the technical aspects of the project, and the residual threat is exactly the same as the original threat.

So when we have an opportunity on the other hand, we can either exploit it which is the most preferable of course, share it, enhanced it or ignore it. So these are essentially the opposite strategies used in threats. When we exploit an opportunity, we increase its likelihood of occurring to 100%. This way we end up with a realised opportunity, so we have enhanced technical aspects of the project or schedule aspects of the project or cost. Its like an opportunity to save money or finish quicker or to have a better technical outcome.

We can share the opportunity because sometimes it's easier in for us to work with another work breakdown structure and external organisation in order to achieve the opportunity, so we don't take full credit of it essentially but we share it with others so we enhance the chance to realise the shared opportunity. We share the benefit to someone else, then we can enhance the opportunity which is essentially increasing the likelihood of occurrence or impact but not to 100% so then we have a greater opportunity than the original one.

If we cannot do anything to help realise this opportunity, we ignore it. So then the residual opportunity is the same as the original opportunity. And if it happens it's a good thing if it, if it doesn't happen it's all right, it wasn't in the plan.

Moving on to quantitative risk analysis. I'm going to touch upon quantitative risk analysis on cost and schedule, QCRA and QSRA.

Quantitative cost risk and analysis. The purpose is to help estimate the project's likely final cost and set appropriate monetary contingencies so we can this way review remaining contingencies post award of main works contract. The key sources of error are cost risk, which are chance events that may or may not occur and impact the cost and cost estimating uncertainty, which essentially is the accuracy of estimating quantities all right, which is influenced by the project definition and estimating methods. Essentially that means that when we have our QS's or when we estimate the cost, we are not 100% sometimes that this would actually cost this much. It could end up costing less, or unfortunately more. We need to take into account risk estimating uncertainty and their potential and the potential impacts of risk to build a risk model.

Quantitative cost risk analysis. We can model it using the Monte Carlo simulation, which essentially how it works is that you build this model and you simulate the project as many times as required. It's usually 1000 or 10,000 iterations depending on the project, depending on the client. You put in the software, at risk is usually used for quantitative cost risk analysis, except you want to build a combined model of schedule, which I'm happy to touch upon which software's I personal recommend. At risk is a simple excel add on which solely does cost. Basically in Monte Carlo simulation you can repeat multiple times the project, so each time randomly each risk event does or does not occur based on the probability we input and the cost of various activities or materials falls in a different place within distributions of the uncertainty. That's how we take risk and uncertainty into account.

The steps in terms of risk, we provide qualitative risk assessments then we describe impact scenarios, best case, worst case, most likely case to create distributions. Then we use best fit probability distributions. We quantify the risk and we build an analyser risk model. After we've also added on uncertainty, we can run sensitivity analysis to identify the key risk drivers, so the key risks that would drive the cost up. Cost estimating uncertainty, we need first to agree on an uncertainty classification scheme. The one I've used most of the time is AAC and apply the scheme to the cost plan items and build a combined uncertainty cost risk model.

That's how we get the holistic value of how our costs could be affected and the outputs are essentially a distribution, where we could get the P50 value or the P80 value. This means that the statistic of if you were to run the project 50% of the times, your cost would not exceed that much. That's your P50 value. If you want to be more conservative, you could use the P80 value. So 80% of the time your cost would not exceed that much, so that's how the what the P values represent. You can get these sort of statistics and which risks impact the most when you do your sensitivity analysis.

Quantitative schedule risk analysis. Again, we do it with Monte Carlo simulation. Its purpose is to help estimate project completion dates and schedule milestones and the sources of error would be schedule risk and duration estimating uncertainty. Similarly to cost, we've got chance events that may or may not occur that they put the schedule and duration estimating uncertainty we are not certain 100% about the accuracy of the task durations we have assigned in our plan. Again, using the Monte Carlo simulation, very similar technique with different software. Schedule is always most complex because you've got dependencies from each activity to another where for cost items you have dependencies and correlations which you can model but when you run schedule risk analysis, you've also got links in the game and milestones and stuff that moves that carry other stuff forward so it's a bit more complex to model and you need a different software.

There are software's that offer cost and schedule risk analysis together like Saffron, but you can model schedule risk analysis on Primavera risk analysis, which is essentially an Oracle software aligned with PCs quite well but is quite outdated because hasn't been updated since 2012, but it is very still very commonly used. Scheduled risks provide quantitative assessment of significant risks, then we describe impact scenarios again. Similar to cost, the steps are very similar to cost. We quantify the scenarios in terms of time, we use best fit probability distributions and we assign risks. That's what we don't do in costs. We do risk mapping in schedule because in cost it just affects the overall number. That is the challenge in schedule risk analysis risk mapping. So you need to assign risks in relevant tasks in the schedule.

Then you would build an analytic risk model after you also build in the duration uncertainty. You would agree again in a duration of certainty classification scheme and you would apply that to tasks. You'd prioritise critical path activities or those with minimal float. Then you would build a combined model. You'd run the model, as many iterations as required, and then again your outputs would be similar. You'd get a distribution with the P50 date or P80 date or other statistics. You can choose whichever is more relevant to your project. You can run again a sensitivity analysis and identify your key risk drivers on the end date of the schedule, so it's very similar again using the Monte Carlo simulation.

Strengths and limitations of Monte Carlo sampling. Strengths are Monte Carlo is flexible, is able to model complex systems and processes, it provides a range of outcomes with associated probabilities. It incorporates multiple sources of uncertainty and variability, and is useful for sensitivity analysis, so essentially decision making. Sensitivity analysis would show you a chart so you can see what to prioritise.

Limitations are it's very sensitive to data quality and assumptions. In projects that are not as mature, maybe you don't get the best value essentially out of it, so data maturity is quite important. Your output, your analysis is as good as your input really so quality of input plays a super important role. It can make it or break it essentially. It relies on complete and unbiased data. It comes to the same point that is super important, it's super sensitive to the quality of your input. Also current tools may not capture complex risk interactions, that of course depends on the tool you'd be using because risk interactions can get very, very complex. Correlations between them and interactions, you can model some, but sometimes might be challenging. So that's about Monte Carlo sampling and quantitative risk analysis.