Project risk management

Project Risk Management

Second Edition

Project Risk

Management

Processes, Techniques and Insights

Second edition

Chris Chapman and Stephen Ward

School of Management, University of Southampton, UK

Copyright # 2003 John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester,

West Sussex PO19 8SQ, England

Telephone (þ44) 1243 779777

Email (for orders and customer service enquiries): [email protected]

Visit our Home Page on www.wileyeurope.com or www.wiley.com

All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval

system or transmitted in any form or by any means, electronic, mechanical, photocopying,

recording, scanning or otherwise, except under the terms of the Copyright, Designs and

Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency

Ltd, 90 Tottenham Court Road, London W1T 4LP, UK, without the permission in writing of

the Publisher. Requests to the Publisher should be addressed to the Permissions Department,

John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ,

England, or emailed to [email protected], or faxed to (þ44) 1243 770620

This publication is designed to provide accurate and authoritative information in regard to

the subject matter covered. It is sold on the understanding that the Publisher is not engaged

in rendering professional services. If professional advice or other expert assistance is

required, the services of a competent professional should be sought.

Other Wiley Editorial Offices

John Wiley & Sons Inc., 111 River Street, Hoboken, NJ 07030, USA

Jossey-Bass, 989 Market Street, San Francisco, CA 94103-1741, USA

Wiley-VCH Verlag GmbH, Boschstr. 12, D-69469 Weinheim, Germany

John Wiley & Sons Australia Ltd, 33 Park Road, Milton, Queensland 4064, Australia

John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop #02-01, Jin Xing Distripark, Singapore 129809

John Wiley & Sons Canada Ltd, 22 Worcester Road, Etobicoke, Ontario, Canada M9W 1L1

Wiley also publishes its books in a variety of electronic formats. Some content that appears

in print may not be available in electronic books.

British Library Cataloguing in Publication Data

A catalogue record for this book is available from the British Library

ISBN 0-470-85355-7

Project management by Originator, Gt Yarmouth, Norfolk (typeset in 10/12pt Garamond)

Printed and bound in Great Britain by Antony Rowe Ltd, Chippenham, Wiltshire

This book is printed on acid-free paper responsibly manufactured from sustainable forestry

in which at least two trees are planted for each one used for paper production.

Contents

Foreword to the first edition vii

Foreword to the second edition ix

Preface xi

Acknowledgements xvii

Part I Setting the scene 1

1 Uncertainty, risk, and their management 3

2 The project life cycle 17

3 Motives for formal risk management processes 33

4 An overview of generic risk management processes 55

Part II Elaborating the generic process framework 77

5 Define the project 79

6 Focus the process 91

7 Identify the issues 105

8 Structure the issues 137

9 Clarify ownership 155

10 Estimate variability 169

11 Evaluate overall implications 203

12 Harness the plans 231

13 Manage implementation 247

Part III Closing the loop 253

14 Risk management initiated at different stages in the project life cycle 255

15 Effective and efficient risk management 277

16 Ownership issues: a contractor perspective 323

17 Organizing for risk management 343

References 361

Index 369

Foreword to the first edition

All projects involve risk—the zero risk project is not worth pursuing. This is not

purely intuitive but also a recognition that acceptance of some risk is likely to

yield a more desirable and appropriate level of benefit in return for the resources

committed to the venture. Risk involves both threat and opportunity. Organiza￾tions that better understand the nature of the risks and can manage them more

effectively cannot only avoid unforeseen disasters but can work with tighter

margins and less contingency, freeing resources for other endeavours, and

seizing opportunities for advantageous investment that might otherwise be re￾jected as ‘too risky’.

Risk is present in every aspect of our lives; thus risk management is universal

but in most circumstances an unstructured activity, based on common sense,

relevant knowledge, experience and instinct. Project management has evolved

over recent years into a fully-fledged professional discipline characterized by a

formalized body of knowledge and the definition of systematic processes for the

execution of a project. Yet project risk management has, until recently, generally

been considered as an ‘add-on’ instead of being integral to the effective practice

of project management.

This book provides a framework for integrating risk management into the

management of projects. It explains how to do this through the definition of

generic risk management processes and shows how these processes can be

mapped onto the stages of the project life cycle. As the disciplines of formal

project management are being applied ever more widely (e.g., to the manage￾ment of change within organizations) so the generic project risk management

processes set out here will readily find use in diverse areas of application.

The main emphasis is on processes rather than analytical techniques, which

are already well documented. The danger in formalized processes is that they

can become orthodox, bureaucratic, burdened with procedures, so that the

practitioner loses sight of the real aims. This book provides the reader with a

fundamental understanding of project risk management processes but avoids

being overprescriptive in the description of the execution of these processes.

Instead, there is positive encouragement to use these generic processes as a

starting point for elaboration and adaptation to suit the circumstances of a

particular application, to innovate and experiment, to simplify and streamline the

practical implementation of the generic processes to achieve cost-effective and

efficient risk management.

The notion of risk efficiency is central to the theme. All risk management

processes consume valuable resources and can themselves constitute a risk to

the project that must be effectively managed. The level of investment in risk

management within projects must be challenged and justified on the level of

expected benefit to the overall project. Chris Chapman and Steve Ward docu￾ment numerous examples drawn from real project experience to substantiate the

benefits of a formal process-oriented approach. Ultimately, project risk manage￾ment is about people making decisions to try to optimize the outcome, being

proactive in evaluating risk and the possible responses, using this information to

best effect, demonstrating the need for changes in project plans, taking the

necessary action and monitoring the effects. Balancing risk and expectation is

one of the most challenging aspects of project management. It can also be

exciting and offer great satisfaction, provided the project manager is able to

operate in a climate of understanding and openness about project risk. The

cultural change required in organizations to achieve this can be difficult and

lengthy, but there is no doubt that it will be easier to accomplish if risk manage￾ment processes are better understood and integrated into the practice of project

management.

This book is a welcome and timely addition to the literature on risk manage￾ment and will be of interest to all involved in project management as well as

offering new insights to the project risk analyst.

Peter Wakeling

Director of Procurement Policy (Project Management)

Ministry of Defence (Procurement Executive)

viii Foreword to the first edition

Foreword to the second edition

The analysis of risk and the development of risk management processes have

come a long way over the last 10 years, even since the late 1990s. Hence the

need for a second edition of Chapman and Ward’s Project Risk Management, first

published in 1997.

They not only continue to push back the boundaries, Chapman has also been

involved in the development of work aimed at practitioners—PRAM (Association

for Project Management) and RAMP (Institution of Civil Engineers and Faculty/

Institute of Actuaries). They importantly make comparisons between their work

and both PRAM and RAMP, as well as with the Project Management Institute’s

PMBOK 2000. They have developed and named the generic framework SHAMPU

(Shape, Harness, and Manage Project Uncertainty) process and compare it with

PRAM, RAMP, and PBOK 2000. I suggest that the authors of these three will want

to use SHAMPU as a challenge to their own further thinking.

Chapman and Ward say that their book is largely about how to achieve

effective and efficient risk management in the context of a single project.

Determining what can be simplified, and what it is appropriate to simplify, is

not a simple matter! In their final chapter they adopt a corporate perspective on

project risk management processes. Thus they mirror the work already under

way by the ICE/Actuaries team who have embarked on the development of

STRATrisk, designed to enable prime decision makers to deal more systematically

with the most important opportunities and threats to their business.

They quote Walsham who has suggested a management framework which

views organizational change as a jointly analytical, educational and political

process where important interacting dimensions are the context, content and

process of the change. They conclude by stating that ‘most project risk is gen￾erated by the way different people perceive issues and react to them.’ Those of

us who have driven such projects as the Hong Kong Mass Transit Railway (very

successfully) and the Channel Tunnel (less so) will say ‘hear, hear’ to all of that.

Professor Tony M. Ridley

Imperial College London

Past President, Institution of Civil Engineers

Preface

Projects motivating this book

The projects that motivated initial development of many of the ideas in this book

were primarily large engineering projects in the energy sector: large-scale Arctic

pipelines in the far north of North America in the mid-1970s, BP’s North Sea

projects from the mid-1970s to the early 1980s, and a range of Canadian and US

energy projects in the early 1980s. In this period the initial focus was ‘the project’

in engineering and technical terms, although the questions addressed ranged

from effective planning and unbiased cost estimation to effective contractual

and insurance arrangements and appropriate technical choices in relation to

the management of environmental issues and related approval processes.

The projects that motivated evolution of these ideas from the mid-1980s to the

present (August 2003) involved considerable diversification: defence projects

(naval platforms, weapon systems, and information systems), civil information

systems, nuclear power station decommissioning, nuclear waste disposal, deep

mining, water supply system security, commodity trading (coffee and chocolate),

property management, research and development management, civil engineering

construction management systems, electric utility long-term and medium-term

corporate planning, electric utility generation unit construction and installation

or enhancement, commercial aircraft construction, the construction of Channel

Tunnel rolling stock, and the risk and benefit management of a major branch

banking information systems project, to mention a few that are used directly or

indirectly as examples in this book. In this period the focus was on what aspects

of project risk management are portable, in the sense that they apply to garden

sheds and nuclear power stations, and in what way do ideas have to be tailored

to the circumstances, in the sense that garden sheds and nuclear power stations

require some clear differences in approach.

The reader may be concerned with projects with features well beyond our

experience, but we believe that most of what we have to say is still directly

relevant, provided the projects of concern involve enough uncertainty to make

formal consideration of that uncertainty and associated risk worthwhile. Even if

this condition is not satisfied, informal or intuitive project risk management will

benefit indirectly from some of the insights offered.

What this book is about

This book makes no attempt to cover all aspects of project management.

However, it addresses project risk management as a process that is an ‘add-in’

to the project management process as a whole, rather than an ‘add-on’. The need

to integrate these processes is central to the argument and to the basic position

adopted by this book.

The need to start to understand project risk management by understanding

processes is also central to our case. The details of models or techniques or

computer software are important, but they are not of direct concern here.

Senior managers who want to make intelligent use of risk management pro￾cesses without depending on their risk analysts need to understand most of this

book (the exceptions are signposted). Those who wish to participate effectively

in risk management processes also need to understand most of this book. Those

who wish to lead risk management processes need to understand this book in

depth and a wide range of additional literature on technique, model and method

design, and computer software.

A very important message emphasized here is that project risk management in

the context of any particular project can be viewed as a project in its own right,

as part of a multiproject environment concerned with all other aspects of project

management, such as planning resources, building teams, quality management,

and so on. An immediate implication of this view is a need to ‘plan the risk

management process’ as part of a process of ‘planning the project planning

process’. In the absence of another source of quality audit for project manage￾ment, this also implies using the risk management process to make sure all other

desirable aspects of project management are in place. A more subtle and

far-reaching implication is that everything we know about project management

in general, and multiproject management in particular, applies to the project risk

management process itself.

There is an inevitable circularity in the ideal structure for such a book, largely

because of the iterative nature of risk management processes. The authors have

restructured it several times to avoid approaches that overtly failed. We believe

the present structure works, but the reader will have to be the judge. A range of

different approaches to this book might be suggested, from ‘work your way

through each chapter in detail before going on to the next’, to ‘skim the

whole book and then go back to the bits of most interest’. We leave the

readers to judge what best suits their inclinations, with a few hints we hope

are useful.

The layout of this book

The book is in three parts. Part I sets the scene and introduces a generic risk

management process. Part II examines each phase of this process in detail. Part

xii Preface

III addresses assumptions used in Part II and considers modifications to the

generic process in order to achieve efficiency as well as effectiveness, ‘closing

the loop’.

Part I Setting the scene (Chapters 1–4)

Chapter 1 identifies the need for a broad approach to project risk management.

One feature of this breadth is addressing opportunities as well as threats. Another

is addressing uncertainty, including ambiguity, wherever it matters. A third is a

concern for the roots of uncertainty in terms of a project’s six Ws: the who

(parties), why (motives), what (design), whichway (activities), wherewithal

(resources), and when (timing) questions.

Chapter 2 considers the implications of the Project Life Cycle (PLC), using an

eight-stage framework. This helps to clarify the context in which risk manage￾ment operates and a range of project management issues that risk management

needs to address. For example, the nature of the process used to manage project

risk should be driven by when in the PLC it is used.

Chapter 3 describes the key motives for formal Risk Management Processes

(RMPs). These include the benefits of documentation, the value of quantitative

analysis that facilitates distinguishing between targets, expectations, and commit￾ments, the pursuit of risk efficient ways of carrying out a project, and related

culture changes. Effective exploitation of risk efficiency implies highly proactive

risk management that takes an integrated and holistic approach to opportunity

and threat management with respect to all six Ws.

Chapter 4 outlines the nine-phase generic process framework employed to

discuss RMPs. This framework is compared with a number of other published

frameworks, as a basis for understanding the transferable nature of the concepts

developed in the rest of this book for users of alternative RMP frameworks and

as a basis for understanding the choices available when developing RMP frame￾works for particular organizations.

Part II Elaborating the generic process (Chapters 5–13)

Part II elaborates the nine-phase generic process of Chapter 4, one chapter per

phase. The elaborations are a distillation of processes we have found effective

and efficient in practice. This is ‘theory grounded in practice’, in the sense that it

is an attempt to provide a systematic and ordered description of what has to be

done in what order to achieve the deliverables each phase should produce. It is

a model of an idealized process, intended to provide an understanding of the

nature of risk management processes. This model needs to be adapted to the

specific terrain of specific studies to be useful. Examples are provided to help

link the idealized process back to the practice they are based on, to facilitate

their application in practice.

Preface xiii

Much of what most experienced professional risk analysts do is craft, based on

craft skills learned the hard way by experience. Part II is an attempt to explain

systematically as much as we can in a particular generic process context, indicat￾ing along the way areas where craft skills are particularly important. Some

specific technique is also provided, but technique in terms of the ‘nuts and

bolts’ or mechanics of processes is not the focus of this book.

Part III Closing the loop (Chapters 14–17)

Part II makes a number of assumptions about application context to facilitate a

description of the nine-phase generic framework outlined in Chapter 4. Part III

addresses relaxing these assumptions. However, other ‘unfinished business’ also

has to be addressed, concerned with designing and operating efficient and

effective risk management processes.

Chapter 14 explores the implications of initiating a risk management process

at different stages in a project’s life cycle.

Chapter 15 considers making risk management processes efficient as well as

effective, providing two extended examples to illustrate what is involved in

practice.

Chapter 16 addresses uncertainty and risk ownership issues, considering a

contractor’s perspective, and the need to align client and contractor motivation.

Chapter 17 takes a corporate perspective of project risk management

processes and considers what is involved in establishing and sustaining an

organizational project risk management capability.

As its title suggests, the emphasis of this book is processes, in terms of the

insight necessary to use risk management processes effectively and develop

efficiency in doing so. It uses examples to focus on very specific lessons pro￾vided by practice. These examples may be viewed as the basis for, or evidence

of, ‘theory grounded in practice’, or they may be viewed as ‘war stories with a

moral’, depending on the reader’s preferences.

Changes for the second edition

The basic structure for the second edition in terms of chapters is the same as for

the first edition, except that the contents of Chapters 15 and 16 have been

reversed. However, the text has been substantially revised throughout, and

there has been some rearrangement of material between chapters. An important

aspect of these revisions has been to take an uncertainty management perspec￾tive that addresses uncertainty associated with ambiguity in a wide variety of

forms and considers opportunity management as well as threat management.

xiv Preface