A construction–specific extension to a standard project risk management process
Article Category: Research Paper
Published Online: Oct 15, 2022
Page range: 2666 - 2674
Received: Dec 11, 2020
Accepted: Jul 28, 2022
DOI: https://doi.org/10.2478/otmcj-2022-0011
Keywords
© 2022 Dina Alfreahat et al., published by Sciendo
This work is licensed under the Creative Commons Attribution 4.0 International License.
A lack of proper risk management often leads to financial and resource losses in projects. This, in turn, has a negative impact on the organisation's reputation and relations with stakeholders (Ebrahimia et al. 2012). Therefore, the implementation of risk management is essential for projects to succeed and reach their expected goals and results. Risk management assists project managers in identifying potential project risks, tools and approaches to minimise the impact of these risks on the project. In addition to these, it promotes planning, prioritisation procedures, and decision-making with employing a methodical and extensive understanding of project tasks, and recognising the risks in both directions: the potential damage caused and business opportunities. Additionally, the decent implementation and possible extension of the risk management process with new phases provide significant benefits, such as cost reductions and increased stakeholder involvement. Because of the system's lack of formality, comprehensive, and standardised uniform risk management procedures, which applies to all project participants, most construction risk management decisions are made primarily with the use of the manager's previous experience, intuition and judgment (Choudhry and Iqbal 2013; Jarkas and Haupt 2015). The primary purpose of the project risk management process in the construction sector is to detect and manage risks in a better, more intelligent and appropriate manner. These projects must also comply with the iron triangle (time, budget, specifications) (Zhao and Duan 2008). Moreover, in the initial phase of the project, it is important to start managing risks (contracts covering the risks must be concluded with the actors involved in this process, e.g. insurance firms) (Serpell et al. 2019).
The risk management process typically follows standard steps in the construction sector as well. This is supported not only by extensive practical application but also by many sources in the literature. The risk management process in this sector also goes through very similar phases regardless of which standard or other methodology found in the literature is followed. The tremendous need in industry practice to define the risk management processes for projects has triggered the literature to address the stages of the process in detail. This paper briefly but systematically summarises and compares the overlapping risk management steps found in various sources. In fact, it is not surprising that there is a massive overlap between the approaches discussed in the various works of literature, but essentially, it almost does not matter which one is selected for use as a basis for risk management. However, in the case of construction projects, a number of real-life cases have demonstrated an obvious need to extend this consensus-based series of risk management steps. The needs for real projects inspire the additional steps proposed by this research, but the literature has also helped justify them. The recommendations were validated through in-depth interviews with project managers.
Construction risk management is a proactive and structured system for regulating, reducing and preventing the consequences of risks. These stages of risk management are performed during the total project time. Undoubtedly, some risks exist inside the projects, while others exist outside the projects while remaining within the organisation; moreover, other risks are even external to the organisation. The identified risks are not only addressed but also managed by the risk owner at the appropriate level. The risk owner and the project owner are different actors; they should not be considered identical, especially given that their risk perceptions are different. The risk owner assigned to a project risk generally addresses and manages the risk best, and also determines the countermeasures that will be used.
Table 1 shows four risk management standards adopted and recommended by prestigious standardising institutions or professional associations. These standards are intended to be applied to projects or organisations in any field of operation.
Elements of standards.
| Risk Management Standard | Institute of Risk Management (IRM)/National Forum for Risk Management in the Public Sector (ALARM)/Association of Insurance and Risk Managers (AIRMIC), UK. | 2002 |
Risk Assessment
Risk Analysis
Risk Identification Risk Description Risk Estimation Risk Evaluation Risk Reporting Threats and Opportunities Decision Risk Treatment Residual Risk Reporting Monitoring |
| Project Risk Analysis & Management (PRAM) Guide 2nd edition | Association for Project Management (APM), UK. | 2004 |
Initiate Identify Assess Plan responses Implement responses |
| Guide to the Project Management Body of Knowledge (PMBoK®) | Project Management Institute, USA. | 2016 |
Plan risk management Risk identification Qualitative risk analysis Quantitative risk analysis Plan risk responses Implement risk responses Monitoring risks |
| ISO 31000 | International Organization for Standardization. | 2018 |
Communication and consultation Scope, context and criteria Risk assessment Risk treatment Monitoring and review Recording and reporting |
The Project Risk Analysis and Management (PRAM) Guide introduces the procedures involved in project risk management. It provides an easy-to-use and practical framework to assist new practitioners in starting up the risk management process. The total procedure is divided into two components or phases: analysis and management of risks. Risk analysis in the assessment phase contains estimation and evaluation of the processes (Association for Project Management 2018).
The ISO 31000 Guidelines are offered as a narrative collection of principles, frameworks and processes. It provides specific instructions on the risk management system's planning, implementation, measurement and learning aspects, but less clear information on the context, leadership and support features required of a management system standard. There is, however, no step-by-step checklist for implementing the risk management plan. Risk assessment and risk treatment are described as being at the core of the risk management process in ISO 31000, which is concerned with the risk management process. This section also contains guidance on (1) scope, context and criteria; (2) communication and consultation; (3) monitoring and review; and (4) recording and reporting. The tasks of risk assessment and risk treatment are important to the risk management process. Risk assessment is divided into three stages: risk identification, risk analysis and risk evaluation. ISO 31000 describes each of the three stages in detail, providing valuable insight into how risks can be identified, analysed in terms of likelihood and consequences and finally evaluated with regard to the established risk criteria (risk appetite) to decide whether additional action is necessary. Risk treatment is also an essential component of the risk management process, and it covers the selection of risk treatment solutions, as well as the design and implementation of risk treatment plans (Institute of Risk Management 2018).
As shown in Table 1, the processes and steps described by the various standards are similar. However, there are some differences in their terminology. The significant degree of similarity and consistency across the standards shows the formation of an international consensus on how risk management should be carried out. In this article, we mainly follow the risk management procedures of PMI, which effectively integrates and synthesises the standards of other associations.
Identifying risks and selecting risk management methods are simultaneous processes. The organisation defines how risk management is important to the participants by articulating their appetite for risk. The project's stakeholders may have different points of view on project risk, so they can be categorised according to their appetite for risk. Some stakeholders are risk-tolerant and have a strong desire to take risks, others minimise extreme outcomes (Kendrick 2003). During this phase, the scope of the process and the participating staff define the degree, type and visibility of risk management. As part of the traditional risk management process, the necessary resources and responsibilities are assigned to the processes, but then it is worth taking some additional risk management steps as there is a definite need for this in the construction industry. The extended processes should be included in the risk management plan. The local risk management plans for activities must be consistent with the project risk management plan at the global level.
The risk management plan supports the project management team on how to employ risk management by developing the initial schedule (baseline) and implementing the changes in the plan. During plan development, the project management team recognises that risk management is a formal part of a standardised planning process (Mubarak 2010). According to the PMI, the risk tolerance of all participants (including stakeholders and even the owners) should be documented, and it is a fundamental element of a risk management plan. Risk tolerance, similar to risks in the quantitative assessment phase, can be defined, measured and effectively quantified. In certain organisations, this process is not considered seriously in daily practice. One of the many reasons is that project managers often ignore or underestimate project risks; moreover, no departments with specialists are dedicated to risk management.
Risks happen and escalate during the whole duration of the project; therefore, the risk identification process continuously focuses on all the risk events by assessing their sources and consequences. Therefore, risk identification is a continuous process in projects. According to a study conducted by Serpell, Ferrada & Rubio, in 2019, risk identification is considered one of the most critical stages of risk management for construction projects and influences the successful execution of the next stages of this process. However, identifying and managing all risks in construction projects is impossible. It can be inefficient, time-consuming and unproductive. Therefore, it is critical to concentrate solely on the most important risks (El-Sayegh and Mansour 2015). All project stakeholders are urged to participate in the risk management process and identify low-level (individual) and high-level (global) risks. The PMI identifies the project manager, project risk specialists, project team members, external experts from the application area, customers, end-users, risk management specialists and operations managers as relevant stakeholders (Project Management Institute 2017). It is recommended that other stakeholders be recognised in the identification phase, such as:
The functions or organisations that are responsible for decision-making, financing, risk management services (e.g. outsourced providers) and policy (i.e. regulators). The organisations or groups that are touched by the risk's implications, either directly or indirectly, but are not in these classes (secondary stakeholders).
It is necessary to take a more all-encompassing approach to project management, and one way to do this is to involve the head of the department as early as possible in the process. Departmental heads must promote higher levels of communication across departments in order to reduce the likelihood of risks occurring (Kayis et al. 2007). There are several ways to categorise construction project risks. These categories are, for example, the construction stages when risks occur or their nature (Zhi 1995). As shown in Table 2, there are several ways to classify risks for different purposes.
Risk identification categories.
| Investor's risk, Contractor's risk, Material supplier's risk, Project manager's risk, Government's risk, Other project stakeholder's risk | Lin et al. (2011) |
| Preliminary design, Detailed design, Tender, Financing the investment, Construction works | Banaitiene and Banaitis (2012) |
| Design, Resources, Productivity, Technical, Payment, Managerial, Client, Subcontractors | Dikmen et al. (2007) |
| Engineering, Project management, Suppliers, Execution | Nieto-Morote and Ruz-Vila (2011) |
| Construction management, Construction safety-related, Engineering design, Social and economic, Natural hazards | Kuo and Lu (2013) |
| Environment-related, Quality-related, Time-related, Cost-related, Safety-related | Zou et al. (2007) |
| Internal (Owner's, Contractor's, Subcontractor's, Designer's, Supplier's), External (Economic, Social and Cultural, Natural, Political, Others) | El-Sayegh (2008) |
This process is about ranking the identified and analysed risks in the project. Analysis is a continuous process during the whole project, and one of its objectives is to keep the project effective by implementing the most important modifications. There are several methods for conducting the ranking process. Organisations even have their own unique ways. All of the methodologies, however, are based on determining the most significant elements for a calculation (possibility of occurrence, impact). They classify risks into primary and secondary categories based on both the amount of time allotted to respond to risk events and the level of risk tolerance. This process is sufficient for risk classification. It enables professionals to rank the risks from most to least important (Kendrick 2003). Risk classification is a critical step in this procedure. Categorisation can be carried out in a variety of methods, with the goal of identifying underlying causes or typical features.
The probability–impact matrix and hierarchical charts are two examples of category-based risk management techniques. This matrix aids in visually categorising hazards into groups based on probability and impact. Once risk management is classified in a three-dimensional space, a two-dimensional matrix becomes inadequate. Hierarchical charts, on the other hand, show risks in two dimensions, along two axes, with the third dimension represented by the size of a graphical figure (typically a disk or bubble) (e.g. level of acceptance). Using three dimensions helps to trigger effective risk responses by concentrating attention and effort on areas of most substantial risk exposure or by establishing standardised risk responses. This helps to trigger effective risk responses more quickly. After the determination of the highest risks, this category might receive more attention (Project Management Institute 2017).
The work breakdown structure (WBS) or risk breakdown structure (RBS) serves as a guiding concept for risk grouping, and this approach tries to allocate the groups to appropriate risk management plans and actions. The WBS is constructed based on functional disciplines that are maintained by increasing the attention of leadership and organisational engagement, while the RBS typically concentrates on the causes of risks, which are given a larger degree of attention by management (Bissonette 2016). In construction practice, the hierarchical structure is particularly effective because there are so many risk factors, especially in large projects, and the ability of humans to examine numerous factors simultaneously is restricted (Zhi 1995). Comparison of priorities to objectives or other criteria can be used to assess risk management performance, highlight risks that require additional investigation and guide the development of action plans and resource allocation (Cooper et al. 2005).
The phase of performing quantitative risk analysis is based on the multidimensional concept of qualitative risk assessment. Basically, this optional step is a numerical analysis. Quantitative risk analysis allows for a more accurate assessment. It is performed after the qualitative analysis of assessing the impacts on the decision-making process. The availability of appropriate, quantitative ratio scale data is a precondition for this assessment. Typically, the analysis is based on sensitivity analysis, a decision tree, a simulation that assesses the consequences of risks, or more formal statistical approaches giving a deeper understanding of project risks. Risk classification is a common stage in quantitative or qualitative risk analysis. A good strategy to handle risks in a project is to repeat the risk management process periodically to guarantee that the risks are under control.
Decision-making stakeholders require a quantitative process many times. After conducting the relevant actions for quantitative risk analysis, an effective tool is to establish and continuously update the risk register. The quantitative risk analysis phase produces a record of quantifiable risks, which can be prioritised based on a combination of the project's probability analysis, the likelihood of reaching the cost-time targets, and their implications (Mubarak 2010). Clearly, risk analysis is a necessary stage in determining effective risk management strategies. Organisations recognise the value of risk management in building projects. Formal risk analysis and management approaches are rarely applied due to a lack of awareness, inexperience and doubts regarding their suitability for construction projects (Banaitiene and Banaitis 2012).
The risk analysis verification process reviews the risk analysis calculations by repeating the analysis to check whether the listed risks are correct and cause real threats (Al-Hawari et al. 2008). Many methods help verify the correctness of the calculations, such as sensitivity analysis, internal results comparison as well as simulation (Fenz and Ekelhart 2011). On the other hand, the risk analysis validation process reviews the output of risk analysis to define whether the listed risks are relevant to the organisation's objectives and satisfy its expected requirements (Fenz and Ekelhart 2011). There are some ambiguities in the literature about the verification process. Some authors defined reliability rather than verification, such as Aven and Heide (2009). They defined reliability as ‘the extent to which the risk analysis yields the same results when repeating the analysis,’ which yields the same result of the verification process. Aven and Heide (2009) pointed out three criteria for reliability and four criteria for validity, which must be fulfilled so that risk analysis can be scientifically sound. The three reliability criteria are the repeatability of the outcomes within the estimated uncertainty by an analyst team, reproducibility of the outcomes within the combined estimated uncertainties when analysed by different teams with the same scope and methods and reproducibility of the outcomes within the combined estimated uncertainties when analysed by different teams who are free to choose the scope and methods. Validity includes the four following criteria:
To what degree the derived risk is consistent with the real risk within the estimated uncertainties. To what degree the subjective probabilities describe the uncertainty of analysts. The extent to which epistemic uncertainties, such as model parameters, are complete. The extent to which the sensitive quantities are addressed.
Suokas (1985) suggested several approaches for assessing the pragmatic validity of risk analysis. The first two approaches are a complete benchmark exercise, which is a comparison with a comprehensive parallel analysis of the same system or activity, and a partial benchmark exercise, which is a comparison with a comprehensive parallel analysis of selected parts of the same system or activity. These two approaches are specifically aimed at assessing the analysis methods, including all the risks, the reliability of results, highlighting the uncertainty of the model and identifying practices for dealing with uncertainties. The third approach is reality check, which compares the outcomes of risk analysis with the operational experience of corresponding systems, and justifies the validity of the general analysis (e.g. how well it identifies risks and their contributors). The fourth approach is the independent peer review, which is a review of risk analysis output by several technical experts. The fifth approach is quality assurance. This checks the analysis process with regard to the similarities between the risk analysis and the production method. Based on comprehensive practical experience, Lathrop and Ezell (2017) proposed a framework approach to risk analysis validation to ensure confidence in risk management. The flowchart highlights 16 essential elements in the validation tests. In this approach, the activity domains are the analysts, the users and the community analysis. Analysts and community analysis are essential to establish analysis quality culture. This process aims to filter out all the risks not related to the organisation's objectives. The filtering approach provides valuable and useful resources whose aim it is to address significant risks related to business goals, and can save organisation resources by focussing only on risks relevant to the objectives of the organisation (Al-Hawari et al. 2008).
This phase attempts to discover the proper actions and techniques to handle the risks listed in the risk register based on their relevance and priority. Responses involve reviewing possibilities, selecting strategies and techniques and triggering actions. Appropriately chosen responses are directly responsible for maximising opportunities and mitigating threats posed by risk. The optimal response can be picked from a collection of strategies and techniques. However, if any potentially negative consequences occur, the project manager can avoid, transfer, minimise or accept them. When there are opportunities, however, very similar techniques are used: escalate, exploit, share, enhance and accept. Based on its willingness to accept or tolerate risk, the organisation should decide how to incorporate risks into its overall plan. Individual managers should not make policy decisions like this, therefore, these decisions should be made at the senior level of the organisation (Cooper et al. 2005). Moreover, the organisation should ensure that the confrontation cost is commensurate with risk intensity. The confrontation cost should not be more than the losses that the risk can generate, and the appropriate time for confrontation should be determined to avoid future losses. Several adjustments are made to the risk register after the most appropriate approach to manage each risk is selected, and the adjustments are typically based on factors such as specific risks, their clarity, the areas of the project affected, the causes of risk and the means by which they may affect the project objectives. Moreover, it should include the approved risk response methods, how to implement the chosen strategy, financing and time necessary to implement the chosen strategies, contingency plans, backup plans in cases when the specific response approach is ineffective, and precautions. Documenting the decisions should involve developing and implementing a risk mitigation plan for the unresolved issues. Unresolved risks may be monitored to ensure that they do not constitute an impediment to production or cause a delay (Mubarak 2010). According to risk management standards, the stakeholders reach an agreement based on which risk treatment is accepted. A detailed treatment plan defines the execution of the risk response plan. Also, during this stage, reporting and communication are established with the stakeholders. The purpose is to share the knowledge obtained during the execution process (Institute of Risk Management 2002). Therefore, in any project, the design and execution of comprehensive risk mitigation action plans are the keys to successful and effective project risk management in practice (Cooper et al. 2005).
Risk plan experimentation examines whether the planning performed in the previous step is accurate and comprehensive. Assumptions that have not been tested are a common source of project risks. Therefore, this process highlights the importance of early approval of the response plan, and this could be done efficiently through the design, construction and execution of experiments focussed on performance and flexibility. Retrospectives help the team find and identify the most important mitigation plan for optimising risk management output, rather than predicting whether they will benefit before implementing them on a large scale. Teams run trials to see if these risk management plans are promising. It also aims to prevent wasting resources during the implementation phase by ensuring the validity of the risk response plan (Al-Hawari et al. 2008).
This phase focuses on putting in place the most appropriate and strictest controls and procedures for the identified risks. The acceptable and planned responses are carried out here in order to reduce individual project risks and raise individual project opportunities. Risk control during the execution phase may necessitate altering the existing execution plan, eliminating the risk or even launching a contingency plan if the present plan is proven to be ineffective. In some cases, a newly identified risk may require starting the risk management process from the beginning (Perera and Holsomback 2005). The risk management process entails extensive risk identification and analysis, as well as risk planning (with lessons learned register, risk register and risk report). One of the most significant errors at this level is that the risk management procedure is incomplete. For instance, some construction organisations start the risk management plan without efforts to finish it.
Monitoring risks is a process for tracking the implementation of the risk response plan. This process attempts to monitor residual risks and identify new risks and sources that may arise following the action. Moreover, it allows us to evaluate if there is a follow-up to ensure that risk management processes are in place, bringing the required adjustments to the project management plan, and effectively modifying emergency reserves when changes occur. A proper tracking methodology leads to decisions based on current project risk information. The performance information obtained during project implementation should be communicated to the stakeholders to evaluate the effectiveness of risk management on all project aspects. Monitoring tools and techniques include audits and meetings, in addition to data analysis. Undoubtedly, this stage is crucial for creating the database of lessons learnt (Yildiz et al. 2014).
A risk management planning process, a risk management organisational mechanism and a risk management functional division should all be established by construction enterprises. Besides that, the risk management department should be constructed with a full-time expert and team responsible for risk identification, management and control, as well as contribute to coordinating and resolving risk management issues that arise in the relevant departments and with the parties involved (Zhao and Duan 2008). Furthermore, construction projects include a wide range of partners, a high level of complexity and a tremendous amount of information. As a result, project participants must rapidly and effectively learn each other's information, plus, project decision-makers must have timely project information in order to be able to make the best decision. To lower the cost of gathering, exchanging and transmitting project information, a project risk information system should be established.
Training is the core of the risk management approach. Without proper training, the risk management approach is unlikely to be accepted or implemented. Therefore, training should be provided at the beginning of the risk management process, which also includes a regular educational session to present any policy changes, lessons learned or discovered leading practices. Refresher workshops are also essential to keep employees informed about risk management policies and procedures as well as to ensure that organisations are committed to risk management. It is critical to put in place a standard procedure, since it would ensure uniformity and eliminate reporting duplication. The project team, including the project manager, identifies the critical project risks and responds appropriately. The risk department is responsible for assigning only one person to ensure that there is a focus on that risk and it will not be neglected. Some project managers attempt to handle all risks on their own. Therefore, it is critical to identify and recruit risk owners who have the knowledge and abilities to develop and execute risk response plans in an effective and efficient manner.
Five interviews support the suggestions of this research. The interviewees work on large and complex projects in the construction sector. The interviews included the following questions, among others:
Does the company follow the classic phases of risk management by PMBOK? How would they extend the original risk management process tailored to their project? Does the organisation organise training in risk management for the employees? Is the risk appetite of the company articulated and communicated clearly inside the company? Is there a department dedicated to risk management? Does the company assign risk owners to their projects?
All five interviews are about the assessment of the practice of construction project risk management. The first investigated project is a EUR 1.2 billion industrial megaproject in the petrochemical field. Nearly 300 engineers have been working for 3 years on building a new polyol complex. The second is a EUR 600 million road and bridge construction project aiming to build a mobility and development centre for a well-known European car producer. The third respondent is involved in medium and large transport engineering and civil engineering projects involving mainly construction and traffic engineering planning (e.g. the extension of motorway lanes, or temporary traffic engineering plans for an international cycling race). The next interviewed project manager is responsible for electrical installation in the automotive sector (e.g. officially licensed investments, production hall extensions and production line construction). The last interviewee is from a public construction company in a European city centre. Their project consists of the renovation of an emblematic building under heritage protection operating as a five-star hotel.
Let us summarise the lessons learned from these projects and present the information in an aggregated way emphasising only the relevant and significant results of this research. Large projects employ a formal, corporate project risk management process and mostly follow the PMBOK phases. In the case of the largest projects, they would definitely extend the risk management process if they could revise the risk management process of the organisation. On the one hand, the new phase, the experimentation, is considered part of the project risk management process to justify risk management plans and examine the results compared to what is expected (suggesting simulation as a tool). On the other hand, continuous reassessment is necessary, which could be served best by an additional validation or verification phase. In the participants’ projects, there are risk owners assigned to risks, and there is an evident and general need to articulate and communicate the organisation's risk appetite clearly if this has not already happened.
The importance and necessity of risk management training for employees are inherent in projects almost without exception. The interviewees stressed the need for project-wide risk management training. Therefore, these answers reconfirmed the concept of project risk management and justified the suggestions of new phases. However, contrary to expectations, there is not much consensus on having a separate department dedicated to managing risks. The respondents presented arguments both for and against such a department.
Organisations are required to handle risks properly. They must adopt scientific approaches to deal with risks and secure the success of their projects. They can accomplish this only by incorporating risk management into their projects. Effective risk management, particularly in the construction industry, aids in the proper execution of projects and brings benefits to all project stakeholders. Effective risk management does not imply avoiding risks; rather, it entails properly recognising them, and organisations must be aware of all the potential and negative effects associated with them. In this paper, we introduced an extension of standard risk management from the construction perspective and suggested two more processes—risk analysis verification and validation, and risk plan experimentation—to help make implementing risk management smoother and help achieve project objectives. Furthermore, we made some other suggestions (e.g. targeted training, articulated and communicated risk appetite), which can effectively improve construction risk management and help execute the risk management plan.