Project Risk and procurement - Assignment 1
MSc. Procurement, Logistics, and Supply Chain Management
Student: @00429168 22-Feb-15
Table of Contents
1. Introduction
2. Definition of risk
3. Conclusion
4. References
1. Introduction
In the last two decades, the world economy has seen significant changes in how organizations
are managed, and new strategies have been introduced and implemented to successfully
manage and deliver projects within the allocated schedule and budget. One of the most
important factors that affects project execution and causes loss and failure is the risk factor.
After the global financial crisis in 2008, global organizations started focusing on risk
management and the importance of analysing and controlling the risks in their premises
and projects. Many strategies and standards for risk management have been developed
and implemented to form part of any successful organization. Also, the proper and
successful planning of any project shall consider the potential impact of all types of risks
on all activities during the life of project and shall provide the ways to reduce project
risk.
In this paper we will demonstrate the concept of risk, how it can be measured and ranked,
and how a project risk management strategy may be constructed.
2. Definition of risk:
Risk is part of our lives and exists in many forms, whether considered small or
high. Most of us face risks on a daily basis (i.e. at work, while driving, eating,
playing, travelling by plane / boat, etc.). Risk can be personal risk, social risk, business
risk, financial risk, etc. Hence, there are many definitions of risk and of how it can be
managed.
Risk can impact any activity during a project in the short, medium and long term.
Risk can be defined as “an uncertain event or condition that, if it occurs, has an effect on
project objectives”. The effect may be a positive or negative impact. (Salford, Project Risk and
Procurement Management, 2015)
The definition of risk set out in ISO 31000:2009, Risk management - Guide 73 is that risk
is the “effect of uncertainty on objectives”. (Management) (The Institute of Risk Management).
An effect may be positive, negative or a deviation from the expected, and risk is
often described by an event, a change in circumstances or a consequence. Negative
events can be classified as risks, while positive events are classified as opportunities.
The PRINCE2 definition of risk is “uncertain event or set of events that, should it occur,
will have an effect on the achievement of objectives” (primer)
OHSAS defines risk as the “combination of the likelihood of an occurrence of a
hazard event or exposure and the severity of injury or ill health that may be caused by the
event or exposure.” (Expert, 2015)
The risk in any organization / project can be internal or external. For example, the
database of any organization, especially sensitive data related to employees, contracts,
financial statements, and the like, can be at risk both internally and externally. The
internal risk can arise when an employee discloses the data to an external source without
authorization from the organization. The external risk can arise when the data is accessed because
the organization's IT department has not protected it. Such access to the data can highly
impact the operation of the organization and its employees and can affect its future
vision and its relationships with other organizations, and cause a threat on all levels.
Risk Management:
Investopedia explains risk management as “the process of assessing, managing
and mitigating losses”. (Investopedia, 2015)
Another definition for Risk Management by Michael Stanleigh is “The process of
identifying, analyzing and responding to risk factors throughout the life of a project and
in the best interests of its objective”. (Stanleigh, 2015)
OHSAS defines the Risk assessment as the “process of evaluating the risks arising from a
hazard, taking into account the adequacy of any existing controls, and deciding whether
or not the risk is acceptable.” (Expert, 2015)
In order to identify, assess, control and manage risk, a process should be initiated by
organizations, regardless of their size, to successfully deliver projects with minimum
losses, injuries, cost, etc.
The idea of identifying and managing risk is to provide a system that allows the
organization and project to avoid or minimize the effect of the identified risks with
cost-effective approaches.
The process cycles of risk management are as below:
- Risk Identification
- Risk Analysis
- Risk Response
- Risk monitoring and control
(Salford, 2015)
Risk Identification:
The first step in risk management process is identifying the risk. The project team and/or
risk professionals shall identify all of the possible risks that might affect the success of
the project.
Risk identification may use the following 10 Ps of risk management to build a
comprehensive list, or follow the project requirements. The 10 Ps are as follows:
- Physical properties – premises/product/purchasing supplies
- People elements – people/procedures they follow/protection
- Actions or processes – processes/performance against targets
- Management issues – policy and strategy/planning and organizing. (Jeynes, 2012)
Example: Microsoft announced two years ago that it would stop the technical support
for Windows XP. The organization I worked for started upgrading Windows on its
systems to the latest versions. One of the programs we use in procurement is the JD
Edwards Oracle system. After the operating system was upgraded, the JD Edwards version
caused technical issues with the new version of Windows, so the decision was to upgrade
JDE to the latest version as well. Listed below are some of the risks involved in this project:
- Compatibility of new system with the installed operating system
- Database losses during system upgrade
- Delays on system upgrade completion date due to technical issues
- Adequate IT staff to complete the task
- Availability of technical support from Oracle during system upgrade when required
- Training of company staff after completion of system upgrade
- Failure of the system upgrade and the ability to use the old system again
- Availability of alternative power supply and UPS in case electrical power is down
- Availability of staff for night shift during system upgrade
Risk Analysis:
Once the project risks are identified and listed by the project team and/or risk professional,
the analysis of risk shall start.
The risk analysis depends on the attitude of the person who is involved in the assessment.
The culture can indicate how the person will act against identified risks.
There are risk seekers (lovers), who like to take risks, and the risk averse (avoiders),
who avoid risks. Project managers usually seek to balance risks
and rewards (risk neutral). (Salford, 2015)
Risk analysis can be carried out using two techniques:
- Qualitative analysis
- Quantitative analysis (Salford, 2015)
Qualitative analysis:
Qualitative analysis can be defined as the technique concerned with discovering the
probability of a risk event occurring and the impact the risk will have if it does occur.
The qualitative risk analysis prioritizes the identified project risks using a pre-defined
rating scale.
Qualitative analysis relies on several techniques to determine the probability and
impact of risk, for instance brainstorming, historical data, and consulting educated opinion
and expert judgement, etc. (Wikipedia)
One of the techniques is using the risk matrix. The risk matrix examines identified risks
from the viewpoint of probability (i.e. the chance of something happening) and
consequence (i.e. the impact if that something happens). (Salford, 2015)
Based on this technique, the project team shall start analyzing the defined risks and
specify the importance of each risk and its impact on the project if it occurs. The team can
rank the impact on the project using the categories “High to Low”. A significant impact of an
identified risk can be ranked as High, while a risk that can occur only under extreme
conditions can be ranked as Low.
Another risk matrix can be based on numbers, replacing the categories (H, M,
L) with numbers from (1-5) or above and then multiplying the numbers to get a risk number.
The higher the risk number, the higher the importance and the action required. (Salford,
2015).
Example: using the same example mentioned in Risk identification, the importance of
each risk can be ranked as below:
- Compatibility of new system with the installed operating system: Medium
- Database losses during system upgrade: High
- Delays on system upgrade completion date due to technical issues: High
- Adequate IT staff to complete the task: Low
- Availability of technical support from Oracle during system upgrade when required: Medium
- Training of company staff after completion of system upgrade: Low
- Failure of the system upgrade and the ability to use the old system again: Medium
- Availability of alternative power supply and UPS in case electrical power is down: Medium
- Availability of staff for night shift during system upgrade: Low
Below is the risk analysis using the category risk matrix, which reflects the result above.
Risk ID | Risk Description | Impact/Probability (Low / Medium / High)
1 | Compatibility of new system with the installed operating system | M
2 | Database losses during system upgrade | H
3 | Delays on system upgrade completion date due to technical issues | H
4 | Adequate IT staff to complete the task | L
5 | Availability of technical support from Oracle during system upgrade when required | M
6 | Training of company staff after completion of system upgrade | L
7 | Failure of the system upgrade and the ability to use the old system again | M
8 | Availability of alternative power supply and UPS in case electrical power is down | M
9 | Availability of staff for night shift during system upgrade | L
Table 1: Category risk matrix
Below is the risk analysis using the number risk matrix.
Risk ID | Risk Description | Probability (1-5) | Impact (1-5) | Value
1 | Compatibility of new system with the installed operating system | 2 | 4 | 8
2 | Database losses during system upgrade | 3 | 5 | 15
3 | Delays on system upgrade completion date due to technical issues | 4 | 3 | 12
4 | Adequate IT staff to complete the task | 2 | 2 | 4
5 | Availability of technical support from Oracle during system upgrade when required | 2 | 3 | 6
6 | Training of company staff after completion of system upgrade | 2 | 2 | 4
7 | Failure of the system upgrade and the ability to use the old system again | 3 | 4 | 12
8 | Availability of alternative power supply and UPS in case electrical power is down | 2 | 3 | 6
9 | Availability of staff for night shift during system upgrade | 2 | 2 | 4
Table 2: Number risk matrix
Based on the above ranking, the project team shall start prioritizing the risks in order to
prepare the action plan and monitor the risks.
Quantitative analysis:
A quantitative risk analysis is a further analysis of the highest priority risks, during
which a numerical or quantitative rating is assigned in order to develop a probabilistic
analysis of the project.
A quantitative analysis:
- quantifies the possible outcomes for the project and assesses the probability of
achieving specific project objectives
- Provides a quantitative approach to making decisions when there is uncertainty
- Creates realistic and achievable cost, schedule or scope targets. (Belinda)
Quantitative risk analysis can use the decision tree, which is a visual representation of the
choices, probabilities and consequences we are facing. (Salford, 2015)
Quantitative risk analysis tends to deal with the avoidance of low probability events with
serious consequences to the plant and the surrounding environment. (Executive)
Below is risk analysis sample using the decision tree model
Figure 1: Simple Decision Tree Model. (Salford, 2015)
Risk response:
After identifying and analysing / assessing the potential risks which may affect the
project execution, the project team shall prepare the action plan on how to respond to the
assessed risks.
The strategy of risk response is to start with the high impact risk leading to low impact
risk. The project team shall decide the criteria of how to respond to each potential risk
and what is the urgency of response required.
The risk responses are divided into two categories, negative risks (threats) and positive
risks (opportunities).
The PRINCE2 suggests nine response categories that may be chosen for both threats and
opportunities:
Risk responses for threats are:
- Risk Avoidance
- Risk Share
- Risk Reduce (mitigate)
- Risk Acceptance
- Fallback (contingent action)
- Risk Transference
Risk responses for opportunities are:
- Risk Share
- Risk Enhance
- Risk Exploit
- Risk Reject
PRINCE2 indicates that the response the project team chooses should be based on a
balance between the cost and time investment of a particular response and the probability
and impact (including risk severity) of the risk, and should be included within the risk management
strategy. (primer)
The ISO 31000:2009 gives a list on how to deal with risk:
1. Avoiding the risk by deciding not to start or continue with the activity that gives
rise to the risk
2. Accepting or increasing the risk in order to pursue an opportunity
3. Removing the risk source
4. Changing the likelihood
5. Changing the consequences
6. Sharing the risk with another party or parties (including contracts and risk
financing)
7. Retaining the risk by informed decision. (Wikipedia, Wikipedia)
Example:
Below is the risk response matrix for the above example.
Risk ID | Risk Description | Consequences | Strategy
1 | Compatibility of new system with the installed operating system | System not working | Avoidance
2 | Database losses during system upgrade | Loss in company data | Avoidance
3 | Delays on system upgrade completion date due to technical issues | Delay on system launch | Mitigate
4 | Adequate IT staff to complete the task | Delay on system launch | Accept
5 | Availability of technical support from Oracle during system upgrade when required | Delay on system launch | Accept
6 | Training of company staff after completion of system upgrade | Delay in company operation | Mitigate
7 | Failure of the system upgrade and the ability to use the old system again | System not working, stop the operation of company | Avoidance
8 | Availability of alternative power supply and UPS in case electrical power is down | Delay in system launch | Mitigate
9 | Availability of staff for night shift during system upgrade | Delay in system launch | Accept
Table 3: Risk response matrix
Risk monitoring and control:
Risk control is an action/device/strategy intended to eliminate/alleviate/reduce the
negative impact on the business or individual of a situation or event. (Jeynes, 2012)
Risk monitoring and control form part of the risk response. For instance, injury to labourers
during construction is a risk; the response is to mitigate the injury and loss by initiating
safety programs that seek solely to reduce losses. Continuing to run the safety program
and control the risk will, over time, minimise it and reach a zero-injury level.
Example: in my organization, we have an HSE department looking for all potential risks
arising at all levels. One of their tasks is to control and reduce loss and injury during
project construction. This control has led the organization to exploit the risk as one of
its opportunities by breaking records and reaching 25 million hours without LTI. This
achievement put the organization at the top of the safest organizations in the country.
The action plan prepared to respond to project risks shall be reviewed before and after the
implementation and project team shall make revisions and updates on the risks included
in the plan.
Risk management is a continuous process. Therefore, in order to keep tracking the
process and controlling the risk during the life of the project, project risk team can use the
technique of top ten risk tracking.
The top ten risk tracking technique maintains awareness of risks throughout the life of a
project. It:
- establishes a periodic review of the top 10 project risk items
- lists the current ranking, the previous ranking and the number of times the risk appears on the
list over time, and summarizes the progress made in resolving the risk item. (Salford,
2015)
After preparing the top ten risk tracking, the project team shall create a risk register
document, which acts as a permanent record of project risks.
This document contains the results of the various risk management processes, often displayed in a
table or spreadsheet. It contains a list of the risks, the ranking of the risks and information
about these risks. It is also used to manage risk and to store all the information pertinent
to risk managing the project in one place so that it can be accessed and used to manage
future projects. (Salford, 2015)
The PRINCE2 defined the risk register as a project management tool used to contain
information on all of the identified threats and opportunities within a project. It will
contain information such as the category and description of the risk, its probability,
impact and expected value, its proximity and risk responses, its current status and the risk
owner. Project support will normally maintain this for the project manager. (primer,
Prince2 primer)
Below is the risk register for the above sample.
Risk ID | Risk Description | Consequences | Strategy | Probability | Action
1 | Compatibility of new system with the installed operating system | System not working | Avoidance | 2 | Ensure that the installed system is compatible with the operating system
2 | Database losses during system upgrade | Loss in company data | Avoidance | 3 | Take backups of all data in the system
3 | Delays on system upgrade completion date due to technical issues | Delay on system launch | Mitigate | 4 | Make a backup plan to start before schedule and solve the technical issue as fast as possible
4 | Adequate IT staff to complete the task | Delay on system launch | Accept | 2 | Prepare staff on call basis
5 | Availability of technical support from Oracle during system upgrade when required | Delay on system launch | Accept | 2 | Ensure that the Oracle team is available during system upgrade
6 | Training of company staff after completion of system upgrade | Delay in company operation | Mitigate | 2 | Provide intensive classes before and during system upgrade
7 | Failure of the system upgrade and the ability to use the old system again | System not working, stop the operation of company | Avoidance | 3 | Keep the old system working until the system is successfully upgraded and tested
8 | Availability of alternative power supply and UPS in case electrical power is down | Delay in system launch | Mitigate | 2 | Provide generators and UPS near the location of the servers
9 | Availability of staff for night shift during system upgrade | Delay in system launch | Accept | 2 | Prepare staff on call basis and replacement where necessary
Table 4: Risk register
Project risk management strategy:
Following the above analysis of project risk and risk management, the risk
management strategy determines how risks will be handled during the project.
The risk management strategy starts with identifying the risk, measuring it, planning how to
respond, what action is required and by whom, and implementing the strategy.
The chart below illustrates the risk management strategy as defined by PRINCE2.
Figure 2: Risk management strategy chart (primer, Prince2 primer)
Case study:
In 2011, I was working as lead procurement in one of the mega projects in the UAE. As part of
the project we had to build a control building to monitor the process of the plant. One of the
tasks was to provide a complete fitout solution for the control room, which is the core of the
project.
After analysing the package we found that the budget allocated was 5 million dollars while
the proposals received from bidders were around 12 million dollars. This was a big loss on the
project and formed a high risk factor which would affect project cash flow. We had a
meeting with all concerned and raised the alarm that a big loss was expected from this package.
After identifying and assessing the risk, the project director and I decided to take a risk
and provide an alternative solution from overseas. We contacted many factories in
Europe and found a very good solution that would match the project budget. The other risk
involved was the logistics as well as the material quality. The risk response was to accept
the risk and control it by providing samples from different countries and assembling the
system on site, as well as instructing the factories to provide warranties and defect liabilities.
We successfully completed the task with no impact on budget or project schedule.
This risk is considered a positive risk, and the project team exploited it to the benefit of the
project.
3. Conclusion
Project risk, risk management and their strategies form part of the project execution
plan. Projects that do not consider project risks and implement responses to the findings
will fail to deliver the project objectives.
Project risk management can be summarized in four main steps:
- Risk identification
- Risk analysis and evaluation
- Risk control (determination of control)
- Risk management (implementation)
4. References
Bibliography
Belinda. (n.d.). Passionatepm. Retrieved February 17, 2015, from http://www.passionatepm.com/blog/qualitative-risk-analysis-vs-quantitative-risk-analysis-pmp-concept-1
Executive, H. a. (n.d.). Health and Safety Executive. Retrieved February 20, 2015, from www.hse.gov.uk/quarries/education/.../topic5.ppt
Expert, O. 1. (2015). OHSAS 18001 Expert. Retrieved February 20, 2015, from http://ohsas18001expert.com/2007/07/14/new-requirements-for-risk-assessment/
Investopedia. (2015). Retrieved February 19, 2015, from Investopedia: http://www.investopedia.com/terms/r/riskmanagement.asp
Jeynes, J. (2012). Risk Management: 10 Principles. Woburn: Butterworth-Heinemann.
Management, T. I. (n.d.). Retrieved February 21, 2015, from https://www.theirm.org/media/886062/ISO3100_doc.pdf
primer, P. (n.d.). Retrieved February 20, 2015, from Prince2 primer: http://www.prince2primer.com/risk-management-strategy
primer, P. (n.d.). Prince2 primer. Retrieved February 20, 2015, from http://www.prince2primer.com/managing-prince2-project-risk
Salford, U. o. (2015). Project Risk and Procurement Management. University of Salford.
Stanleigh, M. (2015). Business Improvement Architects. Retrieved February 18, 2015, from http://www.bia.ca/articles/rm-risk-management.htm
Wikipedia. (n.d.). Wikipedia. Retrieved February 15, 2015, from http://en.wikipedia.org/wiki/Qualitative_risk_analysis
Wikipedia. (n.d.). Wikipedia. Retrieved February 18, 2015, from http://en.wikipedia.org/wiki/ISO_31000