Project Risk and procurement -Assignment 1

Project Risk and procurement - Assignment 1

MSc. Procurement, Logistics, and Supply Chain Management

Student: @00429168 22-Feb-15

Table of Contents 1. Introduction ................................................................................................................. 3

2. Definition of risk: ........................................................................................................ 3

3. Conclusion ................................................................................................................. 14

4. References ................................................................................................................. 15

1. Introduction

In the last two decades, the world economy has significant changes on how organizations

are managed and new strategies has been introduced and implemented to successfully

manage and deliver the projects within schedule and budget allocated. One of the most

important factors that affect the project execution and cause a loss and fail is risk factor.

After the global financial crisis in 2008, global organizations started focusing on risk

management and the importance of analysing and controlling the risks in their premises

and projects. Many strategies and standards for risk management have been developed

and implemented to form part of any successful organization. Also, the proper and

successful planning of any project shall consider the potential impact of all types of risks

on all activities during the life of project and shall provide the ways to reduce project

risk.

In this paper we will demonstrate the concept of risk, how it can be measured and ranked,

and how a project risk management strategy may be constructed

2. Definition of risk:

The Risk is part of our lives and exists in many forms whether considered as small or

high risk. Most of us have the risks on daily basis (i.e. in work, while driving, eating,

playing, travelling by plane / boat, etc.). Risk can be personal risk, social risk, business

risk, financial risk, etc. Hence, there are many definitions for risk and how it can be

managed.

The risk can impact any activity during project in the short, medium and long term.

Risk can be defined as “an uncertain event or condition that, if it occurs, has an effect on

project objectives”. Effect may be positive or negative impact. (Salford, Project Risk and

Procurement Management, 2015)

The definition of risk set out in ISO 31000:2009, Risk management - Guide 73 is that risk

is the “effect of uncertainty on objectives”. (Management) (The Institute of Risk Management).

An effect may be positive, negative or a deviation from the expected, and that risk is

often described by an event, a change in circumstances or a consequence. The negative

events can be classified as risks while positive events are classified as opportunities.

The PRINCE2 definition of risk is „uncertain event or set of events that, should it occur,

will have an effect on the achievement of objectives‟ (primer)

http://www.prince2primer.com/

The OHSAS defined the risk as the “combination of the likelihood of an occurrence of a

hazard event or exposure and the severity of injury or ill health that may be caused by the

event or exposure.” (Expert, 2015)

The risk in any organization / project can be internally or externally. For example, the

data base of any organization especially the sensitive data related to employees, contracts,

financial statements, and the like can be at risk from both internally and externally. The

internal risk can be by disclosing the data to external source through employee without

authorization from the organization. External risk can be by accessing the data due to non

protection by IT department of that organization. Such access to the data can highly

impact the operation of the organization and its employees and can affect the future

vision, relationship with other organization, and cause a threat on all levels.

Risk Management:

INVESTOPEDIA explains Risk Management that is “the process of assessing, managing

and mitigating losses”. (Investopedia, 2015)

Another definition for Risk Management by Michael Stanleigh is “The process of

identifying, analyzing and responding to risk factors throughout the life of a project and

in the best interests of its objective”. (Stanleigh, 2015)

OHSAS defines the Risk assessment as the “process of evaluating the risks arising from a

hazard, taking into account the adequacy of any existing controls, and deciding whether

or not the risk is acceptable.” (Expert, 2015)

In order to identify the risk, assess, control and managed it, a process to be initiated by

organizations regardless their sizes to successfully deliver the projects with minimum

losses, injuries, cost, etc.

The idea of identifying and managing the risk is to provide a system that allows the

organization and project to avoid or minimize the effect of risk identified with cost-

effective approaches.

http://www.bia.ca/associate-michael-stanleigh2.htm

The process cycles of risk management are as below:

Risk Identification

Risk Analysis

Risk Response

Risk monitoring and control

(Salford, 2015)

Risk Identification:

The first step in risk management process is identifying the risk. The project team and/or

risk professionals shall identify all of the possible risks that might affect the success of

the project.

The risk identification may include the following 10 Ps of risk management to have a

comprehensive list or as per project requirements. . The 10 Ps are as follows:

- Physical properties – premises/product/purchasing supplies

- People elements – people/procedures they follow/protection

- Actions or processes – processes/performance against targets

- Management issues – policy and strategy/planning and organizing. (Jeynes, 2012)

Example: Microsoft announced before two years that they will stop the technical support

for windows XP. The organization I worked for started upgrading the windows on their

systems to the latest versions. One of the programs we are using in procurement is JD

Edwards Oracle system. After upgrading the operating system, the JD Edward version

causes technical issues with new version of windows so the decision was to upgrade the

JDE to the latest version as well. Below listed are some risks involved in this project:

- Compatibility of new system with the installed operating system

- Data base losses during system upgrade

- Delays on system upgrade completion date due to technical issues

- Adequate IT staff to complete the task

- Availability of technical support from oracle during system upgrade when

required

- Training of company staff after completion of system upgrade

- Unsuccessful of system upgrade and the ability to use the old system again

- Availability of alternative power supply and ups in case electrical power is down

- Availability of staff for night shift during system upgrade

Risk Analysis:

Once the project risks are identified and listed by project team and/or risk professional,

the analysis of risk shall start

The risk analysis is based on the attitude of the person who is involved in the assessment.

The culture can indicate how the person will act against identified risks.

There are risk seekers (lover) who would like to take the risks, risk adverse (avoider)

who‟s avoiding the risks. The project managers seeking usually to have balancing risks

and rewards (risk neutral). (Salford, 2015)

Risk analysis can be verified by using two techniques:

- Qualitative analysis

- Quantitative analysis (Salford, 2015)

Qualitative analysis:

Qualitative analysis can be defined as the technique concerned with discovering the

probability of a risk event occurring and the impact the risk will have if it does occur.

The qualitative risk analysis prioritizes the identified project risks using a pre-defined

rating scale.

The qualitative analysis based on several techniques to determine the probability and

impact of risk. For instance, brainstorming, historical data by consulting educated opinion

and expert judgement, etc. (Wikipedia)

One of the techniques is using the risk matrix. The risk matrix examines identified risks

from the viewpoint of probability (i.e. the chance of something happening) and

consequence (i.e. the impact if that something happens). (Salford, 2015)

The project team based on this technique shall start analyzing the defined risks and

specify the importance of each risk and the impact on project if it occurs. The team can

rank the impact on project using the category “High to Low”. Significant impact of

identified risk can be ranked as High, while the low category can be ranked if the risk can

be occurred on extreme condition.

Another risk matrix can be used based on numbering by replacing the categories (H, M,

L) to numbers from (1-5) or above and then multiple the numbers to get a risk number.

http://en.wikipedia.org/wiki/Probability

http://en.wikipedia.org/wiki/Risk

The high score of risk number is; the importance and action required is higher. (Salford,

2015).

Example: using the same example mentioned in Risk identification, the importance of

risk can be ranked as below:

Compatibility of new system with the installed operating system. Medium

Data base losses during system upgrade. High

Delays on system upgrade completion date due to technical issues. High

Adequate IT staff to complete the task. Low

Availability of technical support from oracle during system upgrade when required.

Medium Training of company staff after completion of system upgrade. Low

Unsuccessful of system upgrade and the ability to use the old system again. Medium

Availability of alternative power supply and ups in case electrical power is down.

Medium Availability of staff for night shift during system upgrade. Low

Below is risk analysis using the category risk matrix which reflect the result above

Risk ID Risk Description Impact/Probability

Low Medium High

1 Compatibility of new system with the installed

operating system M

2 Data base losses during system upgrade H

3 Delays on system upgrade completion date due to

technical issues H

4 Adequate IT staff to complete the task L

5 Availability of technical support from oracle during

system upgrade when required M

6 Training of company staff after completion of system

upgrade L

7 Unsuccessful of system upgrade and the ability to use

the old system again M

8 Availability of alternative power supply and ups in case

electrical power is down M

9 Availability of staff for night shift during system

upgrade L

Table 1: Category risk matrix

Below is risk analysis using the number risk matrix

Risk ID Risk Description Probability (1-5)

Impact (1-5)

Value


operating system 2 4 8

2 Data base losses during system upgrade 3 5 15


technical issues 4 3 12

4 Adequate IT staff to complete the task 2 2 4


system upgrade when required 2 3 6


upgrade 2 2 4


the old system again 3 4 12


electrical power is down 2 3 6


upgrade 2 2 4

Table 2: Number risk matrix

The project team based on above ranking shall start prioritizing the risks in order to

prepare the action plan and monitor the risks

Quantitative analysis:

A quantitative risk analysis is a further analysis of the highest priority risks during a

which a numerical or quantitative rating is assigned in order to develop a probabilistic

analysis of the project.

A quantitative analysis:

- quantifies the possible outcomes for the project and assesses the probability of

achieving specific project objectives

- Provides a quantitative approach to making decisions when there is uncertainty

- Creates realistic and achievable cost, schedule or scope targets. (Belinda)

Quantitative risk analysis is the decision tree which is a visual representation of the

choices, probabilities and consequences we are facing. (Salford, 2015)

Quantitative risk analysis tends to deal with the avoidance of low probability events with

serious consequences to the plant and the surrounding environment. (Executive)

Below is risk analysis sample using the decision tree model

Figure 1: Simple Decision Tree Model. (Salford, 2015)

Risk response:

After identifying and analysing / assessing the potential risks which may affect the

project execution, the project team shall prepare the action plan on how to respond to the

assessed risks.

The strategy of risk response is to start with the high impact risk leading to low impact

risk. The project team shall decide the criteria of how to respond to each potential risk

and what is the urgency of response required.

The risk responses are divided into two categories, negative risks (threats) and positive

risks (opportunities).

The PRINCE2 suggests nine response categories that may be chosen for both threats and

opportunities:

Risk responses for threats are:

Risk Avoidance

Risk Share

Risk Reduce (mitigate)

Risk Acceptance

Fallback (contingent action)

Risk Transference

Risk responses for opportunities are:

Risk Share

Risk Enhance

Risk Exploit

Risk Reject

As PRINCE2 indicated that which response the project team choose should be based on a

balance between the cost and time investment of a particular response and the probability

and impact (including risk severity) of the risk, and included within the risk management

strategy. (primer)

The ISO 31000:2009 gives a list on how to deal with risk:

1. Avoiding the risk by deciding not to start or continue with the activity that gives

rise to the risk

2. Accepting or increasing the risk in order to pursue an opportunity

3. Removing the risk source

4. Changing the likelihood

5. Changing the consequences

6. Sharing the risk with another party or parties (including contracts and risk

financing)

7. Retaining the risk by informed decision. (Wikipedia, Wikipedia)

Example:

Below is risk response matrix for above example

Risk ID Risk Description Consequences Strategy


operating system System not working Avoidance

2 Data base losses during system upgrade Loss in company data Avoidance


technical issues delay on system launch mitigate

4 Adequate IT staff to complete the task delay on system launch accept


system upgrade when required delay on system launch accept


upgrade

delay in company operation

mitigate


the old system again

system not working, stop

the operation of company Avoidance


electrical power is down delay in system launch mitigate


upgrade delay in system launch accept

Table 3: Risk response matrix

Risk monitoring and control:

Risk Control is an action/device/strategy intended to eliminate/alleviate/ reduce the

negative impact on the business or individual of a situation or event. (Jeynes, 2012)

Risk monitoring and control form part of the risk response. For instance, injury of labours

during construction is a risk; the response is to mitigate the injury and loss by initiating a safety programs that seek solely to reduce losses. Continue inducting the safety program

and control the risk will lead by time to minimise it and reach to zero level injuries.

Example: in my organization, we have an HSE department looking for all potential risks

arises in all levels. One of their tasks is to control and reduce the loss and injury during

project construction. This control has lead the organization to exploit the risk to be one of

the opportunities by breaking the records and reach to 25 million hours without LTI. This

achievement put the organization on top of the safest organizations in the country.

The action plan prepared to respond to project risks shall be reviewed before and after the

implementation and project team shall make revisions and updates on the risks included

in the plan.

Risk management is a continuous process. Therefore, in order to keep tracking the

process and controlling the risk during the life of the project, project risk team can use the

technique of top ten risk tracking.

Top ten risk tracking technique is to maintain awareness of risks throughout the life of a

project.

Establishes a periodic review of the top 10 project risk items

Lists the current ranking, the previous ranking, number of times the risk appears on the

list over time, and summarizes the progress made in resolving the risk item. (Salford,

2015)

After preparing the top ten risk tracking, project team shall create a risk register

document, which acts as a permanent record of project risks.

Document contains the results of various risk management processes: often displayed in a

table or spreadsheet. It contains a list of the risks, ranking of the risks and information

about these risks. It is also used to manage risk and to store all the information pertinent

to risk managing the project in one place so that it can be accessed and used to manage

future projects. (Salford, 2015)

The PRINCE2 defined the risk register as a project management tool used to contain

information on all of the identified threats and opportunities within a project. It will

contain information such as the category and description of the risk, its probability,

impact and expected value, its proximity and risk responses, its current status and the risk

owner. Project support will normally maintain this for the project manager. (primer,

Prince2 primer)

Below is risk register for above sample

Risk ID Risk Description Consequences Strategy Probability Action

1 Compatibility of new system

with the installed operating

system

System not

working Avoidance 2

insure that system installed

are compatible to operating

system

2 Data base losses during system

upgrade

Loss in

company data Avoidance 3

take backups for all data in

the system

3 Delays on system upgrade

completion date due to technical

issues

delay on

system launch mitigate 4

make backup plan to start

before schedule and solve

the technical issue as fast

as possible

4 Adequate IT staff to complete

the task

delay on

system launch accept 2 prepare staff on call basis

5 Availability of technical support

from oracle during system

upgrade when required

delay on

system launch accept 2

insure that oracle team are

available during system

upgrade

6 Training of company staff after

completion of system upgrade

delay in

company

operation

mitigate 2 provide intensive classes

before and during system

upgrade

7 Unsuccessful of system upgrade

and the ability to use the old

system again

system not

working, stop

the operation

of company

Avoidance 3

keep the old system

working until system

successfully upgraded and

tested

8 Availability of alternative power

supply and ups in case electrical

power is down

delay in

system launch mitigate 2

provide generators and ups

near the location of servers

9 Availability of staff for night

shift during system upgrade

delay in

system launch accept 2

prepare staff on call basis

and replacement where

necessary

Table 4: Risk register

Project risk management strategy:

From the above comprehensive analysis to project risk and risk management, the risk

management strategy determine how risks will be handled during the project.

Risk management strategy starts with identifying the risk, measure it, plan how to

respond and the action required and by whom, and implementing the strategy.

Below chart illustrate the risk management strategy as defined by PRINCE2

Figure 2: Risk management strategy chart (primer, Prince2 primer)

Case study:

In 2011, I was working as lead procurement in one of mega projects in UAE, as part of

the project we have to build a control building to monitor the process of plant. One of the

tasks was to provide complete fitout solution to control room which is the core of the

project.

After analysing the package we found that budget allocated was 5 million dollars while

the proposals received from bidders around 12 million dollars. This was big loss on the

http://www.prince2primer.com/risk-management-strategy


project and formed a high risk factor which will affect project cash flow. We had a

meeting with all concerns and raised the alarm that a big loss expected from this package.

After identifying and assessing the risk, myself and project director decided to take a risk

and provide alternative solution from overseas. We have contacted many factories in

Europe and found a very good solution that will match the project budget. The other risk

involved was the logistics as long as the material quality. The risk response was to accept

the risk and control it by providing samples from different countries and assemble the

system on site, as well as instruct the factories to provide warranties and defect liabilities.

We have successfully completed the task with no impact on budget or project schedule.

This risk considered as positive risk and project team exploit it to the benefit of the

project.

3. Conclusion

The project risk and risk management and their strategies form part of project execution

plan. The projects do not involve project risks and implement the responses on findings

shall fail to deliver the project objectives.

Project risk management can be summarized to main four steps:

Risk identification.

Risk analysis and evaluation

Risk control (determination of control)

Risk management (implementation).

4. References

Bibliography Belinda. (n.d.). Passionatepm. Retrieved February 17, 2015, from

http://www.passionatepm.com/blog/qualitative-risk-analysis-vs-quantitative-risk-analysis-pmp-

concept-1

Executive, H. a. (n.d.). Health and Safety Executive. Retrieved February 20, 2015, from

www.hse.gov.uk/quarries/education/.../topic5.ppt

Expert, O. 1. (2015). OHSAS 18001 Expert. Retrieved February 20, 2015, from

http://ohsas18001expert.com/2007/07/14/new-requirements-for-risk-assessment/

Investopedia. (2015). Retrieved February 19, 2015, from Investopedia:

http://www.investopedia.com/terms/r/riskmanagement.asp

Jeynes, J. (2012). Risk Management: 10 Principles. Woburn: Butterworth-Heinemann.

Management, T. I. (n.d.). Retrieved February 21, 2015, from

https://www.theirm.org/media/886062/ISO3100_doc.pdf

primer, P. (n.d.). Retrieved February 20, 2015, from Prince2 primer:


primer, P. (n.d.). Prince2 primer. Retrieved February 20, 2015, from

http://www.prince2primer.com/managing-prince2-project-risk

Salford, U. o. (2015). Project Risk and Procurement Management. University of Salford.

Stanleigh, M. (2015). Business Improvement Architects. Retrieved February 18, 2015, from

http://www.bia.ca/articles/rm-risk-management.htm

Wikipedia. (n.d.). Wikipedia. Retrieved February 15, 2015, from

http://en.wikipedia.org/wiki/Qualitative_risk_analysis

Wikipedia. (n.d.). Wikipedia. Retrieved February 18, 2015, from

http://en.wikipedia.org/wiki/ISO_31000

Project Risk and procurement -Assignment 1

Documents

Transcript of Project Risk and procurement -Assignment 1