A Review of Techniques For Risk Management in Projects
A Review of Techniques For Risk Management in Projects
A Review of Techniques For Risk Management in Projects
www.emeraldinsight.com/1463-5771.htm
BIJ
14,1
22
Abstract
Purpose This paper aims to provide a review of techniques that support risk management in
product development projects using the concurrent engineering (CE) philosophy.
Design/methodology/approach The Australia/New Zealand risk management standard
AS/NZS 4360:1999 proposes a generic framework for risk management. This standard was adapted
for product development projects in the CE environment. In this paper, existing techniques were
reviewed for their applicability to processes in risk management; namely, techniques for establishing
context, risk identification, risk assessment and treatment.
Findings Risk management is an activity within project management that is gaining importance due
to current business environment with a global focus and competition. The techniques reviewed in this
paper are used on an ad hoc basis currently. A more risk focused approach is likely to result in an
integration of several of these techniques, resulting in an increased effectiveness of project management.
Practical implications The techniques reviewed in this paper can be used for the development of
risk management tools for engineering and product development projects.
Originality/value This paper provides a gist of techniques categorized in the form that they are
applicable for implementation of risk management functions in product development projects using
CE philosophy.
Keywords Risk management, Project management, Product development, Risk assessment
Paper type General review
Benchmarking: An International
Journal
Vol. 14 No. 1, 2007
pp. 22-36
q Emerald Group Publishing Limited
1463-5771
DOI 10.1108/14635770710730919
Introduction
Projects are managed through the concurrent engineering (CE) philosophy for faster
time to market and to achieve project objectives through a shorter iterative process. CE is
the development of product and process through simultaneous functions that aims at
reducing time to market, overall development cost and achieve a high product quality
(Salamone, 1995; Caillaud et al., 1999). Owing to the multi-functional nature of teams in
CE, product and process information is shared and a quick overall understanding of the
product and process is developed. This leads to an achievement of the right design in the
first attempt and helps attaining a clarity for the issues in the implementation phase of
the project, resulting in an overall lower developmental cost and a quicker response to
market as compared to a traditional over the wall approach (Jo et al., 1993).
The design process determines product geometry, materials, functional
specifications, machining processes, assembly sequences, tools and equipment
necessary to manufacture a product. Production plans, control tools such as inventory
controls, resource allocations and job scheduling are other important outputs of the
design process. Hence, it can be asserted that design influences to a great extent,
the quality and the cost of the product (Salamone, 1995; Jo et al., 1993). Short comings in
the product design process results in extra costs generated through project delays,
penalties, excess of materials used, labour, additional operations, resource
Techniques for
risk management
in projects
23
BIJ
14,1
Establish the context
Identify risks
Analyze risks
24
Evaluate risks
Assess risks
Figure 1.
Representation of the risk
management process as
per AS/NZS 4360:1999
Treat risks
(1)
(2)
(3)
(4)
start-to-start;
finish-to-finish;
start-to-finish; and
finish-to-start.
The overlapping of activities means that the estimation of project duration is usually
compressed and results in a shorter completion time when compared to PERT. However,
manual computations are tedious, especially for large networks (Badiru, 1996).
Generalized activity networks
A GAN is a graphical representation of the probabilistic branching of activities
(Dawson and Dawson, 1994, 1995, 1998). Uncertainty is represented as alternative
paths with a probability attached to it, providing an illustration of all possible paths or
scenarios that can be described for a project, including loops. GAN also becomes very
complicated when the number of nodes increase, with an added difficulty of
quantification of branching probabilities as an output from every activity node.
Design structure matrices
A design structure matrix (DSM) represents precedence relationships of project tasks on
a square matrix containing equal number of rows and columns representing the number
of tasks (Steward, 1981; Kara et al., 1999; Eppinger et al., 2001). Existence of a precedence
relationship between two tasks is represented through a binary code, with a mark X.
Absence of the mark means that no precedence relationship exists between the two
tasks. DSM depicts three different types of precedence relationships between tasks.
A sequential relation indicates that the precedent task must be completed before the
subsequent task commences. A parallel relationship indicates that two tasks are carried
out independently, while a coupled or a circuit relationship indicates that the two tasks
are interdependent, requiring input from each other (Steward, 1981; Kara et al., 1999;
Eppinger et al., 2001). DSM provides a capability of representing task relationships in a
complex system and lends itself to analysis through matrix manipulations leading to the
isolation of group of coupled tasks. However, decision points are not represented into
the DSM structure and alternative paths are not realized.
IDEF0 functional modelling
IDEF0 is a graphical representation of a system through a functional perspective
(Colquhoun et al., 1993; Sarkis and Lin, 1994; Malmstrom et al., 1999). In IDEF0, a box
represents an activity or a function while arrows represent inputs, outputs, controls
and mechanisms operating on activities and on the project as a whole (Colquhoun et al.,
1993; Sarkis and Lin, 1994; Malmstrom et al., 1999; Ang and Gay, 1993; Kusiak et al.,
1994). An input is a requirement that a functional unit needs to perform, while an
output is the outcome of that function or a combination of functions. Controls are
constraints that dictate functions such as regulatory environment and budget, while
mechanisms are supports that advocate performance of that function such as people,
computer systems and machines. IDEF0 provides an overall view of the project at the
top level and successively more details deeper into subsequent levels. This provides a
model that is relevant to all functional levels in the organization.
Techniques for
risk management
in projects
25
BIJ
14,1
26
diagrams are easy to use, they do not provide a foundation for further analysis such as
relative importance of individual causes of a problem. Hence, cause-and-effect diagrams
are used for deterministic problems in a very specific domain.
Failure mode and effect analysis
Failure mode and effect analysis (FMEA) provides a structure for determining causes,
effects and relationships in a technical system. FMEA is used to determine failures and
malfunctions through exploration of failure modes, consequences of a system
component failure so that solutions for rectifying these problems can be visualized
(Risk Management Standard AS/NZS 4360, 1999; Kumamoto and Henley, 1996; Cross,
2001).
Hazard and operability study
Hazard and operability study (HAZOP) is an extension of FMEA where check words
are applied to process parameters in order to identify safety and operational problems,
usually in new systems (Cross, 2001; Lawley, 1974; Roach and Lees, 1981; Kletz, 1985).
Check words create other perspectives to the overall process and focus attention on
unforeseen areas in the process. In risk management for projects, HAZOP can be
applied by considering project parameters such as strategy, budget and schedule to
identify risk situations.
Fault trees
Fault tree analysis is a visual technique for breaking down failure in the system into
source events (Kumamoto and Henley, 1996; Cross, 2001; Kletz, 1985; Dhillon, 1982;
Birolini, 1993). Fault trees use event and gate symbols to structure cause and effect
relationships of a failure. It is a simple technique and helps in reflecting on logical
sequences that lead to failure. In project risk analysis, this technique is complicated
due to the large number of events and gates; however, it could be used in a smaller
domain to analyse a particular failure.
Event tree
Event tree analysis is a graphical representation of potential consequences arising
from a failure where possible consequences are generated and broken down from an
initial event (Kumamoto and Henley, 1996; Cross, 2001). In project risk analysis its
application is similar to fault tree analysis and works only on small zone of influence of
potentially damaging consequence arising from a risk event.
Techniques for risk analysis
After risk events are identified, their characteristics need to be assessed so that it is
determined whether the risk event is worth further analysis. Once it is decided that a
risk event needs analysis then it needs to be determined whether the risk event
information can be acquired through quantitative or qualitative means. Measurement
metrics for risk also need to be determined so that these metrics can be used for
computation of risk magnitude and risk analysis leading to risk mitigation plans
(Amornsawadwatana et al., 2002).
Risk is measured using two parameters risk probability and risk consequence
(Risk Management Standard AS/NZS 4360, 1999; Chapman and Ward, 1997;
Techniques for
risk management
in projects
27
BIJ
14,1
28
Ward, 1999; Boehm and DeMarco, 1997; Conroy and Soltan, 1998; Duncan, 1996;
Baccarini and Archer, 2001; Patterson and Neailey, 2002; Pyra and Trask, 2002). Risk
probability or likelihood indicates a chance of a risk event occurring while risk
consequence, severity or impact represents an outcome generated from the risk event.
Risk magnitude is the product of risk probability and consequence. To measure risk
magnitude, probability and consequence of a risk event needs to be determined, which
constitute the risk assessment function.
In practice, the risk quantities are either quantitative or qualitative in nature. The
quantitative approach to determination of risk parameters requires analysis of
historical data through statistical analysis. In many instances, quantitative data is
hard to achieve and is restricted to very small domain of the problem where historical
trends could be sustained. An example of quantitative data for determining risk
consequence is a historical record of money spent on correcting non-compliance of
tooling usually used in fabrication of the type product being currently developed.
Though, the risk may not eventuate, there is a fair estimate of the cost of the risk
actually eventuating. Quantitative data is not always available when needed or not in
the form required, hence a qualitative approach using subjective assessment
techniques are often more appropriate for risk management. The subjective approach
utilizes mainly the relative measures of human judgments, feelings and opinions in
comparison to ideal situations. Though the subjective approach is influenced by
individual bias, preferences and expertise, it provides a basis for risk assessment
where it is more important to highlight risk events that are possible, rather than an
exact prediction of a catastrophic event. An example of qualitative assessment is that
the impact of the non-conformance of a fabrication tool to be used in the project is very
high, but the chance of such an eventuality is very low. Though, the terms very high
and very low can be represented on a nominal scale, it is not an exact measure.
Organisations employ qualitative assessment techniques to identify risk because an
expert opinion is the best source available, rather than an unreliable quantity.
Techniques for risk analysis
The function of risk analysis is to determine influence of risk factors on the system as a
whole. Risk events form a cumulative effect on one or more aspects of the project and it
is easier to mitigate risk events if they can be bunched in groups and preferably dealt
at a higher level in the long run than focusing on one particular risk event, in which
case the project is likely to be micro-managed. Several techniques in the literature that
are currently applied for project analysis can also be applied for risk analysis.
These are summarized in this section.
Probability and impact grids
Risk events represented on a grid consisting of probability on one axis and impacts on
another are often used to define threshold regions on the grid, which represent high
risk events based on past experience or organizational procedures (Risk Management
Standard AS/NZS 4360, 1999; Chapman and Ward, 1997; Ward, 1999; Pyra and Trask,
2002; Stewart and Melchers, 1997; Royer, 2000). Probability and impact grids provide a
simple format for showing relative importance of risk events. Figure 2 shows an
example of a probability and impact grid (Royer, 2000).
Techniques for
risk management
in projects
29
Impact
1
3
3
Likelihood
Figure 2.
Probability and
impact grid
BIJ
14,1
30
Invest
Figure 3.
Decision tree analysis
0.6
$120,000
0.4
$50,000
Do not invest
$0
Techniques for
risk management
in projects
31
Risk mitigation
Risk events diminish project objectives when harmful effects realize due to unforeseen
circumstances. Risk management attempts at studying in detail, all aspects of project
management, so that all controllable events have an action plan or a risk mitigation
plan. A reactive approach or a feed back approach refers to risk mitigation actions
initiated after risk events eventuate and can be seen as initiation of contingency plans.
On the other hand, a pro-active approach or a feed forward approach refers to actions
initiated based on chance of a risk event occurring, such as insurance (Kartam and
Kartam, 2001; DeMaio et al., 1994). A combination of these two approaches is applied to
risk management to avoid risk, reduce the likelihood of risk, reduce the impact of risk,
transfer risk, or to retain the risk (Risk Management Standard AS/NZS 4360, 1999).
Context
Establishment
Risk
Identification
Prior Risk
Knowledge
(Repository)
Risk Analysis
Qualitative &
Quantitative
Measures
Risk
Evaluation
Decision
Support
Systems
Treat Risks
Risk
Mitigation
Planning
Figure 4.
Framework for risk
management tools
BIJ
14,1
32
paper and the result is an establishment of a risk structure that will facilitate the
subsequent functions in the risk management process. For example, in process
focussed risk management context, the risk model could be a process model. Then,
information features such as technical, financial, schedule, organisational, etc.
aspects may be tagged to the process units to provide a relevance for risk
assessment. A risk query mechanism may then be formulated through techniques
presented fourth section and imposed on the process model through interactive or
collaborative interfaces to collect quantitative and qualitative data as described in
fifth section. The risk evaluation consists of decision support systems using
techniques presented in sixth section of this paper. Risks worth investigating
further due to their high chance of occurring or high potential impacts or
leading to new opportunities are then pursued leading to being treated. This whole
process of risk management is collaborative and requires incremental contributions
from all participants within the organization and supplementing project
management approach, which is more proactive.
Conclusions
Project risk management endeavours to supplement project management practices
by investigating project structure, organizational environment, external
environment, products, processes and procedures in detail. It further, supplements
the existing knowledge with lessons learnt, best business practices, industry
benchmarks and case studies such that risk mitigation plans are in place when risk
events do eventuate. This prevents crisis situations and also provides future
avenues for opportunities.
This paper presents techniques that are commonly used in project management
and elsewhere, outlining their usefulness to project risk management, especially in
CE projects. These techniques add to an understanding of risk management
functions and build on team communication and collaboration, not necessarily
completely dependent on a collaborative computer network or a computer
application. All the techniques presented in this paper have their own
characteristics and a specific realm of application. As such, a combination of these
techniques is likely to fulfil most needs for risk management by a project team and
evolve tools that are tailored for their needs but are generic in structure. Several
software tools are also commercially available for risk management, but they address
only a specific aspect of risk management using limited number of techniques
presented in this paper. The framework for risk management tools presented in this
paper provides an integrated approach to risk management in projects that can be
used for development of risk management tools that suit specific domain but are
generic in structure and may or may not be in the form of computer applications.
Current state of development in hardware and software technology enables
integration of applications for the techniques presented in this paper. There are many
risk management tools commercially available to support project management but
tend to address either a limited scope of application or limited processes in risk
management. Future developments in integrated and generic tools will lead to
widespread use of risk management principles in project management, retain
organisational knowledge and provide a competitive business edge.
References
Ahmed, A. et al. (2003a), A conceptual framework for risk analysis in concurrent engineering,
(R1.6 Paper No. 86), Proceedings of the 17th International Conference on Production
Research, 4-7 August, Blacksburg, Virginia, USA.
Ahmed, A., Amornsawadwatana, S. and Kayis, B. (2003b), Application of ARENA simulation to
risk assessment in concurrent engineering projects, Proceedings of the 9th International
Conference on Manufacturing Excellence - ICME, 13-15 October, Melbourne, Australia.
Amornsawadwatana, S. et al. (2002), Risk mitigation investment in concurrent design process,
Proceedings of the International Conference on Manufacturing Automation ICMA, Hong
Kong, China, Professional Engineering Publishing Ltd, Suffolk.
Ang, C.L. and Gay, R.K.L. (1993), IDEF0 modelling for project risk assessment, Computer in
Industry, Vol. 22, pp. 31-45.
Baccarini, D. and Archer, R. (2001), The risk ranking of projects: a methodology, International
Journal of Project Management, Vol. 19 No. 3, pp. 139-45.
Badiru, A.B. (1993), Scheduling of concurrent manufacturing projects, in Parasaei, H.R. and
Sullivan, W.G. (Eds), Concurrent Engineering: Contemporary Issues and Modern Design
Tools, Chapman & Hall, London, pp. 93-109.
Badiru, A.B. (1996), Project Management in Manufacturing and High Technology Operations,
Wiley, New York, NY.
Berny, J. and Townsend, P.R.F. (1993), Macrosimulation of project risks a practical way
forward, Risk Management, Vol. 11 No. 4, pp. 201-8.
Birolini, A. (1993), Design for reliability, in Kusiak, A. (Ed.), Concurrent Engineering:
Automation, Tools, and Techniques, Wiley, New York, NY, pp. 307-47.
Boehm, B.W. and DeMarco, T. (1997), Software risk management, IEEE Software, Vol. 14 No. 3,
pp. 17-19.
Caillaud, E. et al., (1999), A framework for a knowledge-based system to risk management in
concurrent engineering, Concurrent Engineering: Research and Applications, Vol. 7 No. 3,
pp. 257-67.
Chapman, C.B. and Ward, S.C. (1997), Project Risk Management: Processes, Techniques and
Insights, Wiley, Chichester.
Clarke, C.J. and Varma, S. (1999), Strategic risk management: the new competitive edge, Long
Range Planning, Vol. 32 No. 4, pp. 414-24.
Clemen, R.T. (1996), Making Hard Decisions: An Introduction to Decision Analysis, Druxbury
Press, New York, NY.
Clemen, R.T. and Reilly, T. (2001), Making Hard Decisions with Decision Tools, Druxbury
Thomson Learning, Toronto.
Colquhoun, G.J., Baines, R.W. and Crossley, R. (1993), A state of the art review of IDEF0,
International Journal of Computer Integrated Manufacturing, Vol. 6 No. 4, pp. 252-64.
Conroy, G. and Soltan, H. (1998), ConSERV, a project specific risk management concept,
International Journal of Project Management, Vol. 16 No. 6, pp. 353-66.
Cross, J. (2001) Lecture Notes for SESC9211: Risk Management, School of Safety Science,
The University of New South Wales, Sydney.
Dawson, C.W. and Dawson, R.J. (1995), Generalised activity-on-the-node networks for managing
uncertainty in projects, International Journal of Project Management, Vol. 13 No. 6,
pp. 353-62.
Techniques for
risk management
in projects
33
BIJ
14,1
Dawson, R.J. and Dawson, C.W. (1994), Clarification of node representation in generalised
activity networks for practical project management, International Journal of Project
Management, Vol. 12 No. 2, pp. 81-8.
Dawson, R.J. and Dawson, C.W. (1998), Practical proposals for managing uncertainty and risk in
project planning, International Journal of Project Management, Vol. 16 No. 5, pp. 299-310.
34
DeMaio, A., Verganti, R. and Corso, M. (1994), A multi-project management framework for new
product development, European Journal of Operational Research, Vol. 78 No. 2, pp. 178-91.
Dhillon, B.S. (1982), Reliability Engineering in Systems Design and Operation, Van Nostrand
Reinhold Company, New York, NY.
Dickinson, M.W., Thornton, A.C. and Graves, S. (2001), Technology portfolio management:
optimizing interdependent projects over multiple time periods, IEEE Transactions on
Engineering Management, Vol. 48 No. 4, pp. 518-27.
Duncan, W.R. (1996), A Guide to the Project Management Body of Knowledge, Project
Management Institute, Newtown Square, PA, pp. 111-21.
Eppinger, S.D. et al. (2001), DSM tutorial, available at: http://web.mit.edu/dsm/Tutorial/
tutorial.htm
Henley, E.J. and Kumamoto, H. (1991), Probabilistic Risk Assessment: Reliability Engineering,
Design and Analysis, IEEE Press, New York, NY.
Jaafari, A. (2001), Management of risks, uncertainties and opportunities on projects: time for a
fundamental shift, International Journal of Project Management, Vol. 19 No. 2, pp. 89-101.
Jo, H.H., Parasaei, H.R. and Sullivan, W.G. (1993), Principles of concurrent engineering,
in Parasaei, H.R. and Sullivan, W.G. (Eds), Concurrent Engineering: Contemporary Issues
and Modern Design Tools, Chapman & Hall, London, pp. 3-23.
Kara, S., Kayis, B. and Kaebernick, H. (1999), Modelling concurrent engineering project under
uncertainty, Concurrent Engineering: Research and Applications, Vol. 7 No. 3, pp. 269-74.
Kartam, N.A. and Kartam, S.A. (2001), Risk and its management in the Kuwaiti construction
industry: contractors perspective, International Journal of Project Management, Vol. 19
No. 6, pp. 325-35.
Kletz, T.A. (1985), Eliminating potential process hazards, Chemical Engineering, Vol. 92 No. 4,
pp. 48-68.
Kumamoto, H. and Henley, E.J. (1996), Probabilistic Risk Assessment and Management for
Engineers and Scientists, IEEE Press, Piscataway, NJ.
Kusiak, A. and Zakarian, A. (1996), Reliability evaluation of process models, IEEE
Transactions on Components, Packaging and Manufacturing Technology Part A, Vol. 19
No. 2, pp. 268-75.
Kusiak, A., Larson, T.N. and Wang, J. (1994), Reengineering of design and manufacturing
processes, Computers & Industrial Engineering, Vol. 26 No. 3, pp. 521-36.
Larson, N. and Kusiak, A. (1996a), Managing design processes: a risk assessment approach,
IEEE Transactions on System, Man and Cypernetics Part A: Systems and Humans,
Vol. 26 No. 6, pp. 749-59.
Larson, N. and Kusiak, A. (1996b), System reliability methods for analysis of process models,
Journal of Integrated Computer-Aided Engineering, Vol. 3 No. 4, pp. 279-90.
Lawley, H.G. (1974), Operability studies and hazard analysis, Chemical Engineering Progress,
Vol. 70 No. 4, pp. 45-56.
Malmstrom, J., Pikosz, P. and Malmquist, J. (1999), Complementary roles of IDEF0 and DSM for
the modelling information management process, Concurrent Engineering: Research and
Applications, Vol. 7 No. 2, pp. 95-103.
Mayer, R.J. et al. (1995), Information integration for concurrent engineering (IICE), IDEF3
Process Capture Method Report, Human Resources Directorate Logistics Research
Division, Armstrong Laboratory, Wright-Patterson AFB, OH.
Patterson, F.D. and Neailey, K. (2002), A risk register database system to aid the
management of project risk, International Journal of Project Management, Vol. 20 No. 5,
pp. 365-74.
Perry, J.G. (1986), Risk management an approach for project managers, Project Management,
Vol. 4 No. 4, pp. 211-6.
Perry, J.G. and Haynes, R.W. (1985), Risk and its management in construction projects,
Proceedings of Institution of Civil Engineers, pp. 499-521.
Pyra, J. and Trask, J. (2002), Risk management post analysis: gauging the success of a simple
strategy in a complex project, Project Management Journal, Vol. 33 No. 2, pp. 41-8.
Raftery, J. (1994), Risk Analysis in Project Management, Chapman & Hall, London.
Remenyi, D. and Heafield, A. (1996), Business process re-engineering: some aspects of how to
evaluate and manage the risk exposure, International Journal of Project Management,
Vol. 14 No. 6, pp. 349-57.
Risk Management Standard AS/NZS 4360 (1999) Risk Management Standard AS/NZS 4360,
Standards Association of Australia, Sydney.
Roach, J.R. and Lees, F.P. (1981), Some features of and activities in hazard and operability
(Hazop) studies, The Chemical Engineer, October, pp. 456-62.
Royer, P.S. (2000), Risk management: the undiscovered dimension of project management,
Project Management Journal, Vol. 31 No. 1, pp. 6-13.
Russell, R.S. and Taylor, B.W. III (2000), Operations Management, Prentice-Hall Inc.,
Upper Saddle River, NJ.
Salamone, T.A. (1995), What Every Engineer Should Know About Concurrent Engineering,
Marcel Dekker, New York, NY.
Sarkis, J. and Lin, L. (1994), An IDEF0 functional planning model for the strategic
implementation of CIM systems, International Journal of Computer Integrated
Manufacturing, Vol. 7 No. 2, pp. 100-15.
Steward, D.V. (1981), Systems Analysis and Management: Structure, Strategy and Design,
Petrocelli Books Inc., New York, NY.
Stewart, M.G. and Melchers, R.E. (1997), Probabilistic Risk Assessment of Engineering Systems,
Chapman & Hall, London.
Taha, H.A. (1997), Operations Research: An Introduction, Prentice-Hall, Upper Saddle River,
NJ.
Tavares, L.V. (2002), A review of the contribution of operational research to project
management, European Journal of Operational Research, Vol. 136 No. 1, pp. 1-18.
Ward, S.C. (1999), Assessing and managing important risks, International Journal of Project
Management, Vol. 17 No. 6, pp. 331-6.
Webb, A. (1994), Managing Innovative Projects, Chapman & Hall, London.
Wiest, J.D. (1981), Precedence diagramming methods: some unusual characteristics and their
implications for project managers, Journal of Operations Management, Vol. 1 No. 3,
pp. 121-30.
Techniques for
risk management
in projects
35
BIJ
14,1
36