Risk Assessment Methods in Projects

Introduction to the Study

Risk assessment is a stage in the risk management process that is concerned with the determination of both quantitative and qualitative risks in a particular project. Risk assessment in various contexts involves the objective evaluation of risk where the uncertainties and assumptions that exist in a particular situation are identified and presented for assessment. Risk assessment is an important step in risk analysis procedures as it enables the risk analyst to determine the appropriate risk assessment tool that will be used in the project. There is no one risk assessment method that is deemed suitable for the assessment process and the selection of a risk assessment tool will therefore depend on the depth of the risk analysis that is required to assess the project risk as well as the complexity of the risk to the project (Anbari 2005).

Risk assessment methods are important in projects as they ensure that the appropriate method has been chosen in the assessment of the project’s risks. There are usually a large amount of risks at the start of any project that result from the uncertainty of how the project will begin and end. Once a project is implemented, the various stakeholders of the project become exposed to the projects risks since the major decisions of the project have already been made. When the work has started, the level of risk exposure continues to decrease as the project nears its set target for completion. Projects with short life cycles are likely to have lower levels of risk when compared to projects with long lifecycles because the risk exposure for projects with long lifecycles continues to increase as refurbishment and maintenance work threatens the operational performance of the project’s tasks (Smith et al 2006).

Qualitative and Quantitative Risk Assessment Methods

The level of risk in a project is usually a combination of the probability of the risk occurring and the impact that the risk will have on the project should it occur. The assessment of the risk can either involve the use of qualitative or quantitative methods of risk assessment. The qualitative risk assessment is viewed to be the most useful phase of the risk management process as it lays the foundation for all the other stages that are included in risk management. The basic techniques that are incorporated in the assessment and analysis of risks under the qualitative approach include the identification of the risk, risk assessment, the ranking of the risk, sorting and classification and the determination of risk occurrence probabilities and the impact of the risk (Smith et al 2006).

Qualitative methods are usually used to perform the initial assessment of the risk within a project that has cost and time constraints. These methods of risk assessment are also used when there is insufficient information about the risk which can be used to conduct the risk assessment. The factors that need to be considered when using a qualitative risk assessment tool will be choosing the right people to conduct the risk assessment, using suitable procedures to ensure judgement has been used consistently in the process and the use of key indicators and loss analysis to make decisions during the risk assessment process (Reeves 2010).

The risk assessment tools that incorporate qualitative techniques of managing and assessing risks within a project include checklists or risk registers where the potential risks to a project are identified and recorded in a risk register after which they are checked off once they have been appropriately assessed and controlled. Another risk assessment tool that involves the use of qualitative assessment techniques is the priority tables where the risks to a project are categorised according to their priority. Probability impact tables are other qualitative assessment tools that are used to determine the probability of a risk occurring during the lifecycle of the project. The risks in the probability impact table are categorised according to their probability of occurring and also the impact that they will have on the project (Smith et al 2006).

A quantitative risk assessment provides a quantitative estimation of the risks that are under assessment in the risk analysis process. A quantitative risk estimation will involve calculating the two components of a risk which include R, L and p. R represents the risk itself while L represents the magnitude of the potential loss caused by the risk should it occur. The probability that the risk will occur will be represented by the symbol p. A quantitative risk assessment provides the risk assessor with a number of tools and methodologies that can be used for identifying the risks. The main objective of a quantitative risk assessment is to be able to prioritise risks according to their potential for occurrence and also the urgency of the risk where risks that have a higher probability of occurring are given a higher priority (Vose 2008).

The risk assessment tools that are used in the quantitative assessment of risks in projects include the sensitivity analysis of the risks and their impact on the project. A sensitivity analysis of the projects risks will involve determining the variation and uncertainty of the output of the project in a quantitative way. Sensitivity analysis involves changing the parameters of a project to determine what effects such changes will have on the management of potential risks. Another quantitative risk assessment tool that is used in the assessment process is the scenario analysis technique where the possible future outcomes of the project are considered by providing alternative outcomes or scenarios that will determine the impact of the risks to the project. Probabilistic risk analysis (PRA) is another quantitative risk assessment tool that involves the use of systematic and comprehensive methodologies to evaluate the risks that are related with complex projects. The PRA risk assessment tool assesses the magnitude or severity of the risk as well as the probability of the risk occurring (Smith et al 2006).

The various issues that are considered when conducting a qualitative assessment of risks will involve a brief description of the risk, identification of when the risk might occur during the lifecycle of the project, determination of the elements of the project that will be affected by the risk, the factors that will influence the occurrence of the risk, the relationship the risk has with other factors and the likelihood of it occurring or recurring during the stages of the project. The main issues that are considered in the quantitative assessment of a risk will be the increased cost of managing the risk where an additional amount that is above the estimate to complete the project will be needed to manage the risk and the increased time which is the additional time that will be needed beyond the project’s completion date to manage the risk (Smith et al 2006).

Risk Assessment Tools and Methods

As explained earlier in the discussion, an important step in the risk analysis process is the determination of an appropriate risk assessment tool that can be used in the identification and management of risks within a project. There is no single approach that is more suitable than the other when it comes to which risk assessment technique is more superior. The selection of a risk assessment tool will therefore depend on the type and complexity of the project that is being undertaken, the depth of the risk analysis that will be required for the risk management activity and the familiarity that the various stakeholders of the project have to risk assessment tools. The various types of risk assessment tools that are used in risk assessment activities are divided into two broad categories which include the basic tools of risk assessment and the advanced tools or approaches to risk assessment. Under the basic tools, there are various assessment tools that fall under the diagram analysis and risk ranking/filtering categories of risk assessment tools (Frank et al 2008).

The various types of tools that fall under diagram analysis include flow charts, check sheets, cause/effect diagrams and process mapping. These diagram analysis tools are classified as basic risk assessment tools because they are simple and easy to use when it comes to gathering and organizing risk management data. These diagrammatic analysis tools are also able to structure risk assessment processes to facilitate appropriate decision making activities during the risk analysis and management process. Diagrammatic analysis tools are used in the compilation of observations and empirical information that are necessary in supporting risk assessment activities (Frank et al 2008).

The risk ranking and filtering assessment tools are those methods that are used in the comparison and ranking of risks during the risk assessment process. Risk ranking and filtering tools are used in the evaluation of multiple quantitative and qualitative factors that are used to assess each type of risk. These tools employ the use of weighting scores and risk scores to evaluate the magnitude and probability of the risk from occurring within a project. Risk ranking and filtering tools are used in the prioritization of operating areas that have a high priority of risk within a project for risk assessment activities. They are also used in projects where the risks or underlying consequences of the project are diverse and difficult to deal with when compared to using a single risk assessment tool (Damodaran 2008).

The other category of risk assessment tools is the advanced category where the risk assessment tools are more specialised in dealing with complex risks that might arise in a project. One example of an advanced risk assessment tool is the fault tree analysis (FTA) which is used in identifying the root causes of a risk within a project. The fault tree analysis is also used in evaluating the risks that might arise in the systems or sub-systems of a project at any one given time. This makes the FTA a more suitable method of risk assessment for projects that are complex and difficult in nature as they combine the multiple causes of a project’s systems and sub-systems failing by identifying the causal chains. Another tool that is used in risk assessment is the hazard operability analysis method (HAZOP) which operates under the assumption that risky events in projects are caused by deviations from the design and operating intentions of the project (Frank et al 2008).

The HAZOP method assumes that any deviation from the original design and purpose of the project will lead to the probability of risks occurring within the project. The hazard operability analysis tool of risk assessment utilises a systematic technique of identifying the potential deviations in a project’s activities from the initial design of the project. The HAZOP method is commonly used in accessing the manufacturing processes of industry facilities and equipment as well as in the evaluation of the safety hazards that exist in the manufacturing processes (Damodaran 2008).

Another type of risk assessment tool that is used in the assessment of risks is the failure mode effects analysis tool (FMEA). This tool is used in assessing whether the project has the potential for failure and whether there is a probable effect of this failure on the outcomes of the project. The failure mode effects analysis is an important tool for a project manager and risk analyst as it helps them to determine whether the risks identified within the project will lead to the failure of the project or failure of the project’s outcomes. The FMEA risk assessment tool identifies the failure modes of the project after which the risk reduction strategies and actions are applied to eliminate, reduce or control the potential failure of the project (Frank et al 2008).

The failure mode effects analysis tool mostly relies on the strong understanding that the risk analyst has on the type and complexity of the project, the process or operations of the project as well as the various activities that fall under the project. The output of the project is usually deemed to be the relative risk score that is used in determining the failure mode of the project. The FMEA risk assessment tool is used in the evaluation activities of equipment and facilities within manufacturing processes to determine the failure modes of the processes and also the risks of critical parameters in the manufacturing process (Frank et al 2008).

Apart from the basic and advanced tools of risk assessment approaches, other tools that are used in the risk assessment process include the probabilistic approaches of risk assessment that include decision trees, scenario analysis and simulations. The probabilistic scenario analysis tool of risk assessment is a method of assessing risks by incorporating the use of event trees in assessing risks. Scenario analysis involves the identification of a hazard within a project after which a step-by-step scenario is developed to deal with the hazard as it occurs. The pathway that usually leads to the end point of the hazard is what is usually referred to as an event tree. The steps that led to the occurrence of a hazard within a project are usually shown in the pathways and nodes of the event tree. These nodes evaluate the probability that a risk will occur within the project (Bachmann 2006).

Another probabilistic method that is used in the assessment of risks is decision trees where the risk is assessed through the use of pathways and nodes. Decision trees are graphs that look like trees where the risks and their possible consequences are analysed based on the outcomes of a project. Decision trees are useful techniques in determining the probability of the occurrence of a risk and what outcome the risk will have on the project should it occur. Decision trees are important probabilistic risk assessment tools because they provide the risk analyst with the best possible solutions to deal with the risk. Decision trees are the easiest probabilistic risk assessment tools to use because they are simple to understand and interpret. A probability value for the pathway can be developed based on the description of risk analysis experts based on the outcomes and costs of the project. The decision tree can also be used with other methods of risk assessment such as scenario analysis, flow charts and cause/effect diagrams (Yang 2006).

Simulations in risk assessment involve the modelling of the risk to reflect the outcomes of the risk should it occur. Simulation is used to show the effects of the risk should the risk occur during the performance of the project’s activities. The major aspects that are considered in risk assessment simulations include the use of approximations and assumptions in modelling the simulation, the prevalence or magnitude of the risk, the validation of the simulation outcomes and the characteristics and behaviours of the risk. Simulations incorporate the use of various probabilistic approaches of risk assessment to determine the outcomes of the risk. Some of these methods include scenario analysis where a particular scenario related to the outcome of a risk is modelled to simulate the effects of the risk to the project’s activities (Lawrence et al 2006).

Evaluation of Risk Problems

The various risk problems that exist in the risk assessment process include risk identification, assessment, transfer and mitigation. Risk identification involves determining the types of risks that exist within a process and developing management activities that will be used to deal with those risks. The absence of risk identification processes within a project might create a situation where the project manager is unable to effectively manage the risks that might arise while the project is being implemented. The manager might also be unable to determine the causes of the risk while the project is being implemented (Reeves 2010).

Risk identification becomes a problem during the determination of the risk if the project team is unable to properly identify and assess what types of risks are present in the project. It also becomes a problem when the team is unable to control the impacts of the risk on the project’s outcomes when the risk becomes unidentifiable making it difficult to document and control. Risk assessment provides a greater understanding of the risk and it is a vital process of developing action plans that will be used to manage the risk. Risk assessment allows the project manager to compare risks against each other, allowing him to prioritise risks according to their probability (Reeves 2010).

Risk assessment becomes a risk problem especially when the wrong risk assessment tool or technique has been chosen to assess the project’s risk. Using unsuitable risk assessment approaches might prevent the project team from appropriately assessing the risks that are present within a project which might lead them to develop the wrong risk management and control activities. Such problems might see the risk continuing to persist in the project which means that additional resources will be needed to manage the risk as well as manage the projects deviations (Reeves 2010).

Risks that have continued to persist within a project might not produce the desired outcomes for the project. Risk assessment problems should therefore be dealt with by choosing the appropriate risk assessment tool that will assess the risk and provide the project manager with the leeway to create risk control measures. Risk assessment also proves to be a problem when the exposure level of a significant control failure cannot be easily understood and when the key controls that are necessary for the project’s effectiveness cannot be assessed for risks. It is also a problem to a project manager when it is difficult to develop effective key indicators that will be used to manage and control the risk (Reeves 2010).

Risk transfer is a risk management process where a risk is shifted from one part of the project to another. It is also the shifting of burden or responsibility to another party liable for the project through the use of contracts, legislation or insurance cover claims. Risk transfer is a common practice when a company or organization wants to perform risk reduction activities within its projects to ensure that it limits the number of resources that are needed to assess and manage the risk. There are various risk transfer tools that can be used to assess and manage a risk within a project and these include micro-insurance schemes, calamity funds, catastrophe bonds and pools. While risk transfer activities limit the amount of resources that will be needed by the project manager to control the risk, they still present a problem to the manager especially if they have been transferred from one part of the project to another. Risk transfer can also present a problem to the project manager if there are multiple risk types identified to exist within the various systems of a project. It is deemed as a short term solution which must be dealt with soon to avoid the risk from creating devastating outcomes (Culp 2004).

Derivatives which are important financial instruments used in risk transfer activities are payoffs that are based on the performance of the project’s underlying asset. Derivatives can take the form of project or company contracts, assets, futures, swaps and forwards. Derivatives are a problem during the risk transfer where one part of the project will lose financially especially if the risk has been transferred within the project. If the losses incurred by the risks transferred to the one part of the project continue to increase, the project might suffer a failure of its significant control systems which means that more resources will have to be used to manage the risk (Culp 2004).

Risk mitigation is defined as a proactive strategy that is used to decrease the probability of a risk from occurring or decrease the impact of the risk in the event it occurs. The strategies that are used in risk mitigation activities might be physical strategies where the project designs will have to be changed to decrease the occurrence of risks or financial measures where additional money will be needed to minimize the impact of the risk. Risk mitigation presents a problem to a project that has risk issues especially if they have been left unresolved. These unresolved risks will cause significant delays in the project’s completion as more activities will have to be introduced to deal with the risks. This might delay the results of the project especially if the impact of the risk has minimized the value of the project. If risk mitigation activities are conducted at a later stage of the project then the impacts of the risk will be high because the probability of the risk occurring within the project will be high (Levin and Kalal 2003).

Case Studies of Risk Assessment Tools

A case study was conducted on the risk assessment tools that are used in a packaging line in a manufacturing company based in the United States. The risk assessment involves determining what processes, procedures and events during the packaging of a product create an unacceptable risk to the overall quality of the product. The project team assigned for the case study decided to select a risk assessment method that was systematic, comprehensive and inductive in nature after an assessment of the risk factors which were determined to be quantitative in nature (Product Quality Research Institute 2005).

The risk assessment tool that was used in the case study was the functional failures and effects analysis (FFEA) risk assessment tool which is a hybrid of the failure mode effects analysis (FMEA) risk assessment tool. The functional failures and effects analysis method examines the effects of functional failures on the system performance of a project through the systems and function-based methods. To apply the risk-based decision making concepts to the FFEA risk assessment tool, the project team identified the frequency of each functional failure of the project as well as the severity of the potential outcome of the failure. The FFEA assessed the risk by defining the potential product defect that might occur during a given packaging operation and the severity of and frequency of the defect. The table below represents the severity categories of the product defect (Product Quality Research Institute 2005).

Category Severity Description
1 Effect is not noticeable
No quality, impact, production or financial impact insignificant
2 Minor effect
No impact of license or NDA, possible quality problem and possible production problem such as excessive rejects
3 Moderate effect
Quality concern (e.g. excessive internal metrics, customer complaints), impacts of production for short periods of time
4 Major effect
Quality impact, exceeds license or NDA limits (e.g. miscount or missing labels), impacts of production for extended periods of time
5 Critical effect
Quality problem with potential impacts to patient safety (e.g. mislabelled product mix) and significant production problem (e.g. a typical event which causes a major loss of production impacting on a product’s supply)

(Source: Product Quality Research Institute 2005)

The diagram below represents a frequency scoring scale for the occurrence of product defects during the packaging process.

A frequency scoring scale for the occurrence of product defects during the packaging process

For each potential failure in the packaging operations of the manufacturing plant, the potential impact of the failure on product packaging was determined by the project team after which it was assigned with a severity category. Once the severity of the failure was categorised, all the dominant causes that were relevant to the potential failure were assigned a frequency. In the FFEA model, the frequency of packaging failure (F) is combined with the ability to detect (D) the failure, after which it is plotted against the severity of the failure (S) as follows: F – D= F (new) S vs F (new). The resulting risk assessment and work output was through the use of the FFEA model was recorded by the team in the following table

Item No. Potential
Failure
Dominant Causes Severity
category
Events/
year
Frequency
category
Safeguards Safeguard
Type
Eliminate or
Mitigate risk
A Incorrect expiry date printed on-line Incorrect set-up 5 1-10 4 Engineering/
Administrative controls
D=0 Yes
B Overfill Feeder failure (pin breaks, dropping excessive tablets) 4 100-1000 6 Vision system with reject verification D=4 Evaluate options and implement where appropriate
C Wrong Shrink wrap _ 1 0.01-0.1 2 _ _ None
D Cleaning residue (left from cleaning agents) Cleaning concentration is high
Human error (improper cleaning or rinsing)
3 1-10

1-10

4

4

Line cleaning inspection D=0 Evaluate options and implement where appropriate

(Source: Product Quality Research Institute 2005).

Another case study was conducted on a manufacturing plant based in Zurich, Germany that produced non-sterile active pharmaceutical ingredients (APIs). The packaging operations of these products need to be performed in suitable designed rooms that incorporate the use of containment technology. The main risks that exist during the packaging operations of APIs are the contamination of operators from hazardous API chemicals. In the case study, the manufacturer of the API factory identified operator contamination and the occupational exposure as the main risk factors in the packaging of APIs. The risk question that was developed for the case study was whether there were effective room designs or containment technologies that could be used during the packaging or pack-out operations in the factory to minimize operator contamination and exposure to hazardous chemicals. The manufacturer identified the risk factors to be more qualitative than quantitative which made him choose the modified version of the hazard operability analysis (HAZOP) risk assessment method (Product Quality Research Institute 2006).

The assessment process involved using the risk factors to determine if a respective packaging room or pack-out strategy could be used in reducing the overexposure or contamination of packaging operators. A risk level of low, medium or high was assigned for each risk factor in the study after which actions were developed to mitigate the identified risk. According to the HAZOP method, the activities and events that occur in the API packaging room would be used in determining whether the identified risk factors will occur during the pack-out process. The aspects that need to be considered when evaluating this type of room would include the presence of rough surfaces in the packaging room, whether the room is designed for easy maintenance activities and whether the air quality in the room is filtered to some degree. The table below represents a HAZOP risk assessment conducted on the API packaging rooms (Product Quality Research Institute 2006).

Contamination/Operator Exposure Risks Open drum packaging of an API through a sealed chute from a dryer on the second floor into a general purpose processing room with no airlock and no differential pressure relative to the general manufacturing floor
Initial Assessment Adjusted Control Strategy Follow-up Assessment
Contamination of API by other compounds Medium risk 1) Strict cleaning and maintenance program for the general purpose processing room
2) Positive differential pressure relative to general manufacturing floor
None to low risk
Contamination of API by foreign material Medium risk None to low risk
Contamination of packaging material by other compounds Medium risk None to low risk
Contamination of packaging material by foreign material Medium risk None to low risk
Contamination of other compounds outside the room by API Medium risk 1) Continuous liner system
Or
2) Negative pressure pack out booth
Or
3) Dust tight direct connect technology with bulk container
None to low risk
Exposure to the operator in the room High risk None to low risk
Exposure to operators outside the room Medium risk None to low risk

(Source: Project Quality Research Institute 2006)

In the international construction industry, the construction projects that are conducted are usually complex in nature and they present various types of factors. These risk factors include the number of organizations that are involved in the project and the diversity of the projects which increase the probability of risk factors occurring during the performance of the project. A case study was conducted on the construction industry of North American companies in the United States. The focus on the North American companies was mostly because twelve of the world’s largest transnational corporations and 26 of the 100 international construction contractors involved in the construction industry are based in North America (Walewski 2003).

The research team involved in the case study saw that the identification of industry issues would provide a basis for selecting the most suitable risk assessment tools. The high-level risk issues that were identified by the research team while conducting the case study include the risks that were associated with construction and project life cycles, the international construction market and its participants, project-specific related risks that exist in different countries and the allocation of risk issues in the construction industry (Walewski 2003).

The risk factors identified in the study were qualitative in nature which allowed the project team to develop a risk assessment tool that would be used in international construction industries. This risk assessment tool is known as the international project risk assessment (IPRA) tool that is based on the following attributes which include the process of identifying and accessing risks specific to international construction projects, risk elements tailored for international projects and a structured process that can be used to identify, measure and track risks from the early stages of the project. The IPRA risk assessment tool has been divided to cater for four major sections which include commercial, operations, country and facilities which have been further divided into fourteen categories that represent 82 risk elements. The sections, categories and elements are used to describe and provide examples of the various risks that exist in construction projects (Walewski 2003).

Visual Roadmap to achieving Total Risk Management in Projects

In achieving successful risk management in project activities, the following recommendations and observations can be used as a roadmap towards achieving total risk management in projects. To ensure that risk management activities have been achieved, risk analysis and management activities must be used during the early stages of the project. Properly structured risk identification, analysis and mitigation processes can be able to minimize the risks that are associated with complex projects which might ensure that the total risk management activities have been managed appropriately. Another recommendation that can be used in achieving total risk management in projects involves not viewing risk management and risk assessment activities as substitutes to adequate project planning activities (Yussuf 2010).

They should however be viewed as a process that can be used in identifying, assessing and managing risks within a project. Projects that possess certain characteristics such as systems and subsystems that are complex in nature as well as multiple participants and technological innovations are more than likely to be exposed to increasing levels of risk. The project manager and risk analyst should therefore consider the characteristics of the project when managing the risk within a project. Documentation of the risk management activities is important as it allows for the necessary actions to be taken against the risk and in achieving total risk management of project activities (Yussuf 2010).

A method that can be used to ensure that there is the total management of risks in a project is the AS/NZS 4360 risk management standard that is specifically used to handle risks within a project. This method is suitable for both simple and complex projects because of the many risk events that might affect the stages of the project. The AS/NZS 4360 risk management standard is also suitable as it focuses on the operational aspects of the project. The diagram below represents a visual roadmap of how an organization that is undertaking a project can be able to adopt total risk management through the use of the AS/NZS 4360 standard.

(Source: Yussuf 2010)
(Source: Yussuf 2010)

References

Anbari, F.T., (2005) Qs and As for the PMBOK guide. New York: Project Management Institute

Bachmann, T.M., (2006) Hazardous substances and human health: exposure impact and external cost assessment at the European scale. Oxford, UK: Elsevier

Culp, C.L., (2004) Risk transfer: derivatives in theory and practice. Hoboken, New Jersey: John Wiley and Sons

Damodaran, A., (2008) Strategic risk taking: a framework for risk management. Upper Saddle River, New Jersey: Wharton School Publishing

Frank, T., Brooks, S., Creekmore, R., Hasselbalch, B., Murray, K., Obeng, K., Reich, S., and Sanchez, E., (2008) Quality risk management principles and industry case studies. Web.

Lawrence, S., Mathias, D., Klopfer, G., Pandya, S., Olsen, M., Onufer, J., and Holst, T., (2006) Simulation-assisted risk assessment. Web.

Levin, M., and Kalal, T.T., (2003) Improving product reliability: strategies and implementation. West Sussex, England: John Wiley and Sons Limited

Product Quality Research Institute (2005) Packaging line GMP optimization. Web.

Product Quality Research Institute (2006) Pack-out remedies to minimize contamination and exposure. Web.

Reeves, O., (2010) Process: identification, assessment, control and mitigation. Web.

Smith, N.J., Merna, T., and Jobling, P., (2006) Managing risk in construction projects. Oxford, UK: Blackwell Publishing Limited

Vose, D., (2008) Risk analysis: a quantitative guide. West Sussex, England: John Wiley and Sons

Walewski, J., (2003) International project risk assessment: methods, procedures and critical factors. Web.

Yang, T., (2006) Computational verb decision trees. International Journal of Computational Cognition. Vol. 4, No.4, pp 34-46

Yussuf, M.N., (2010) Contemporary approaches to project risk management: assessment and recommendations. Web.