Why is risk management important?
If a project is at the very earliest stage of inception, there will likely be a high amount of uncertainty compared to when the project is close to completion. It’s good project management to acknowledge these risks and proactively manage them. This starts by identifying the key metrics that signal the project’s success and forecasting any events that could have a negative impact on achieving these metrics.
“…risk management is the identification, evaluation and prioritisation of risk followed by coordinated and economical application of resources to minimise, monitor and control the probability or impact of unfortunate events or to maximise the realisation of opportunities.”
When an unmitigated risk event occurs on site, it impacts both cost and programme and could run into significant sums of money. It can also cause reputational damage to both developer and contractor.
However, if risks are captured at the outset of the project and mitigated or managed out entirely, the benefits are clear for all.
Does it make a difference if you act as Principal Designer or Principal Contractor?
The Principal Designer has a legal obligation through the CDM (2015) regulations to ensure that significant and foreseeable risks are managed throughout the pre-construction design process. Where the designer cannot eliminate the risks in question, they should work with the Principal Contractor and the developer to coordinate the work of others in a way that secures their health and safety.
If you are a developer and intend to operate as a management contractor, including taking on the role of both Principal Designer and Principal Contractor, then you should consider the above and remember you will retain a legal responsibility for managing certain risks. It’s better to manage these risks centrally as opposed to passing them onto the supply chain.
Also, the Principal Designer should assist the Principal Contractor in meeting their CDM requirements of producing the construction phase plan (CPP), which includes providing the relevant information in terms of key project risks. As the works progress, the Principal Designer and Contractor are responsible for managing design changes and sharing updated information.
The Principal Contractor has the responsibility for health and safety during the construction phase on notifiable projects only. The Principal Contractor also has the duties to “plan, manage, monitor and coordinate the construction phase,” taking into account the general principals of prevention to ensure the project is carried out without risks to health or safety.
How do you categorise, allocate, value and manage risk?
Ideally you will manage risks in order of priority where those risk or opportunities have the greatest effect. You first address those that are most likely to occur and work your way through to those least likely to occur. However, these can interchange through the projects lifecycle and it can be difficult to balance resources to mitigate the risks accordingly.
The following method is a good place to start when producing a risk register:
- Hold a risk workshop including all contracting parties and where appropriate key stakeholders
- Identify the risks (threats)
- Identify the opportunities (benefits)
- Determine the expected likelihood and consequences of specific types of risks
- The determination should both qualitative and quantitative i.e. describe in detail what the risk exactly is, what it could affect and for how long and for quantitative the full value of the risk in terms of both direct and indirect cost. These would be the pre-mitigation values
- Identify ways to reduce the risk (via mitigation, removal or contingency plan) including description and the cost of mitigation
- Re-run the determination as described above but after the mitigation has been applied to establish the post mitigation risk values
- Add the post mitigation values plus the cost of mitigation to generate your project risk value
- Sort in order of priority either through what risk reduction measures are required first or by the highest risks first
- The register should also include how the risk will be managed, controlled, reviewed and reported or in risk terms how you will “avoid, reduce, control or accept the risk”
Ideally the risk management process is owned by risk managers who are aware of all the risks associated with a project and specifically their field of expertise. This is typically why Project Managers make good risk managers and why they can produce good quality risk management plans.
Once established, the key to managing an effective risk register is ownership and regular reviews. The risk should be allocated to the person best placed to manage and control them by taking responsibility and accountability.
- The Project Manager should own any risk that might affect the delivery of the project e.g. design approvals reviewed in time, payments issued on time and the management of stakeholders
- The Developer might own any risks that affect their business, or the project being realised e.g. funding is in place or land access arrangements are in place
- The Contractor should own any risks that will affect their ability to achieve the scope of works e.g. resource availability, material availability or plant breakdowns
What about opportunities? How should they be managed alongside risk?
Opportunities can be defined as “a positive outcome that may bring additional value to a project.” For example, this may be allowing a tenant early access to a building that increases revenue for the developer. Opportunities may also come in the way of value engineering where an alternative material finish benefits both the Contractor and developer.
They can be managed alongside risk when preparing a cost plan to demonstrate that threats (risks) and benefits (opportunities) have been considered alongside each other to provide a balanced view.
As a Developer or Contractor, should you sell or retain risk?
Whoever takes the role of Principal Designer or Principal Contractor must consider their legal obligations before delegating any risks associated with the provision of information in regards health and safety.
In terms of managing other risks, the party who takes on the risk needs to have the capability to manage it along with the skills, experience and resources to actively mitigate it. For example, if you have statutory undertaker’s equipment that requires diversion for a development to proceed, by making the Contractor responsible for placing the order with the stats company and then coordinating their works with their own, then you as a developer have passed over the responsibility for the stats company’s performance and any delays will remain the responsibility of the Contractor.
However, if the Contractor has little or no experience in how to manage third party companies, they may struggle to deliver this without the developer’s assistance, which could result in a delayed project to the detriment of both parties. In instances such as this, it’s important to differentiate on the risk register who is best placed to manage and own the risk versus who has ultimate responsibility under the contract for the consequences of the risk materialising i.e. the Contractor retains the commercial risk but the developer is best placed to help them mitigate the risk.
There are other pitfalls that developers can fall into when trying to pass risk over to the supply chain. For example, placing the contract as a lump sum but leaving ambiguities and inconsistencies in the contract document that gives rise to post contract variations. Therefore, when considering ‘selling’ risk by paying a premium for a lump sum contract, what should be reviewed is:
- Sufficiency of the procurement route
- Any amendments to contract terms are clear and do not conflict with other terms
- The scope is clear and not open to interpretation
When does a risk become an issue?
In risk management terms, once a risk has a high probability of occurring or is already influencing a project, it is no longer a risk and has progressed to become an issue. This is where the probability has reached 100%, but it is not unusual for risk events to become ‘issues’ once they hit 75% probability on the basis that the event is likely to occur.
Risk management aims to identify potential problems as early as possible so that the opportunity for taking effective action is maximised.
Are there any tools available to manage risk?
We’ve described how to capture risks and administer them, but what should be in place above this is a high-level risk management plan or RMP. The idea of having an RMP in place is that it captures your risk strategy including:
- How you will record risks
- What controls you will have in place
- How they will be reviewed and reported on
- How you will control and monitor their progress, including any re-evaluation of the risks as the project progresses.
As a developer, you will want your supply chain to give you this information in order so that you can get assurance as to how they will manage key project risks.
What is considered to be best practice?
Good risk management depends on having clear roles, owners and accountability, and well-written and valued risk registers. In terms of best practice, the Institute of Risk Management has produced their own risk management standard which was subsequently adopted by the Federation of European Risk Management Association (FERMA). Alongside this is the publication of ISO 31000, the Global Risk Management Standard.
In terms of day-to-day practice, effective risk management will enable project teams to anticipate events before they happen, mitigate them if they are proactive, and make informed decisions. Good project management is actively managing risk through quality decision making, which in turn improves contingency planning for developers and contractors alike.