EP 107

How to ACTUALLY manage risk on construction projects (EP 107)



This week, Paul is joined by Chris Ritson, Senior Risk & Uncertainty Consultant at Safran, a software company building a unified project management solution to help organisations confidently tackle complex capital projects.

Chris is an out-and-out risk expert, and Paul wanted to interview him to fully understand the difference between how a Risk Manager and a QS manage risks and what QS’ could learn.

Across the episode, we cover parametric modelling, Montecarlo simulations and best practice when managing risks and opportunities. Chris advises best setting up projects and project teams to manage risks. If you work construction risks - you really should listen in.


Are you struggling with a lack of Quantity Surveyors?

A recent RICS Survey found that 54% of main contractors reported insufficient numbers of Quantity Surveyors available in the market, and at C-Link, we completed a survey that found 80% of companies find it challenging to recruit QS at the moment.

Are you one of those companies?

C-Link is software built by Quantity Surveyors for Main Contractors. We save 600 hours of Quantity Surveying time per project in automation. We can make your QS’ so much more efficient.

Book a demo to learn more by clicking here.


Paul Heming: Hello and welcome to episode 107 of the Own the Build Podcast with me, Paul Heming. How is everyone doing? I hope you’re all doing pretty well this week. Thanks to everyone who has been reaching out, saying hello, seem to have been inundated since the start of the year with people saying that they’re enjoying what we’re doing. So thank you. If you have spoken to me, I appreciate it. And if you thinking about it, feel free to give me a shout. Be happy to hear from you. Now, a few weeks back on episode 102, which was actually a really popular show, got some really good feedback. I interviewed Simon Robinson, who was a QS from Sub Port helping subcontractors. And in that show, we talked a lot about how main contractors manage risk with subcontractors. And it got me thinking because, well, to be honest with you, I’ve been thinking about it for a long time. I even wrote my dissertation on how construction companies manage risk. So, it’s always been something at the top of my mind, particularly cause I was a subcontractor all my time, and I was doing that episode with Simon and thinking I would love to speak to someone who was a genuine expert in risk as opposed to just a QS, because QS’s have a certain way of managing things and I thought it’d be really interesting to invite in and expert. So in the studio today, I’m joined by Chris Ritson, who is a senior risk and uncertainty consultant at Safran. I know that I’ve already got everyone’s attention. Safran or a software company building a unified project management solution designed to help organizations, tackle complex capital projects with confidence. And I was introduced to Chris by Gareth Evans from episode 96, who described to me that Chris was a risk genius. The bar has been set and it has been set very high. I see Chris is wincing right next to me here. How are you doing, Chris? You happy with that? 

Chris Ritson: Hi, Paul. Yeah, it’s quite a high bar.

Paul Heming: So, the risk genius. Like, what are you thinking when, what have you done so that Gareth is calling you a risk genius?

Chris Ritson: I’m genuinely not being humble when I say I don’t know. I really don’t know.

Paul Heming: Well, I’m not sure about that. I’m not sure about that. I mean, I looked at your profile, we’ve chatted, I mean you were up for lots of awards, risk manager of the year 2017, you were a final staff winner of risk innovation of the year in 2017. So, I think my mission to find a disciple of risk management and a very good one. I feel like I’m on the right path here. So, I’m very pleased to have you on the show, Chris. Do me a favor for everyone who is listening. Talk to us about your experience in construction and your experience in risk and what you’re now doing.

Chris Ritson: Okay. So, I started in 2005-06, thereabouts in the highways in industry. And it was over here in Bristol, where I live. And we were covering a very large geographic region. Lots of small projects, some big projects, so lots of infrastructure, roads, bridges, everything else in between in the southwest. And when I joined, it was just as almost a bit like a dog’s body between two teams. It was like the quality assurance team and the risk management team sort of 50-50 split. And I was helping them to implement their risk database, where they were using it to capture their non-conformance reports, NCRs for their issues, but then also for frets and opportunities. And they were capturing those on their risk register there as well on that database. So, I was kind of like helping maintain the database until I then grew into actually learning how to facilitate risk workshops and things like that. And kind of grew in my career from that kind of graduate job to begin with. So, that’s kind of where it all started. And that was on a very unique contract where they really wanted to do risk management to the likes of, which has never been seen on a highways contract before. So, that was kind of like, so I was already in at a kind of higher level perhaps than what would be seen as typical at that time.

Paul Heming: Great introduction.

Chris Ritson: Very fortunate. And I had some great mentorship from, it would’ve been Mo McDonald risk managers at the time from Colin and then Ian. So that was my introduction and I was working for Balfour Beatty at that time. And then just blitzing through kind of the rest of the story very quickly for this sake of brevity and you know, an introduction. That ended. I ended up in Cross rail on the Paddington underground station, the new build.

Paul Heming: Not many risks to manage on that project. Were they?

Chris Ritson: No, I couldn’t find any. And then, I left there to come into network rail with Costane, so it was a Skanska costain. And then back, there was a brief period of a couple of years where I was with ABC joint venture, which was a costane joint venture. Again, that was rail sector related for the electrification projects. And then we get back to high speed two. So that was kind of the quick version and then all the other things have genuinely happened in between.

Paul Heming: Yeah. So you’ve done a lot of risk management for contractors, tier one contractors, tier one organizations on large, large projects that are generally infrastructure, highways, rail, etcetera. You are now senior risk and uncertainty consultants. I only noticed this morning that that was your title and I have to say I absolutely loved it, particularly the uncertainty consultant. What are you doing now at Safran?

Chris Ritson: So I joined Safran just over three years ago, and that was a jump that I made after trying to compare some software on the market that could do our Monte Carlo simulation. So, risk analysis of both schedule and cost. What I was trying to do is actually find a way of integrating both into a holistic model. So it’s quite typical to find that some people will run like a cost risk model on a spreadsheet, but then they’ll have to run a different software program for the schedule for taking something like from P6 or Microsoft Project and then stressing it with risk and uncertainties. So, I wanted to find something that did both, and that’s how I discovered Safran risk and I compared it to other products in the market. And just for me personally, for various reasons, user interface, the ease of use and all those kinds of things mostly workflow and things that just meant that I was just really sold on it. Because I could sort of see that it was greater than the sum of its parts and what it was actually trying to do. And I was really sort of inspired by that. And then a few conversations later and I ended up joining them and now I’m promoting them, I’m educating and I’m introducing people to the product. And there’s another product as well. I mean, Safran have a few products. They’re all project management, project related. So scheduling is like the pedigree, the 25 year old company. So they’ve got a scheduling engine that’s equivalent to something like P6, so you can do it in P6, the likelihood is you can do it in Safran. And then they’ve built their risk module on top of that. And then more recently, we’ve also got a kind of, I’d say an enterprise, almost like an enterprise risk system, so a database approach for your risk registers. But we’ve kind of like brought it down to how do you promote it on projects for day-to-day use with people, that that’s not their normal language talking in like risk jargon and things like that. So, I’ve got a real passion and I’ve always had that passion from back in 2006 onwards to how do you actually get people to do risk management when they’re busy people, you know?

Paul Heming: Exactly, exactly.

Chris Ritson: Other things that they’d rather be doing. So that’s looking at user interfaces and how do you make that experience just more accessible, transparent? Because what I found very early on in my career was that if you have these systems that are built for other risk people, then it’s like a barrier of entry. You can’t get people filling the system with useful information. And so you’re into that situation, then you have a risk system on paper only and not actually in practice. You’re not getting the benefits, the academic benefits or even the marketing benefits that you’ve been sold. So, you have to have engagement with the people.

Paul Heming: Yeah, that makes total sense to me. So we’re speaking to a man who is a risk proficionado working for a company that is managing risks through technology, which is amazing. I want to ground our conversation as I do almost week in, week out on this podcast. So, what is risk management to you and what does a risk manager do in construction?

Chris Ritson: So, risk management to me is just getting the team to set aside a bit of time and for what could be seen as a small amount of effort and investment up front can actually yield some great benefits later on downstream. And if you just continue being busy and busy and focusing on the things that you think are important, then you’re going to lose that opportunity to just pivot and change and get some extra value that is there. You know, it just needs a bit of time to be given over to that. So, in terms of what risk management is, I mean really risk management is different to different people. It’s like beauties in the eye of the beholder and different people, different perspectives. Like just in terms of what I do, I do project level risk mostly. Some experience in corporate level risk management, even those two things are different even though they might be in the same company. But then if you’re an actuary, you know, you’re working in the insurance industry or maybe you are working in banking, finance, different forms of risk management.

Paul Heming: So, risk management for projects then is where we want to focus, risk management in construction.

Chris Ritson: Yes. And then even there, you’ve still got other forms of risk management. So like commercial directors and managers and such, like they’re going to be very familiar with risk in terms of contracts and what is written in contracts and how does it apportion risk between parties, delineation of responsibilities and such. So again, that’s a kind of different form of risk management. And then if you’re an engineer, you are going to be looking at tenile strengths and things like that of physical –

Paul Heming: Technical risk management almost.

Chris Ritson: Yeah, physical properties of things and where are the thresholds, where it’s within a range of tolerance that is suitable and where does it fall outside that range. And then you’ve got auditing, you know, that I’ve kind of mentioned, alluded to that right at the start, where they’re looking for nonconformances to processes and things like this. So again, it’s another form of risk management, environmental statements and you know, what are we going to do? You know, you’re looking at thresholds of what you are and are not going to do with respect to upsetting the balance in the natural environment or upsetting stakeholders. So, you think of any enabling team on a project, whether that is those that handle the media and people that are going to be affected by it. You know, you’ve got all these kind of like niche little teams and they all manage risk differently. So, when you brought up Gareth at the start, you know, Gareth is, at the time that I met him, he was in charge of procurement. So procurement risk management is again, is going to be very particular and different there to how I would typically do project risk on a risk register and looking at change management and how that affects things. 

Paul Heming: That makes perfect sense. And you know, when you think about your basic risk register, I’m going to excuse how layman this is going to be, but you know, you have commercial risk, financial risks, physical risks, environmental risks, like you define them all. And is a risk manager there to kind of manage all of the project risks and liaise with who’s managing the commercial, the physical, etcetera. Is that what a risk manager typically does in these tier one contractors?

Chris Ritson: No, no, actually. So a risk manager on these kind of construction projects is something different. So they’re more of an enabler. They facilitate and they make sure that people do spend that little small fraction of time actually thinking about some of these things. And the reason why we do that, the reason why we have to do that as well is because we have to try and reframe people’s perspectives on the objectives. Like what’s the objectives of the project and how are these things that you are telling me, how are they going to affect the project objectives? Like whether it’s a milestone that for delivery or a particular promise that might have been made to the customer, you know, like, we’re going to reopen this road by this exact date. And that’s what we’ve publicly stated and that becomes really important. So some of these objectives help you articulate why something’s important, why is this risk more important than that risk when it comes to assessing risk? So a risk manager facilitates those discussions to actually occur and formalizes and helps standardize into a format that can be then consumed such that decision makers C-suite and whatnot can actually make some kind of actionable informed decision. And if at all possible, a good risk manager will try to make some recommendations as well, because, you know, important people, busy people, not much time in their day. And if you just give them data, they’ll just look at it and go, oh, wonderful. Now what do you want me to do with all this? So it’s about like, I think I put a, a meme type pitcher up on LinkedIn once, you know, a hitchhiker’s guy to the Galaxy or the Babel fish, it’s like a universal translator. It’s like you have to talk to all these different disciplines enabling functions, be they engineers, commercial quantity, surveyor’s environment teams and whatnot. And then you have to kind of turn all of that into what is more important than the other thing because they all think those things are the most important things to them, but aren’t necessarily the most important things to the people running the show. And in turn, you’ve then got customers and stakeholders external to the project, which will see things through a different lens, different perspective.

Paul Heming: Very differently. Well, I think that you’ve touched on something really interesting now. You talked about a project objectives, you’ve talked about what the priorities actually are and I think it might sound unusual to some people listening. Project objectives. What are you going on about project objectives? But it makes total sense when you’re talking about milestones or like, depending on what this specific project is. Talk to me about project objectives, how they are set and who sets them. Cause it seems to me like that then grounds the entire risk management process.

Chris Ritson: And it should. And a risk management plan, which is where you should start your process by drafting a risk management plan should make clear and articulate what are the priority objectives. And those objectives can be financial, they can be schedule related. Quite often they are. And you’ll see those in contracts because they’ll be the key date milestones and things or key date milestones, access dates, handover dates. We see those quite a lot. But those are the easy ones to think about. They kind of come to hand really easy. But if you are something like a high speed too, then you’ll have other things, other promises that you are making because you affect so many people. It’s genuinely a mega project, right? So you are making all these other kinds of promises. So you would have, like, I seem to recall something like a reduction in carbon, like whatever the industry standard is, we are going to try and better it. We’re going to try and set a new standard for the next century of building projects. But in big civil engineering construction projects, so they will set a target, I can’t remember what it is, it’ll be like 20%, 50%. So they’ll pick a target. So now that you’ve named it, now that you’ve articulated it, capture it and now start thinking about what the thresholds are in terms of, you know, are you achieving or not achieving and monitoring that. And you go back again to, okay, so what if you do or do not achieve that promise? Who’s most affected by that? And then you can start looking through those lenses and those perspectives again. And that would help you to sort of articulate internally at least, and presumably your customer will help with that process. They’re going to take the lead in terms of telling you what’s most important to them.

Paul Heming: And if you are, so that makes sense, right? You know, again, there’ll be SME, people working at SMEs listen to this and thinking, oh this doesn’t feel like this has anything to do with me. To be honest with you, you’re talking about HS 2 and you know, HS 2 sets these big macro objectives. Let’s say, on the project have these big macro objectives that you are then risk managing as the risk manager. But surely that then filters through the supply chain, the main, the subcontractor, secondary subcontractors. It feels a bit abstract at times. I know we’re talking about a mega project here, but how should you be acting down the supply chain, whether it’s main sub or secondary subcontractor for instance, to actually be ensuring that those objectives are hit. How would you do that?

Chris Ritson: Well, I think you would probably do that through the procurement process. You’d do it through the contracts, but the works information that you sort of share with those SMEs and the supply chain, if you can articulate to them why it’s important to you and therefore, impress upon them why you need them to behave and act in a certain way to achieve these things. And you know, they might be a small cog, there might be a much larger cog in the process of delivering that. But if you can kind of align everyone towards the same objective, then you are more likely to achieve that objective and reduce the uncertainty around whether or not you can or cannot. 

Paul Heming: Okay. And I think you’ve almost just hit the nail on the head there actually. And that’s, you know, going back to the inspiration almost for this conversation is how QS’s maybe think that they do that through procurement versus how someone like you would look at the way QS’s are doing it and think that there could be a different way.

Chris Ritson: Yeah, and I think this is a really key or good example of this is health and safety. So health and safety risk management was the other big one that wasn’t mentioned earlier. And they in some respects have a much easier job than someone like me doing kind of project risk in all its different shapes and sizes, right? With colors and flavors because health and safety just has this kind of one overarching goal that, you know, you come to work and the expectation is no accidents and you go home in as good a condition, if not better, than when you started your working day. And everyone can get on board with that. It’s just like, it’s a singular vision. Doesn’t matter what project, where in the UK, you can reasonably expect those to be the terms, you know, the expectations. When you then start diving into, oh we’ve got multiple objectives, that’s where it gets a little trickier.

Paul Heming: Yeah, absolutely. Okay. And so I think we’re getting to kind of the real meat now of the topic and I want to ask you a lot more about this and particularly around procurement, but we will do that right after this break. 

So I think that was a really good first half to the show and we segued kind of onto what, where I wanted to take the conversation really in the second half of the show, which is more focused on commercial risk management. There’ll be lots of commercially minded QS’s, commercial managers, commercial directors, even they’ll be managing directors at main contractors listening to this and they’ll be thinking prominently, how do I manage commercial risks? How am I managing commercial risks on this project right now? And I’m interested to hear from you the mentality and culture that you have around risk management because it’ll be totally different to my experience as a former commercial manager. And I’m interested to see like what the difference is, how you actually go about identifying and managing risks versus how I experienced it, which is much more what risk have I got on this subcontract package, how can I remove it or how can I pass it down somewhere else and have it managed by someone who’s more capable of it. So, my question to you is, what is your view on the way that commercial teams manage risk and construction?

Chris Ritson: So, we already kind of touched on like the contracts, now the contracts is going to be the principle starting point because it delineates responsibilities between different parties and the portions the risk that way. So, if we all just take that as our common understanding as a starting point. So after that, when you are then getting into say subcontracting, you can then look at, and what I’ve seen done before would be QS or someone in commercial sits down, they draft top 10 things that comes to their mind, pop them into a spreadsheet and they do a very quick assessment, kind of like a red, amber, green kind of traffic light flag kind of thing. And they do a kind of little mini risk register for themselves. Now I applaud that because at least they’re thinking about risk, right? So this is good. Where that can go further is I’ve seen people then say, well this is just qualitative, this is just my gut feel. If I put some numbers to this, that would actually help rationalize whether or not these are the right things to be worried about or not. And it starts to put additional framing, additional context around it. So, they might say probability that this one in their list will happen and then probability in the next one. So, they could look at it in terms of probabilities, then they could look at it in terms of probability of the most likely impact. They wanted to get slightly spicier, saltier. They could look at what’s the best case and the worst case. And so they’ve come up with the traditional three point estimate. So I’ve seen that throughout my career right from the beginning cause the systems that I’ve been exposed to have always kind of been more sort of starting there. So it’s a sliding scale of maturity and there’s often, I like to say there’s no real right or wrong answer here when it comes to some of these things because depending, going back to that context again, if your context is that you are on, I don’t know, something that’s low risk to the overall objectives, then does it really matter? Like can your gut feel intuition just get you through what you need to do.

Paul Heming: As long as you have the objectives. Right? 

Chris Ritson: Yeah. So, as long as the objectives are communicated and you understand what’s at stake, what is at risk, then that’ll help you make a decision on the level of maturity and sort of sophistication that you should be getting involved in in terms of articulation of identification of risk, assessment of risk and then what are you going to do about it, which is the most important thing. Because once you’ve learned something, you have to react to that information. It’s no good just sitting on a spreadsheet somewhere that, you know, it has to be shared, it has to be communicated. So there are risk management processes out there. ISO 31,000 as a sort of standard one that you’d look at. There’s others available. The association project management has one look at the PRM guide. There’s also Institute of Risk Management as an organization if you want to learn more. And they will point you in various different directions for different types of risk management and things. But you will find what looks like a very similar process, it might be a four step process, like a plan due check act or it might be seven or more and it’ll be using different words but approximately meaning the same thing in approximately the same order. So, it doesn’t matter if you’re in America, UK, somewhere else around the planet, you’ll find a risk process locally to you that kind of makes sense. And it will do broadly the same thing because you kind of do the same things in a repeatable, logical kind of order to a point. Little caveating statement there. So where this gets more involved I suppose is that you can then take those simple spreadsheet models that you might throw together, come up with what we call an EMV, estimated mean value or estimated monetary value or you could do a same three point estimate and probability for schedule impact you. Why not? You could do that. It’s not the same thing as doing a schedule risk analysis that uses the actual logic of the actual schedule because some risks will affect critical path and some will not. So, that’s a different higher level of maturity kind of risk assessment when you’re doing it like that, which is what I do in Safran, right? So you’ve got different formats but you mustn’t get too hung up on always doing it perfectly to the best possible standard. You should always – it’s one of like the key tenants in the institute of risk management when you kind of look into the research on risk is that you have to be proportionate, is a really good word to use here. Proportionate to the amount of risk that you are exposed to.

Paul Heming: You’re managing. What, in terms of the frequency and the volume of risk management that you’re doing?

Chris Ritson: Exactly. Yeah. 

Paul Heming: Okay. 

Chris Ritson: So, when the stakes start climbing, you need to start thinking about how do I do more commensurate to the risk exposure faced here? 

Paul Heming: I think that’s fantastic advice and that will resonate with the broad spectrum of listeners who probably go all the way up to like your HS 2 style project, but will come all the way down to doing a half a million pound, million pound build, right? And yeah, commensurate level of management for the kind of project that you are on. Just touching on frameworks, right? And I know you’re saying there’s loads of different frameworks and none of them are right or wrong. That estimated monetary value kind of level is the furthest level I ever got to in terms of how we would manage risk. Whereby you’d kind of have the risk, you’d have the probability then have the value that you’d attribute to it and all those different things so you could say this is the risk that these are the big risks, etcetera, and you’d be able to manage it that way. I think from my experience that having a risk register, now I was a subcontractor, but a large subcontractor, having a risk register internally on a project was rare. How does that make you feel as a risk manager?

Chris Ritson: I’m not surprised to hear that. I’ve always worked on projects that were basically the NEC free type contract. So, there was a requirement to have something, contractual requirement to have risk register, RR, which is actually, when you look at what it really is, it’s not a risk register in what you and I have been talking about so far. It’s actually something else. It’s actually more of a change management register and documentation to standardize what should we do when new information becomes available, but that it would be supported by other risk processes like the ones that you and I have been discussing up to this point. And it’s just the format and the level of, you know, the amount of data you want to start capturing on those is going to be different depending on the different projects.

Paul Heming: Yeah, I think, and its interesting isn’t it? And I think you’ve kind of hit the nail on the head and we steal your language again, but it is the commensurate level of process. Like, how much do we actually need to do for what we are building today? And that’ll be very different for everybody listening. I guess, a question that I would ask you though is, at a minimum, what is the minimum level of risk management you should be applying to a construction project?

Chris Ritson: I feel like quite experienced in the topic, right? And I want to be kind of careful about what I say here because –

Paul Heming: Just a little bit.

Chris Ritson: In a utopia, right, you would have everyone’s processes and steep procedures like their sort of standard operating practices written down somewhere so that if Dave couldn’t come to work today, Jeff could come in in his place, he’d follow the same process procedures and the company gets the same outcome, it’s the same result because they followed the same standard, right? That process was written in a certain way such that it was cognizant of the risk that that process is designed to manage. So, just because there might be an absence of a risk register doesn’t mean there’s an absence of risk management. And in a utopia, if everyone has perfect historical evidence to help them write their processes, procedures such that it kind of bulletproofs them against all kinds of deviations and things like that, that sounds like great. But the reality is as you scale and get bigger, your complexity, the number of moving parts, the agents, the number of stakeholders talking to one another, the amount of feedback loops from one, from party A to party Z and back again to C to F, you know, it can just grow, grow, grow and grow arms and legs and walk off the table and out the door and you know, it can just avalanche and snowball beyond recognition. So that’s why when we start talking about the commensurate approach, you have to recognize that there is probably some degree of risk management happening anyway. Then there’s a more visible kind of this thing that is called the risk register and maybe we have a risk manager that helps keep things moving in the right direction, consistent approach to the data capture and making sure that people spend the time thinking outside of their usual box, which is their process procedure. So, it captures the additional. So, if you are in a project where you think there’s just something about this project that’s a bit different or it’s bigger and therefore something might emerge out that we’ve never really handled or dealt with before. So, I think you have to think in those kind of terms about what the thresholds and what the triggers are for increasing the level of sophistication that you want to apply. And then when you do scale up to the bigger projects, to the several million pairing projects and the mega projects, then it becomes increasingly important to start standardizing your approach to risk management. So you’re still going to have the basis of the original procedure, which was designed to handle risk, but it recognizes that this is a different ballpark, different ball game. It’s like we’re playing by different rules, where we just don’t know what we’re going to bump into necessarily and we have to have mechanisms with which you’ll capture –

Paul Heming: Absolutely. You’re absolutely right as well in that just because there isn’t a risk register or just because there isn’t a prescribed risk manager, it doesn’t mean that you’re not managing risk. Every project is littered with risks and you have a QS, a project manager, a site manager, all of these people that perhaps are managing it in their minds or managing it less formally. I guess, the question would be, what is your advice in terms of managing risk that less formal approach, risk register, even if it’s basic risk register, how would you advise companies to manage risk? Because surely, if you formalize that process, even if it’s, I don’t know, a monthly risk meeting to review a risk register, what’s the minimum that you would really recommend?

Chris Ritson: Everyone’s context is different, right? So, it’s really difficult to give a one size fits all answer to these kinds of things. And I wouldn’t really attempt to. So, what I think is probably the most important is communication is key. So as long as there’s communication flow such that someone can kind of blow a whistle and say, do you know what? I think we might need to up our game. Take it back a step before you even get into a project, before you are executing a project, you would know what the nature of the project is because you tendered, you did work winning, right? So, you will have gathered enough information through that process such that you should have an inkling of the degree of risk management that is going to be required to satisfy it, to manage it successfully. So, you know, we haven’t talked much about opportunities and things like that, decision making. There are so many other facets to this and when in the life cycle of the project, you’d actually apply these things. So, and to what frequency and intensity as well. So, it’s dynamic and I’m so hesitant to give you a one size fits all answer because I don’t think it really exists.

Paul Heming: No, I think you’re absolutely right and the next thing I was going to ask you about was, you know, we’ve talked a lot about the negative, the risk, but then there’s the positive and the opportunity management as well. But I guess maybe where I’m landing and my own experience is, and I’m very open to you challenging this, is that quite often, you know, if you talk about there’s no allocated risk manager on this project or maybe even in this business, we don’t have a risk manager per se. You will have project managers, commercial managers, whoever, health and safety managers managing risk. But it feels, or my experience was that it was always quite siloed and that the health and safety manager might be doing theirs, commercial manager might be doing theirs and actually a forum, a document place where that conversation is at a minimum collated and put together so that all those silos are actually operating in unison. Makes sense as a minimum. And that’s something that I didn’t experience very often at all, honestly. And I know it might sound mad to someone who’s worked on HS 2, but some of the people listening will be thinking, we don’t have that, we don’t even have a risk register.

Chris Ritson: Yeah, okay. I mean that is one of the good things you can do with a risk register is you can start to look at the degrees of impact against different objectives or different types of risks like the health and safety, like reputation, like financial loss and schedule impact. You can articulate those on a scoring system and you can have things all consistently analyzed, assessed in one as you say, four or more document or it could be database. In terms of the siloing, I mean, you do need to have like is a strong recommendation that the subject matter expert, the person that is best placed to actually manage and actually handle the risk should be the risk owner in any case, regardless of what the contract might actually say, he might actually need that person to really inform the conversation and the direction of mitigation. Or if it was a to-do of opportunities and things then, you know, what is it that we need to put in place in order to realize that? So yes, there’s a degree of silo, but I think you get that on projects anyway. It’s kind of necessary regards subject matter expertise in the field. I think that the communication thing that I said earlier is the overarching recommendation because it allows you to transcend written process. It allows the more people that are being transparent and accessible with the information, the more chances, the more touchpoints that something could actually change when someone goes, oh actually, if we do this, I can help with that. Or really, gosh, I’m exposed to that too. So when you facilitate and allow a group of people from different silos to kind of hear about how each other’s things might actually be a potential chain of dominoes, one effecting the other, which then creates, you know, we’re talking about feedback loops, earlier I mentioned. So, who’s the best person to actually handle that? They’re all affected, but only one person might be the one that has the silver bullet. And then when you understand it through the context of oh wow, it affects so many different stakeholders here, that’s now the importance of the mitigation measure being actually resourced, you know, actually prioritized and that you put into position.

Paul Heming: You talk about giving the risk to the most suitable risk owner, which naturally makes sense. One of the things that I’ve experienced in the past is being on a project as a subcontractor, seeing either in the tender document or in the contract document that a risk, a project risk at the main contract level has been allocated to a subcontractor perhaps incorrectly at all. The perception is that it is not that the risk has been handed to the wrong risk owner through the contract, through the procurement process. Is that something that you’ve experienced it, something that you’ve seen much of?

Chris Ritson: I know that it happens because it’s a fallacy, right? If you are the owner, you know the customer, the ultimate customer, and you think you can subcontract the ownership of risk down the supply chain, who then subcontracts it down the supply chain further and further.

Paul Heming: Where’s it go?

Chris Ritson: You could end up in a situation where you think, done that. Yeah, I’m bulletproof because I wrote it in the contract. But ultimately, if that thing still happens and that person wasn’t best placed to manage it and they then it was a fallacy, it’s going to come bite you on the bum anyway. Your project’s going to be delayed.

Paul Heming: One hundred percent.

Chris Ritson: You’re going to have penalties, you’re going to be exposed to the negative media coverage potentially depending on the profile of the project and, and all those kind of things. So, you know, there was a really useful way of looking at it is, I know that what we were describing there was like, how do you use contracts to pretend you’ve managed risk?

Paul Heming: Yeah.

Chris Ritson: But it would be far more sensible if you instead had the communication lines open and you went, huh, I can see what you’re trying to do here. But you know that if that happens, we’re a small medium size enterprise, we’ll just go under, you know, and you’ll have at least the knock on effect of having to go and find a replacement SME to fill in that gap, which is going to take you time and level and effort. You’ve still got the consequence of the original risk, the original sin anyway, all because you mistakenly thought that you could pass it down. So, a two-way conversation there as part of the tendering process would help remedy and highlight those kinds of things and make sure that the right risk owner really came to attention. You know, we all kind, like a consensus is built around what is appropriate and you might have to think about risk in another way, which is who’s the best person to stop the risk from occurring in the first place, right? Is one question. Another question is if it happens despite our best endeavors to make it not happen, you now in damage limitation mode.

Paul Heming: Who do we want managing then?

Chris Ritson: Who manages the risk now?

Paul Heming: Yeah. Exactly.

Chris Ritson: Does ownership transfer between contractual commercial parties? Probably does. So, yeah. So you can get into a situation where a customer might end up dealing with the damage limitation anyway. So for a follow up on that, there’s another podcast, I don’t know if you happy for me to sort of say –

Paul Heming: Plug away. 

Chris Ritson: Riskologist podcast. So, there’s kind of like risk managers and risk people. You know, they had this episode where they talked about the risk carrier so if you want to know more about that, the risk carrier concept by Paul Sutcliffe.

Paul Heming: Excellent. No, I’m definitely going to check that out myself, actually. One other thing, and this is I think we’re getting to the heart of the problem as well or the mentality, and this is kind of what, going back yonks ago now, I was kind of thinking about in my dissertation. Is there many cases, like, is there a way, one of the things I used to always think is, you know, the way risks are procured, I will give them that risk even if they’re not the most appropriate or we’ll give them that risk and they’ll charge us for it even if it’s very unlikely to happen and you know, I don’t know stupid example, but it happens 1% of the time and when it happens, would cost you 10,000 pounds versus you pay a thousand pounds each time, right? So you’re actually paying a hundred thousand pounds over the life of a hundred projects versus 10,000. I feel that that happens all the time in construction projects. That risk is just given for no reason other than it’s always been given.

Chris Ritson: Yeah, I mean I think that’s another mechanism as part of the kind of contractual Merry-go round in discussing risk in a maybe less mature way than just having a conversation. So, if you get into a situation where you’ve got people that are ideologically driven and they’re just trying to pass it on for passing it on sake, then that’s what you’re going to do to protect yourself. You’re going to say, well look, I can do the work for this amount of money, this amount of time, and this is the scope, this is the quality of the scope that I can deliver for those parameters, those constraints. Oh, I’ve seen that you’ve also passed that risk. You’ve delineated that. That’s now my responsibility. So here’s my risk register and I’m showing you transparently how I’m costing this up and I’m adding that into my fee, this is how much is also going to cost you. So that’s how much it’s going to cost to work and this is how much it’s going to cost me to own the risks. So you can have a conversation that goes ping pongs backwards and forwards between, oh hang on, it’s not really going to cost you that, is it? It’s like, well it is to me, you don’t know my business as well as I do. So this is how my, and if you want me to take the premium of that or the cost of that, this is the premium for me doing that. You know, I can ensure my car through not just one but many, many other providers so that they all have different premiums.

Paul Heming: It would be quite interesting, you know, as a QS, when you’re doing your tender and in your tender, you create your bill and you say price those 10 items, it’s a hundred square meters of this, 50 square meters of that. Quite interesting. And some companies do this, some QS’s do this. If you put in risk number one, how much to include this risk, number two, how much to include this risk, number three, how much to include this? And then you would quickly see, wow, actually if I give them that risk, that’s part of their submission to me and all of a sudden I’m paying for it. And quite often that doesn’t happen. And in that not happening, it’s blurred, you kind of paying for it, but it’s not known. This is the problem. I just think that a lot of the way that we do both the tender stage procurement and then actually allocate risk in the contract is without real thought, it’s more just, I’ll just give them that and see if we get away with it more than who’s the most important person? Who’s the best person to manage this risk? And then how much are we paying for this risk to be managed and is that the right amount to be paying for that risk to be managed? That’s how I always thought about it, but never saw it in action.

Chris Ritson: Yeah, I mean the grand conditions in construction projects is probably one of the most obvious ones of that. You know, you can’t necessarily pass on the unknown unknowns cause what do we know? What are the assumptions around this? You know, it might be that you can pass that risk down to someone that’s willing to take it. You know, if they’ve had ground surveys done every X amount of distance and they’re comfortable with that and they go, well what’s the chance that between that survey point and that survey point, there’s something in between is going to be nasty and they might be comfortable taking that risk on. So, that’s the other problem or aspect I mentioned to tendering work winning is, you know, some people are going to have more risk appetite because they need to win the work maybe for political commercial reasons that are more higher up in the corporate kind of structure that they’ve just been told win at all costs. You know, we’ll deal with the risk, we’ll take the gambit, you know, take the gamble. So, you know, there’s nice to think that risk management is standardized and it’s always going to be, you know, cookie cutter. It’s one size fits all and it’s just not cause humans, behaviors and all these other aspects that we’re not really talked about so much biases and things, you know, that they all kind of creep in to distort how it should perhaps work best.

Paul Heming: No, it’s fascinating, isn’t it? There’s so many pieces to the puzzle and you’re absolutely right. You know, there isn’t one size fits all in terms of how you manage risks. Like meet once a month to manage it on this format of risk register, every business, every project and every risk needs it. It kind of just needs to be managed in in its own right.

Chris Ritson: Yeah, it’s a project by project basis and trying to establish the appropriate culture and kind of receptiveness to wanting to talk about risk. And as if you can get that bit right, then you just plug in an Excel spreadsheet or you plug in a Safran risk manager database or you plug in on top of that, the extra quantitative Monte Carlo simulation stuff as necessary and scale up as you need to. But, you know, there’s a maturity scale there. But the most important thing for me is like the culture. If you get the culture, the communication, the transparency, the accessibility, the comfortableness, you know, we talk about in health and safety, again, a really good example is the just culture, you know, is someone can be like a whistleblower for something, can feel like they’re not going to be absolutely strung up on the wall for grinding the project to a whole while something gets looked at. You know, it’s that kind of thing, that freedom to be able to say, hang on a minute, what about this? Has anyone thought about that? And put it into part of the plan or at least the risk register where it can be explored as a kind of collaborative effort.

Paul Heming: I completely and utterly agree with everything you’re saying. And I think there isn’t one size fits all and you are absolutely right. Its culture and mentality around how you manage risk. And we are at the end of the show now and we have basically just kind of skimmed the top of the topic, right? We’ve just, and we’ve kind of got to a point now where we think, I almost feel like –

Chris Ritson: I knew the kinds of questions that could have come my way today.

Paul Heming: Yeah. So, I think fascinating chatting to you. I’ve really enjoyed it and I’m sure the listeners have as well. And it will have set the foundations in the framework, I hope for many people listening as to perhaps how they can adjust their approach to managing risk or whether they are managing risk in a certain way. I’m sure there is opportunity for us to explore further conversations. Christian will be doing that. I will share your details and Safran’s details in the podcast description and I will just extend my gratitude and thanks for you coming on the show and talking today as eloquently as you have. So, thanks for coming on.

Chris Ritson: Thank you. It’s been my pleasure. Thank you for inviting me. Cheers.

Paul Heming: Absolute pleasure. And everyone, as always, I will speak to you next week. Have a great weekend. Thank you.

Risk Register Template

Are you looking for a Risk Register template to work with on your construction project? Our team of ...

Download now

More Episodes