Feeds

What could possibly go wrong?

Risk assessment: prepare for the worst, don't frighten the horses

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Project management Who says there isn’t much government transparency on the riskiness of recent projects?

David Pitchford, executive  director of major projects, efficiency and reform group at the Cabinet Office, recently said: “We in the UK have a propensity to try to do things that have never been done before. Innovation is a good thing, but innovation with a 100 per cent risk of failure is not innovation; it is a gamble. We do that very well.”

Pitchford added that no one in government “seems to know how many projects are on the books or how much they will cost”. Gulp! A risky business indeed.

Speaking at the recent Association for Project Management conference, Pitchford was perhaps preaching to the converted but his comment offered a rare glimpse of what seems to be the perceived level of risk in big government projects.

Such a candid exchange was itself a bit risky and the Cabinet Office has since issued a “no comment until the review process is over” statement. But in reality civil servants are confronting what every project manager (PM) has to consider: how to predict types and levels of risk and prepare for them.

In a perfect world we would identify all the risks, cost them and develop a contingency plan. “Simples”, as the TV meerkat would say. But of course it is not so simples in reality.

Take for example the construction of Terminal Five at Heathrow. During the construction of the Heathrow Express Rail Link which was to serve the terminal, the train link tunnel running through the airport complex collapsed leaving a huge crater in the ground.

No one in government “seems to know how many projects are on the books or how much they will cost”

Unfortunately the prediction of possible tunnel collapse was not in the risk register, the document which seeks to foresee all possible risks.

David Hancock, Head of Project Risk, Transport for London and formerly responsible for the risk managment system on the project explains: "British Airports Authority (BAA) told us that when the collapse occured the contract had to be thrown out the window because the risk wasn't in the risk register. When we asked people about the register they said that a collapse seemed so unlikely it didn't seem worth putting it in the register.

"They also said 'but if we put it in there it might happen', and that 'if I put my name next to it I might get the blame for it.' So for whatever reason it wasn't in there."

This case study says a lot about the process of evaluating risk. Even if you are able to predict all the risks there may be human factors preventing you from taking account of some of them.

The ultimate solution was to pour concrete into the resulting hole for three days causing a bumper sales year for a lucky concrete supplier. Meanwhile it precipitated a major review of how contracts could be put together and led to new agreements that shared the risks with a shared contingency 'pot', instead of BAA holding all the risk. These became part of the Terminal 5 Handbook used for working with contractors.

Hancock believes this was a major factor in ensuring the Terminal 5 project was delivered close to its target date of completion.

What gave the project its “infamous” tag, of course, was the headline-grabbing failure of the baggage handling system when the terminal was handed over and opened for business.

So what is the best approach to risk? The first task is to draw up the aforementioned risk register (or “risk log” in Prince2 parlance) in an exhaustive attempt to identify and analyse risks and plan for possible management.

Implementation risks, which are generally easily foreseen, relate to suppliers, labour, and rework. The hazard rating is usually derived from “likelihood” multiplied by “impact”. As such measures are subjective, this is a qualitative process. A range of other less likely risks – such as tunnel collapses – should be added to ensure completeness.

Alongside these calculations quantitative risk analysis works by creating random activity durations, using the Monte Carlo technique, within agreed duration limits to map out the probability of finishing the project at certain times. For example the critical path calculation may be 20 days with a probability of 60 per cent, and 25 days with a probability of 20 per cent.

A line graph of probability vs time gives a clear view of the probable completion on a particular date, with probability falling away on either side of that date in an inverted V.

An alternative to the Monte Carlo technique is to use a spreadsheet for project planning and run a range of “what if?” scenarios. This allows for a wider range of predictions for start and finish dates for selected activities.

The calculation of risk naturally leads to the creation of a contingency fund, and where appropriate insurance. However, the larger the contingency fund, the more it is prone to risk itself. How has the Olympic Delivery Authority been faring on the money markets with its jaw-dropping £1.2bn contingency fund? A Freedom of Information request might be needed to tease that one out.

Coping with risks during a project is often ad hoc but an issue log or register details each problem, its status and who owns it. Understandably, the issue log becomes the feared black book at most review meetings but it is helpful as an audited record of problems needing to be fixed, or at least contained.

A cost/benefit risk analysis is also commonly employed before, during and after a project to calculate its payback time or break-even point. Much of this is qualitative but on huge projects such as the government’s ID card scheme it can lead to a big red light and cancellation. In the case of a new road such as the emerging motorway at Hindhead in Hampshire, designed to ease access to Portsmouth and beyond, calculations of benefit are very much of the “finger in the air” variety.

So how do PMs estimate risk in practice?

Ivan Lloyd, director of Corporate Project Solutions, thinks it is all about information gathering. “Drawing on past experience and best practices is best. Detailed requirements gathering will also help project managers understand every single step. Until this is done you can’t accurately forecast resources or the risks involved,” he says.

Others recognise that you have to narrow your focus for efficiency. Peter Taylor, author of The Lazy Project Manager, says: “I use the 80/20 rule for risk planning. You should be able to anticipate 80 per cent of the likely risks, then make sure that you are not running at capacity during the execution and control phase so you can deal with the risks you could not anticipate.”

Strategies for minimising risk are many and varied but the standard principle is probably “be prepared or prepare your CV”.®

Bootnote

The Heathrow Express Rail Link tunnel collapse was described in court as “the worst civil construction disaster for 25 years”. Builder Balfour Beatty was fined £1.2m, while Austrian engineering firm Geoconsult, responsible for monitoring the progress of the Heathrow Express Link, was fined £500,000. Both companies paid a further £100,000 in costs.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Sign off my IT project or I’ll PHONE your MUM
Honestly, it’s a piece of piss
Return of the Jedi – Apache reclaims web server crown
.london, .hamburg and .公司 - that's .com in Chinese - storm the web server charts
Chrome 38's new HTML tag support makes fatties FIT and SKINNIER
First browser to protect networks' bandwith using official spec
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
Torvalds CONFESSES: 'I'm pretty good at alienating devs'
Admits to 'a metric ****load' of mistakes during work with Linux collaborators
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.