Feeds

What could possibly go wrong?

Risk assessment: prepare for the worst, don't frighten the horses

  • alert
  • submit to reddit

The essential guide to IT transformation

Project management Who says there isn’t much government transparency on the riskiness of recent projects?

David Pitchford, executive  director of major projects, efficiency and reform group at the Cabinet Office, recently said: “We in the UK have a propensity to try to do things that have never been done before. Innovation is a good thing, but innovation with a 100 per cent risk of failure is not innovation; it is a gamble. We do that very well.”

Pitchford added that no one in government “seems to know how many projects are on the books or how much they will cost”. Gulp! A risky business indeed.

Speaking at the recent Association for Project Management conference, Pitchford was perhaps preaching to the converted but his comment offered a rare glimpse of what seems to be the perceived level of risk in big government projects.

Such a candid exchange was itself a bit risky and the Cabinet Office has since issued a “no comment until the review process is over” statement. But in reality civil servants are confronting what every project manager (PM) has to consider: how to predict types and levels of risk and prepare for them.

In a perfect world we would identify all the risks, cost them and develop a contingency plan. “Simples”, as the TV meerkat would say. But of course it is not so simples in reality.

Take for example the construction of Terminal Five at Heathrow. During the construction of the Heathrow Express Rail Link which was to serve the terminal, the train link tunnel running through the airport complex collapsed leaving a huge crater in the ground.

No one in government “seems to know how many projects are on the books or how much they will cost”

Unfortunately the prediction of possible tunnel collapse was not in the risk register, the document which seeks to foresee all possible risks.

David Hancock, Head of Project Risk, Transport for London and formerly responsible for the risk managment system on the project explains: "British Airports Authority (BAA) told us that when the collapse occured the contract had to be thrown out the window because the risk wasn't in the risk register. When we asked people about the register they said that a collapse seemed so unlikely it didn't seem worth putting it in the register.

"They also said 'but if we put it in there it might happen', and that 'if I put my name next to it I might get the blame for it.' So for whatever reason it wasn't in there."

This case study says a lot about the process of evaluating risk. Even if you are able to predict all the risks there may be human factors preventing you from taking account of some of them.

The ultimate solution was to pour concrete into the resulting hole for three days causing a bumper sales year for a lucky concrete supplier. Meanwhile it precipitated a major review of how contracts could be put together and led to new agreements that shared the risks with a shared contingency 'pot', instead of BAA holding all the risk. These became part of the Terminal 5 Handbook used for working with contractors.

Hancock believes this was a major factor in ensuring the Terminal 5 project was delivered close to its target date of completion.

What gave the project its “infamous” tag, of course, was the headline-grabbing failure of the baggage handling system when the terminal was handed over and opened for business.

So what is the best approach to risk? The first task is to draw up the aforementioned risk register (or “risk log” in Prince2 parlance) in an exhaustive attempt to identify and analyse risks and plan for possible management.

Implementation risks, which are generally easily foreseen, relate to suppliers, labour, and rework. The hazard rating is usually derived from “likelihood” multiplied by “impact”. As such measures are subjective, this is a qualitative process. A range of other less likely risks – such as tunnel collapses – should be added to ensure completeness.

Alongside these calculations quantitative risk analysis works by creating random activity durations, using the Monte Carlo technique, within agreed duration limits to map out the probability of finishing the project at certain times. For example the critical path calculation may be 20 days with a probability of 60 per cent, and 25 days with a probability of 20 per cent.

A line graph of probability vs time gives a clear view of the probable completion on a particular date, with probability falling away on either side of that date in an inverted V.

An alternative to the Monte Carlo technique is to use a spreadsheet for project planning and run a range of “what if?” scenarios. This allows for a wider range of predictions for start and finish dates for selected activities.

The calculation of risk naturally leads to the creation of a contingency fund, and where appropriate insurance. However, the larger the contingency fund, the more it is prone to risk itself. How has the Olympic Delivery Authority been faring on the money markets with its jaw-dropping £1.2bn contingency fund? A Freedom of Information request might be needed to tease that one out.

Coping with risks during a project is often ad hoc but an issue log or register details each problem, its status and who owns it. Understandably, the issue log becomes the feared black book at most review meetings but it is helpful as an audited record of problems needing to be fixed, or at least contained.

A cost/benefit risk analysis is also commonly employed before, during and after a project to calculate its payback time or break-even point. Much of this is qualitative but on huge projects such as the government’s ID card scheme it can lead to a big red light and cancellation. In the case of a new road such as the emerging motorway at Hindhead in Hampshire, designed to ease access to Portsmouth and beyond, calculations of benefit are very much of the “finger in the air” variety.

So how do PMs estimate risk in practice?

Ivan Lloyd, director of Corporate Project Solutions, thinks it is all about information gathering. “Drawing on past experience and best practices is best. Detailed requirements gathering will also help project managers understand every single step. Until this is done you can’t accurately forecast resources or the risks involved,” he says.

Others recognise that you have to narrow your focus for efficiency. Peter Taylor, author of The Lazy Project Manager, says: “I use the 80/20 rule for risk planning. You should be able to anticipate 80 per cent of the likely risks, then make sure that you are not running at capacity during the execution and control phase so you can deal with the risks you could not anticipate.”

Strategies for minimising risk are many and varied but the standard principle is probably “be prepared or prepare your CV”.®

Bootnote

The Heathrow Express Rail Link tunnel collapse was described in court as “the worst civil construction disaster for 25 years”. Builder Balfour Beatty was fined £1.2m, while Austrian engineering firm Geoconsult, responsible for monitoring the progress of the Heathrow Express Link, was fined £500,000. Both companies paid a further £100,000 in costs.

Boost IT visibility and business value

More from The Register

next story
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Intel's Raspberry Pi rival Galileo can now run Windows
Behold the Internet of Things. Wintel Things
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Eat up Martha! Microsoft slings handwriting recog into OneNote on Android
Freehand input on non-Windows kit for the first time
Time to move away from Windows 7 ... whoa, whoa, who said anything about Windows 8?
Start migrating now to avoid another XPocalypse – Gartner
You'll find Yoda at the back of every IT conference
The piss always taking is he. Bastard the.
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.