Feeds

What could possibly go wrong?

Risk assessment: prepare for the worst, don't frighten the horses

  • alert
  • submit to reddit

The essential guide to IT transformation

Project management Who says there isn’t much government transparency on the riskiness of recent projects?

David Pitchford, executive  director of major projects, efficiency and reform group at the Cabinet Office, recently said: “We in the UK have a propensity to try to do things that have never been done before. Innovation is a good thing, but innovation with a 100 per cent risk of failure is not innovation; it is a gamble. We do that very well.”

Pitchford added that no one in government “seems to know how many projects are on the books or how much they will cost”. Gulp! A risky business indeed.

Speaking at the recent Association for Project Management conference, Pitchford was perhaps preaching to the converted but his comment offered a rare glimpse of what seems to be the perceived level of risk in big government projects.

Such a candid exchange was itself a bit risky and the Cabinet Office has since issued a “no comment until the review process is over” statement. But in reality civil servants are confronting what every project manager (PM) has to consider: how to predict types and levels of risk and prepare for them.

In a perfect world we would identify all the risks, cost them and develop a contingency plan. “Simples”, as the TV meerkat would say. But of course it is not so simples in reality.

Take for example the construction of Terminal Five at Heathrow. During the construction of the Heathrow Express Rail Link which was to serve the terminal, the train link tunnel running through the airport complex collapsed leaving a huge crater in the ground.

No one in government “seems to know how many projects are on the books or how much they will cost”

Unfortunately the prediction of possible tunnel collapse was not in the risk register, the document which seeks to foresee all possible risks.

David Hancock, Head of Project Risk, Transport for London and formerly responsible for the risk managment system on the project explains: "British Airports Authority (BAA) told us that when the collapse occured the contract had to be thrown out the window because the risk wasn't in the risk register. When we asked people about the register they said that a collapse seemed so unlikely it didn't seem worth putting it in the register.

"They also said 'but if we put it in there it might happen', and that 'if I put my name next to it I might get the blame for it.' So for whatever reason it wasn't in there."

This case study says a lot about the process of evaluating risk. Even if you are able to predict all the risks there may be human factors preventing you from taking account of some of them.

The ultimate solution was to pour concrete into the resulting hole for three days causing a bumper sales year for a lucky concrete supplier. Meanwhile it precipitated a major review of how contracts could be put together and led to new agreements that shared the risks with a shared contingency 'pot', instead of BAA holding all the risk. These became part of the Terminal 5 Handbook used for working with contractors.

Hancock believes this was a major factor in ensuring the Terminal 5 project was delivered close to its target date of completion.

What gave the project its “infamous” tag, of course, was the headline-grabbing failure of the baggage handling system when the terminal was handed over and opened for business.

So what is the best approach to risk? The first task is to draw up the aforementioned risk register (or “risk log” in Prince2 parlance) in an exhaustive attempt to identify and analyse risks and plan for possible management.

Implementation risks, which are generally easily foreseen, relate to suppliers, labour, and rework. The hazard rating is usually derived from “likelihood” multiplied by “impact”. As such measures are subjective, this is a qualitative process. A range of other less likely risks – such as tunnel collapses – should be added to ensure completeness.

Alongside these calculations quantitative risk analysis works by creating random activity durations, using the Monte Carlo technique, within agreed duration limits to map out the probability of finishing the project at certain times. For example the critical path calculation may be 20 days with a probability of 60 per cent, and 25 days with a probability of 20 per cent.

A line graph of probability vs time gives a clear view of the probable completion on a particular date, with probability falling away on either side of that date in an inverted V.

An alternative to the Monte Carlo technique is to use a spreadsheet for project planning and run a range of “what if?” scenarios. This allows for a wider range of predictions for start and finish dates for selected activities.

The calculation of risk naturally leads to the creation of a contingency fund, and where appropriate insurance. However, the larger the contingency fund, the more it is prone to risk itself. How has the Olympic Delivery Authority been faring on the money markets with its jaw-dropping £1.2bn contingency fund? A Freedom of Information request might be needed to tease that one out.

Coping with risks during a project is often ad hoc but an issue log or register details each problem, its status and who owns it. Understandably, the issue log becomes the feared black book at most review meetings but it is helpful as an audited record of problems needing to be fixed, or at least contained.

A cost/benefit risk analysis is also commonly employed before, during and after a project to calculate its payback time or break-even point. Much of this is qualitative but on huge projects such as the government’s ID card scheme it can lead to a big red light and cancellation. In the case of a new road such as the emerging motorway at Hindhead in Hampshire, designed to ease access to Portsmouth and beyond, calculations of benefit are very much of the “finger in the air” variety.

So how do PMs estimate risk in practice?

Ivan Lloyd, director of Corporate Project Solutions, thinks it is all about information gathering. “Drawing on past experience and best practices is best. Detailed requirements gathering will also help project managers understand every single step. Until this is done you can’t accurately forecast resources or the risks involved,” he says.

Others recognise that you have to narrow your focus for efficiency. Peter Taylor, author of The Lazy Project Manager, says: “I use the 80/20 rule for risk planning. You should be able to anticipate 80 per cent of the likely risks, then make sure that you are not running at capacity during the execution and control phase so you can deal with the risks you could not anticipate.”

Strategies for minimising risk are many and varied but the standard principle is probably “be prepared or prepare your CV”.®

Bootnote

The Heathrow Express Rail Link tunnel collapse was described in court as “the worst civil construction disaster for 25 years”. Builder Balfour Beatty was fined £1.2m, while Austrian engineering firm Geoconsult, responsible for monitoring the progress of the Heathrow Express Link, was fined £500,000. Both companies paid a further £100,000 in costs.

Secure remote control for conventional and virtual desktops

More from The Register

next story
BBC: We're going to slip CODING into kids' TV
Pureed-carrot-in-ice cream C++ surprise
China: You, Microsoft. Office-Windows 'compatibility'. You have 20 days to explain
Told to cough up more details as antitrust probe goes deeper
Windows 7 settles as Windows XP use finally starts to slip … a bit
And at the back of the field, Windows 8.1 is sprinting away from Windows 8
Linux turns 23 and Linus Torvalds celebrates as only he can
No, not with swearing, but by controlling the release cycle
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
This is how I set about making a fortune with my own startup
Would you leave your well-paid job to chase your dream?
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?