The project development risks today are more multifaceted and complex than ever. The Engineer Procure Construct (EPC) and Design Build (DB) delivery models can help owners transfer project execution risks to contractors. However, these models are only as effective as the contractor's effectiveness in managing the transferred risk. Competitive market dynamics push many service providers and suppliers outside their comfort zones, into project commitments full of unknowns and uncertainties. Many constructors are asked to take design responsibilities, and engineers and designers are held accountable for construction uncertainties.
As long as the uncertainties are known, the contractors may do something about them (treat them). Measurable uncertainties do not introduce into business any uncertainty. They are called risks (Knight, 1921). Modern project risk management consists of identifying the project uncertainties, quantifying them and executing treatment strategies to mitigate the unfavorable or to exploit the favorable potential consequences of those risks.
The unknowns can also be converted to risks by acquiring and analyzing the information that becomes available as a project progresses. Typically project outcomes can be influenced most effectively at the very beginning of a project, before any significant commitments are made. As a project progresses and irreversible (or too expensive to reverse) commitments are made, the number of effective treatment actions diminishes. Ironically, more valuable information becomes available as a project progresses (Figure 1)
Conducting project risk assessments at the development phase of large projects are common. Typically the risks are identified and assessed in workshops and interviews with subject matter experts, project team and project participants who are experienced in developing similar projects with similar risk profiles. The more unknowns that are converted to risks in early phases, the higher the chances are of avoiding or exploiting them. The risks that cannot be fully avoided are monitored with contingency budgets and mitigation plans. Depending on the risk tolerance of the organization, insurance or bilateral hedging contracts can be obtained in order to mitigate the residual risks.
A necessary approach in EPC and DB delivery models is to continue identifying and assessing risks dynamically as a project progresses and new information becomes available. An effective project controls framework is instrumental in collecting data throughout the project workflows and across the functions, in order to conduct the required qualitative and quantitative analyses.
The dynamic risk management (DRM) process typically follows five steps (Figure 2): 1) Identification 2) Classification 3) Quantitative and Schedule Risk Analysis (QRA) 4) Mitigation Actions 5) Monitoring/Resolution. The level of complexity and the size of a project determine the emphasis and effort required for each step:
Risk identification is the initial project risk management step in uncovering unknown issues that may affect project objectives and recognizing them as potential risks that need to be analyzed. This step requires the collaboration and collective expertise of the project team members and stakeholders. Broad participation should be encouraged continuously from a project's planning phase through its completion. The effort and time invested in the early phases of a project will yield a much higher value than the efforts spent later in the project lifecycle because early detection improves the success of treatment and resolution of the project risks. For example in a DB project, forecasting the project cost and schedule at certain design progress points, or better, continuously side-by-side with the designers will allow the project team timely value engineering and optimization opportunities as the design evolves. Monitoring productivity in the field, fabrication shops and design offices can help identify potential divergences from the project plan and budget.
In the project risk classification step, the identified risks are qualitatively analyzed. Typical project risk classes include cause, type, trigger event, impact types/groups and consequent events. The risk classes differ based on the industry, company, project and execution strategy. Classification helps the project team determine risk priority, available treatment actions, action execution assignees and the quantitative analyses that need to be performed. For example design evolution, productivity and freight risks typically require different type of attention and treatments. Classification can help the project team allocate its risk treatment resources efficiently.
The complexity and phase of the project along with the nature of the identified risks determine the methods used to quantify the project risk. To evaluate an imminent individual risk, in its simplest form, QRA can consist of a deterministic estimation (a single-point figure) of the potential cost and schedule impact. To evaluate the total project risk and assess the required contingency, probabilistic quantification methods including parametric analysis, statistical sampling, decision trees and Monte Carlo simulation (Expected Value, Range Estimating and other methods) reveal more accurate results. Probabilistic methods in general consider a range of values in lieu of a single-point deterministic estimate for consequential impact. Some methods take into account likelihood of realization of each risk when calculating the total project risk because in real life some of the identified risks will not be realized. Interpreting probabilistic results can be confusing for assessing individual risks, however they are necessary to see the big picture and help avoid overstating or understating the required project contingency and float. A clear common understanding of the quantification methodology used should be established across the project team before using the quantitative methods to avoid any confusion down the road.
The risk quantification is also used in risk adjusted asset valuation to evaluate different plant configurations and locations during the planning and development phases. Real options and other financial modeling methods can also be utilized as part of the QRA. This step may sometimes grow too complex for its purpose. As the project progresses and valuable information becomes available, the risk management focus must remain on the identification and mitigation action steps. The QRA step should be as simple and as short as possible, but sufficient enough to be effective.
Risk treatment actions are where the rubber hits the road in project risk management. In this step, actions that will lead to the desired results are determined and assigned to individuals that have the highest capability, influence and motivation to accomplish them. The action execution assignees are typically selected from project team members and stake holders. For example in a construction project, mitigation actions for site labor productivity risks are typically assigned to the site superintendent. If a risk is imminent, contingency plans are prepared in case that risk is realized. In certain instances, the risk or mitigation actions can be transferred to third-party specialists such as specialty subcontractors that have specific expert skills and the motivation to manage them. In other instances some risks can be hedged through financial contracts.
In order to resolve identified risks effectively, they and the status of mitigation actions need to be tracked and frequently reviewed. When an assigned action is completed and its objectives are achieved then the risk issue can be considered resolved. Certain risks cannot be resolved immediately and need to be monitored throughout the project lifecycle. Others become realized despite the actions taken. If an unfavorable risk is realized, the project team must recognize its status and use contingency plans to minimize the consequential impact. DRM programs can lead to faster and more favorable resolutions.
The project risks in EPC and DB execution must be managed dynamically throughout the project under a strong project governance framework. Unknowns must be converted to managed risks continuously, so that proper and timely actions can be taken for risk treatment.
Strong project governance supported by an effective project controls framework and dynamic risk management practice differentiate effective contractors from the rest. Strong project governance can be established through integration of project phases, workflows and functions in a way that is compatible with the company culture.
In order to rein in their EPC and DB risk, the project participants must demand for evidence of strong project governance and dynamic risk management practices when selecting their partners.
