sign in sign up
<<
Home , Project management, Project risk management

ADVISORY Project

Leadership Series 9

kpmg.com/nz

About the Series KPMG’s Project Advisory Leadership Series is targeted towards owners of major capital programmes, but its content is applicable to all entities or stakeholders involved with major . The intent of the Project Leadership Series is to describe a framework for managing and controlling large capital projects based on the experience of our project professionals. Together with our simplified framework, we offer a sound approach to answer the questions most frequently asked by project owners.

Project

Project risk management is frequently overlooked yet is one of the more critical elements to successful project delivery. Generally, delivering a project’s defined scope on time and within are characteristics of project success. Unfortunately, these success factors are often not achieved, especially for large complex projects where both external influences and internal project may change significantly over time. is a continuous process of identifying, analysing, prioritising and mitigating that threaten a projects likelihood of success in terms of cost, , quality, safety and technical performance. Organisations and owners often consider project risk management activities as “nice to have” on a project rather than as a core component of project controls. Additionally there is some confusion between organisations and project teams as to what exactly constitutes risk management activities.

In this paper, we provide a standard framework for risk management and discuss implementation techniques for projects of all types and sizes. This should provide you with a better understanding of how to address the following challenges:

»» Do we have a comprehensive project risk management policy? »» What elements of project risk management are necessities for our organisation to implement? »» How do we balance the requirements and controls of a risk management programme with efficient and streamlined project execution? »» Are our current project risk management procedures effective at mitigating project risk? »» How do we align our project specific risk management activities with our enterprise risk management objectives? »» What are some key questions we should be asking about project risks throughout the project lifecycle?

Defining project risk management

The objective of project risk management is to understand project and programme level risks, minimise the likelihood of negative events and maximise the likelihood of positive events on projects components, which should be scalable »» Available (staffing, ); and programme outcomes. Project risk to the specific project’s size and type: management is a continuous process »» Preferred reporting and that begins during the phase 1. and planning; protocols; and and ends once the project is successfully 2. Risk identification; »» The organisation’s strategic objectives. commissioned and turned over to operations. 3. Analysis (quantitative and qualitative); Strategy and planning activities include:

Construction owners, project teams and 4. Response planning; and »» Assigning roles and responsibilities contractors often define and apply risk 5. Monitoring and . related to risk management activities; management activities differently on a identifying and defining requirements project. Owners may use informal or ad 1. Strategy and planning for project stakeholders regarding risk hoc practices, such as stage gate approval, management activities; Strategy and planning activities set that they interpret as risk management the foundation for a risk management »» Establishing common risk categories for activities, contractors may define risk programme and ultimately determine identified risks. Categories can wither management as tracking potential whether the initiative is successful. be based on common industry risks change orders, and project teams may During the strategy and planning phase or on the organisations risk categories express the view that “everything we do an organisation will define how risks are (e.g. , financial, operations, is risk management”. While all of these addressed and managed. Strategy and governance etc); and activities help to identify and manage planning should take into consideration: discrete elements of project risk, they »» Developing a risk matrix and assigning do not fully describe a comprehensive »» Corporate or enterprise-wide risk risk ratings to identify risks. The risk approach to project risk management. A management guidelines (including matrix should define risk ratings based comprehensive project risk management tolerance level for risk); on probability and impact by taking into approach should have the following account the organisations risk tolerance. 2. Risk identification 3. Analysis 4. Response planning

Risk identification is the identification of all The analysis phase determines the Response planning is the phase where possible risks that could either negatively or likelihood and impact of each identified the project team develops response positively affect the project. It is important in risk and prioritises risks for management actions and alternative options to reduce the risk identification process to solicit input attention. Successful risk analysis requires project risks. Project teams use response from all project stakeholders including those objective thinking and input from those planning to decide ahead of time how they outside of the core project team. Potential most familiar with the area affected by the will address possible risk occurrences and contributors to risk identification include: possible risk. Analysis is typically a two- how they will avoid, transfer, mitigate or step approach: accept project risks. Response planning »» Project team members (planners, must take into consideration available , , contractors etc); Step 1 – Qualitative analysis resources and potential repercussions »» Risk management team members; of the response plans. The goal of For the qualitative analysis, the project response planning is to align risks with »» Subject matter professionals team assigns a priority level (e.g high, an appropriate response based on the (IT, Safety, Legal etc); medium, low) to each risk. The priority level severity of the risk along with cost, tie and »» Customers (internal and external); should be aligned with the organisations feasibility considerations. Risk response risk management plan, risk tolerance level »» End users; and planning includes: and other organisational objectives. The »» Organisation management priority levels can be used to rack the risks »» Assigning responsibility for identified and leadership. on the risk register and develop efficient risks to appropriate project team members or stakeholders. It is Successfully capturing all project risks response plans that focus attention on imperative that the assignment takes increases with frequent communication items with a higher priority. It is important into consideration the individual’s and feedback amongst team members to identify all potential risks that will capability to address specific risk areas. and stakeholders. These discussions require follow up by the project team. Assigning a risk to someone who has should attempt to identify inaccuracies, little or no knowledge of a risk area is inconsistencies and assumptions regarding Step 2 – Quantitative analysis not an effective risk planning approach. the project. The resulting product of these For the quantitative analysis, the project working sessions should be the initial list of team assigns a most likely cost value to »» Developing a response plan to address identified risks. each identified risk. This value takes into the identified risk. This process should be iterative and include all stakeholders From the initial list of identified risks, a risk consideration both the probability and affected by the risk. Common options for register or log can be populated to ensure potential impact of the risk event occurring. a response include: that all risk items are analysed, prioritised Determining probability and impact can and monitored. Risk registers should typically result from a of exercise including: ÌÌ Avoidance – modifying the include the following fields: »» Interviews – gathering impact and to avoid the potential condition probability data for a range of scenarios or occurrence »» Risk type; (e.g optimistic, most likely and ÌÌ Transference – shifting the »» Description; pessimistic) consequences and responsibilities »» Cost impact; »» Decision trees – comparing the associated with the risk to a third »» Probability; probability of risks and rewards party (often accomplished by between various decisions contractual agreement) »» Risk level; »» Model – conducting a ÌÌ Mitigation – taking preventative »» Possible responses; and project in order to quantify action to reduce the probability of risk »» Action owner. potential impacts to the project. occurrence or impact on the project ÌÌ Acceptance – proceeding as planned and accepting the outcome of a risk. »» Finalising and documenting the various risk responses identified by each responsible party. The plan should clearly define the agreed upon response for a risk, the responsible party, results from both the quantitative and qualitative analysis and a budget and timeframe for the risk response. 5. Monitoring and control

The final step of risk management is if monitoring and control reveals that an the project. However, without a risk monitoring and control. This process should identified risk is unlikely to materialise, management diminished. The two case be set up to track potential risks, oversee the the plan can be adjusted to re-prioritise studies below help demonstrate the implementation of risk plans, and evaluate the risk to a lower level. value and benefit of a comprehensive the effectiveness of risk management risk management process. procedures. Monitoring and control should Potential benefits of risk management Embedding risk management into occur throughout the project lifecycle and Although a well designed and well executed day-to-day activities help improve and guide the overall risk risk management process can significantly management process. This step should: reduce the risk of failure, the benefit of Effective risk management is typically »» Equip management and the project team performing a comprehensive risk analysis achieved when an organisation undertakes to make informed decisions regarding risk; may be costly and burdensome for smaller an active commitment to integrating risk projects with limited . As noted management into their project protocols »» Evaluate the effectiveness of risk earlier in this paper, risk management and controls. Primary considerations for response actions; and processes should be scalable to the size and an organisation to establish an effective »» Identify risk characteristics that appear to complexity of an organisations programme plan include: have changed from what was documented or project. To achieve this, an organisation »» Allotting appropriate resources to in earlier identification and analysis stages. should consider defining a baseline set of perform risk management activities; procedures to apply to all projects along Monitoring and control is essential with more rigorous set of procedures for »» Creating an environment that embraces for maintaining effective and efficient high-value, complex projects. and promotes risk management risk management, it is a barometer for and actively encourages and pursues determining how well your risk management The value of risk management has risk management at all levels of the plan is designed. If monitoring and control traditionally been a difficult concept organisation; and reveals certain risks are not being mitigated to quantify. Many organisations and or avoided as planned, then an adjustment project teams understand the risks as »» Clearly defining and training personnel can be made to the response plan. Likewise, they impact their respective roles on on risk management controls.

CASE STUDY 1 – New medical office building- $30 million

Risk description: In order to commission the building at the completion of construction, the utilities needed to be connected to the utility (gas and electric). Throughout the project, the team could not get a commitment from the utility company for when they would complete the connection. This risk was never communicated beyond the project team and there was no analysis of the impact for a delay or an alternative plan developed to address the risk.

Impact: The risk ultimately did occur and resulted in the need for temporary generators, an increase in the contractor’s general conditions and several months delay to the project completion.

CASE STUDY 2 – New bridge construction - $600 million

Risk description: During the design and planning stages of the project, a decision was made to rely on a geotechnical report that was 30+ years old and in a different location than the planned bridge foundations. The engineers designing the bridge understood this as a risk; however there was no process in place to capture this risk and quantify or communicate the risk to project leadership or to the team responsible for managing the construction phase of the project.

Impact: The bedrock in the actual location of the bridge foundations was substantially different than the geotechnical report indicated. This resulted in a complete redesign of the foundations and several months delay on the project. The financial impacts were greater than $30 million. Many companies set up separate organisations (PMO’s) to manage the unique risk of major capital programmes. This In both case studies, the risks were well known by the project teams and could have been assists the organisation in aligning dedicated resources with the specific avoided or mitigated if a risk management process would have been in place. Having a risk skill sets and team structure to manage major construction projects. management process would have allowed the organisations to track, quantify, plan and communicate the risks to individuals with the capability to help mitigate or avoid the risk. Developing a risk management process

Training is the keystone to any risk management plan. Without a formal training effort, a risk management approach will most likely not be embraced or followed. Not only should training occur at the inception of the policy but it should also include:

»» On-boarding for new hires; »» Regular “brown bag” or informational Many companies set up separate project management organisations session to review any lessons learned, (PMO’s) to manage the unique risk of major capital programmes. This updates to policy, or identified assists the organisation in aligning dedicated resources with the specific leading practices; and TIP skill sets and team structure to manage major construction projects. »» Required refresher sessions to maintain staff awareness of the risk management policies and procedures and to emphasise the organisations CONCLUSION commitment for risk management. Training is often forgotten aspect of A well defined risk management process can help to greatly increase project and policy implementation; however this is programme success. However, risk management has traditionally been overlooked a particularly crucial function to establish and is considered by many of the more fuzzy areas of project management. At a an effective risk management approach. minimum, organisations with significant capital expenditures should clearly define Often overlooked training is crucial their procedures and expectations for risk management, communicate its importance, for informing employees about the adequately train its personnel, and monitor high risk projects for compliance with risk importance of risk management and management procedures. its various elements. About KPMG Project Advisory

KPMG’s Project Advisory services are KPMG applies leading concepts Project Advisory Services can assist objective, professional approaches to and practices, supported by: organisations to generate significant managing the many risks associated › Experienced practitioners cost savings by minimising poor with major change: risks that involve selection decisions, costly overruns, › Recognised best practices complexity, technology, governance, misalignment with needs, selection and management of vendors › Effective tools and templates poor quality deliverables and and partners, implementation of › International standards failed projects. solutions and acceptance of change › Built-in knowledge transfer throughout the organisation.

Our project advisory services include

INDEPENDENT QUALITY PROJECT KPMG’s Portfolio Management (PfM) ASSURANCE (IQA) AND MONITORING Advisory and Assistance services help Is your project or programme on track? These services provide a highly focused, organisations to develop appropriate Are the key risks and issues being activity-based approach to project risk processes and capabilities to achieve effectively managed and addressed? management. They provide management this aim. We provide practical guidance Independent Quality Assurance is with an objective and independent for conducting capability development, KPMG’s approach to providing objective, assessment of the risks associated maturity assessments and performance practical and open feedback to senior with a business initiative, programme or reviews. Our methodology provides a executives, independently assessing project, and evaluate the effectiveness flexible, comprehensive approach that project status, risks and issues. Advice of planned or implemented controls to can help our clients achieve their goals. is provided by experienced staff who mitigate the risks. are not part of the delivery team. PROGRAMME MANAGEMENT BENEFITS MANAGEMENT OFFICE ASSISTANCE PORTFOLIO, PROGRAMME AND REALISATION ADVISORY Programme Management Office AND PROJECT MANAGEMENT KPMG professionals help you identify the Assistance is intended to help our (P3M) PRACTICES measurable business changes that you clients develop the processes to P3M provides services for the purpose will to see at the successful completion support a Programme Management of designing or evaluating portfolio, of your project and to tie these into Office. We assist with the development programme, or project management an effective Benefits Management of a client’s programme office processes practices. The objective is to assist and Realisation strategy which can and facilitate communication across in implementing or improving P3M be referenced in your Business Case. client leadership to help make sure that practices to reduce project costs, Even for projects where outcomes are enterprise programme initiatives are increase project success and create an “enabling” or “intangible”, our Project aligned with the organisation’s business organisational P3M support environment Advisory team will be able to assist with . The focus of the PMO is to which is valued by internal and external the identification of proxy indicators increase project visibility across client stakeholders alike. and benefit relationships to support the leadership in order to help achieve approval of your Business Case and its strategic programme performance. LARGE PROJECT AND PROGRAMME successful delivery. MANAGEMENT ASSISTANCE PROJECT ADVISORY This cornerstone service of KPMG’s PORTFOLIO MANAGEMENT Our practitioners know that successful Advisory practice is designed to Effective portfolio management helps projects are the result of clear vision, address the full lifecycle of a project or large organisations make sound careful planning, and meticulous programme, providing an integrated decisions by prioritising the deployment execution. approach to managing large initiatives of scarce resources to change initiatives Bottom line: Project Advisory services – the result: significant efficiencies and and maximising their value to help drive speed and effectiveness of change enhanced outcomes. The methodology achieve the organisation’s strategy. within your organisation by reducing incorporates concepts from well-known Organisations operate in increasingly costs and increasing success. risk, benefits, project and quality dynamic environments, which often management disciplines to help make it a struggle to satisfy fluid companies achieve the results they business requirements. expect during every phase of a large project or programme. Leadership Series

Please look for important topics covered by our Project Advisory Leadership Series in the coming months:

»» A three part mini series on: How to successfully manage your major projects »» Integrated project delivery »» Building a foundation for a project health check »» Effective reporting for construction projects: increasing the likelihood of project success »» Handling labour risk in construction

Contact us

Gina Barlow Perry Woolley Director Director Project Advisory Project Advisory T: (04) 816 4798 T: (09) 367 5960 E: [email protected] E: [email protected]

Chris Dew Harriet Dempsey Partner Associate Director Project Advisory Project Advisory T: (09) 363 3230 T: (04) 816 4883 E: [email protected] E: [email protected]

kpmg.com/nz

© 2014 KPMG, a New Zealand and a member firm of the KPMG network of independent member firms affiliated with KPMG International (“KPMG International”), a Swiss entity. All rights reserved. Printed in New Zealand. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. 00403