0470_022817_01_prexvi.fm Page i Wednesday, September 8, 2004 7:59 PM Project Risk Management Guidelines TEAM LinG - Live, Informative, Non-cost and Genuine ! 0470_022817_01_prexvi.fm Page ii Wednesday, September 8, 2004 7:59 PM TEAM LinG - Live, Informative, Non-cost and Genuine ! 0470_022817_01_prexvi.fm Page iii Wednesday, September 8, 2004 7:59 PM Project Risk Management Guidelines Managing Risk in Large Projects and Complex Procurements Dale F. Cooper, Stephen Grey, Geoffrey Raymond and Phil Walker Broadleaf Capital International TEAM LinG - Live, Informative, Non-cost and Genuine ! 0470_022817_01_prexvi.fm Page iv Wednesday, September 8, 2004 7:59 PM Copyright © 2005 John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England Telephone (+44) 1243 779777 Email (for orders and customer service enquiries): [email protected] Visit our Home Page on www.wileyeurope.com or www.wiley.com All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London W1T 4LP, UK, without the permission in writing of the Publisher. Requests to the Publisher should be addressed to the Permissions Department, John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England, or emailed to [email protected], or faxed to (+44) 1243 770620. Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The Publisher is not associated with any product or vendor mentioned in this book. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the Publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought. Other Wiley Editorial Offices John Wiley & Sons Inc., 111 River Street, Hoboken, NJ 07030, USA Jossey-Bass, 989 Market Street, San Francisco, CA 94103-1741, USA Wiley-VCH Verlag GmbH, Boschstr. 12, D-69469 Weinheim, Germany John Wiley & Sons Australia Ltd, 33 Park Road, Milton, Queensland 4064, Australia John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop #02-01, Jin Xing Distripark, Singapore 129809 John Wiley & Sons Canada Ltd, 22 Worcester Road, Etobicoke, Ontario, Canada M9W 1L1 Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. Library of Congress Cataloging in Publication Data Project risk management guidelines: managing risk in large projects and complex procurements/ Dale Cooper...[etal.]. p. cm. Includes bibliographical references and index. ISBN 0-470-02281-7 (cloth: alk. paper) 1. Risk management. 2. Project management. 3. Industrial procurement—Management. I. Cooper, Dale F. HD61.P765 2004 658.15’5—dc22 2004011338 British Library Cataloging in Publication Data A catalogue record for this book is available from the British Library ISBN 0-470-02281-7 Typeset in 10/12pt Garamond by Integra Software Services Pvt. Ltd, Pondicherry, India Printed and bound in Great Britain by Antony Rowe Ltd, Chippenham, Wiltshire This book is printed on acid-free paper responsibly manufactured from sustainable forestry in which at least two trees are planted for each one used for paper production. TEAM LinG - Live, Informative, Non-cost and Genuine ! 0470_022817_01_prexvi.fm Page v Wednesday, September 8, 2004 7:59 PM C ONTENTS Foreword vii Preface ix About the authors xiii Introduction to project risk management 1 Part I The basics of project risk management 11 1 The project risk management approach 13 2 Establish the context 19 3 Risk identification 37 4 Qualitative risk assessment 45 5 Semi-quantitative risk assessment 59 6 Risk treatment 73 7 Monitoring and review 89 8 Communication and reporting 93 9 Project processes and plans 101 10 Simplifying the process 109 11 Managing opportunities 125 12 Other approaches to project risk management 137 Part II Extending the basic process 145 13 Case study: tender evaluation 147 14 Contracts and risk allocation 161 15 Market testing and outsourcing 171 16 Public–private partnerships and private financing 183 17 Technical tools and techniques 203 18 Introduction to environmental risk management 225 Part III Quantification of project risks 249 19 Introduction to quantification for project risks 251 20 Cost-estimating case studies 263 21 Case study: planning a timber development 279 22 Capital evaluation for large resource projects 295 TEAM LinG - Live, Informative, Non-cost and Genuine ! 0470_022817_01_prexvi.fm Page vi Wednesday, September 8, 2004 7:59 PM vi Contents 23 Risk analysis and economic appraisal 311 24 Conclusions 321 Part IV Additional information and supporting material 329 25 Risk management process checklist 331 26 Worksheets and evaluation tables 335 27 Examples of risks and treatments 357 Glossary 371 References 375 Index 379 TEAM LinG - Live, Informative, Non-cost and Genuine ! 0470_022817_01_prexvi.fm Page vii Wednesday, September 8, 2004 7:59 PM F OREWORD Project risk management has come a long way since the 1980s, when Dale Cooper and I worked together on a range of risk management consultancy projects in the UK, Canada and the USA, published together, and became friends as well as colleagues. In particular, the leading edge has moved from bespoke methods and models developed for particular organizations and situations towards generic processes. It has also come along way since the mid-1990s, when Stephen Grey and I worked together on the Association for Project Management PRAM (Project Risk Analysis and Management) Guide. In particular, the debate about what shape generic processes should take has clarified a number of issues, without leading to a consensus. Project risk management continues to evolve in interesting and useful ways, with no end to this development in sight. One of the key current dilemmas is the gap between common practice and best practice. Central to this is a widespread failure to understand the relationship between simple approaches that work well in appropriate circumstances, and more complex approaches that pay big dividends when the aspects they focus on deserve attention. Opinions are divided on the scale and nature of this dilemma, and I have some views on how best to approach it which differ from those put forward in this book. However, I think this book is very useful reading for both experts and novices. It addresses the need for simplicity without being simplistic in a direct manner. It has lots of useful practical advice for getting started and dealing with simple situations. It also addresses some of the areas where more sophisticated approaches are well worthwhile, and some of the relevant concepts and tools. In addition, it packages the whole in a structure that works well. A key feature of this book is the way it postpones addressing quantitative analysis and associated process iterations (multiple pass looping) until after the basic process has been described. Initially I found this a source of concern. However, this book is unusually clear about the limitations of semi-quantitative approaches, the consequence rating tables (Tables 4.3 and 4.4) make this approach unusually rich in insight, and the attractions of the starting position adopted include a close proximity to common practice. There are many routes to best practice, and both the best routes and the nature of the destination are debatable. This book provides a particularly simple basic process as a starting position without overlooking the drawbacks, and it addresses many of the implications of more sophisticated processes later. Another key feature of this book is the notion that best practice risk management is shaped to particular contexts for efficiency, but the principles are universal and transporta- ble. The chapters on environmental issues and outsourcing, for example, address very dif- ferent contexts, but they share some basic perspectives. TEAM LinG - Live, Informative, Non-cost and Genuine ! 0470_022817_01_prexvi.fm Page viii Wednesday, September 8, 2004 7:59 PM viii Foreword This is a pragmatic and directly useful book for project risk management novices. It is also a stimulating and challenging book for those with considerable experience of the field. Chris Chapman Professor of Management Science University of Southampton, UK TEAM LinG - Live, Informative, Non-cost and Genuine ! 0470_022817_01_prexvi.fm Page ix Wednesday, September 8, 2004 7:59 PM P REFACE The risk management processes described in this book had their genesis well over 20 years ago when I accepted a position at the University of Southampton. There I met and worked with Dr Chris Chapman, already an acknowledged expert in project risk, with an estab- lished relationship with BP and an extensive client base in Canada. Chris involved me in his consulting activities in North America, primarily associated with quantitative risk analyses of large projects in the hydroelectric and the oil and gas industries. This was a time of innovation, as there were few protocols or models for the kinds of risk analyses that were required for these projects, and the quantitative calculations used a form of numerical integration called the Controlled Interval and Memory approach, developed by Chris, that was implemented in bespoke software. We had to develop different model structures and forms of analysis, and new software had to be written on some occasions to accommodate the new structures. It was highly stimulating, at times exhausting, and great fun, and I learned a huge amount from Chris and the clients with whom we worked. Many of the projects on which we worked are described in published papers, and some of them are referred to in the case material in this volume. They are all described in our book (Cooper and Chapman, 1987). After I left Southampton, I worked as a consultant in the finance sector, primarily with international companies in the UK, USA, Hong Kong and Australia. Many of my assign- ments involved risk in one form or another: risks associated with trading equities, bonds, commodities, currencies and other financial instruments; compliance risks; new business risks as the finance sector in the UK restructured and transformed itself at the time of the so-called Big Bang; and balance sheet and liquidity risks associated with the management of financial assets and liabilities having different bases and maturity structures. I then worked as a senior line manager in the sector, where I had to develop organizational strategy and manage its implementation, as well as run operational business areas. One of the main lessons I learned from the finance sector, an industry that is often perceived as notoriously risky, is this: if something is too complex to understand and explain then it is probably too risky to undertake, as you won’t be able to design and implement the right kinds of operational processes, controls and monitoring to manage the risks effect- ively. That insight, and the reinforcement I have received from many clients subsequently, has led me to simplify many of the processes and tools I use for risk management. When complexity is needed, then it is really needed and it must be done properly, but simple approaches are often sufficient for making sound decisions. A large part of this book is based on simple qualitative approaches to project risk. The processes described here had a long gestation; they were first formalized by me in the New South Wales Government Risk Management Guidelines in 1993. The first version of the Australian and New Zealand Standard on Risk Management (AS/NZS 4360) (1995), extended TEAM LinG - Live, Informative, Non-cost and Genuine !