Project risk analysis and management
APM Risk Specific Interest Group January 2018

1. Introduction

This mini guide is a short form of the APM publication, Project Risk Analysis and Management (PRAM) Guide 2nd edition. It provides an introduction to the processes involved in project risk analysis and management, offering a simple, but robust and practical framework to help new practitioners get started. Some of the commonly used techniques and methods are described; a more comprehensive list and description can be found in the full APM guide.

Project risk analysis and management can be used on all projects, whatever the industry or environment, and whatever the timescale or budget.

2. What is PRAM?

In this guide, the term ‘PRAM’ encompasses processes, techniques and methods that enable the analysis and management of the risks associated with a project. Properly undertaken, it will increase the likelihood of successful completion of a project to cost, time and performance objectives.

Risk has two aspects: downside risk or threats, which if they occurred would adversely affect project objectives, and upside risk or opportunities, which if pursued would positively affect the project objectives. This guide focuses on the downside threats, which for the sake of brevity of this guide are called risks. The threats and opportunities are discussed in more detail in the APM PRAM Guide.

Risks for which there is ample data can be assessed statistically. However, no two projects are the same. Often things go wrong for reasons unique to a particular project, industry or working environment. Dealing with risks in projects is therefore different from situations where there is sufficient data to adopt an actuarial approach. Because projects invariably involve a strong technical, engineering, innovative or strategic content, a systematic process has proven preferable to an intuitive approach. PRAM has been developed to meet this requirement.

3. What is involved?

The first step is to recognise that risk exists as a consequence of uncertainty. In any project there will be risks and uncertainties of various types as illustrated by the following examples.

the management and financial authority structure are not yet established;

the technology is not yet proven;

industrial relations problems seem likely;

resources may not be available at the required level.

All uncertainty produces an exposure to risk, which in project management terms, may cause a failure to:

keep within budget;

achieve the required completion date;

achieve the required performance objective.

PRAM is designed to identify and assess risks that threaten the achievement of project objectives and to take action to avoid, reduce or even accept those risks. The next section of this guide describes the benefits that PRAM can bring to a project and also the wider benefits to the organisation and its stakeholders. It should be regarded as an integral part of project or business management and not just as a set of tools or techniques.

The PRAM process

Experienced risk analysts and managers hold perceptions of this process that are subtle and diverse. Figure 1 shows the major phases in the PRAM process. In order to simplify the process, this guide divides the overall process into two constituents or stages: risk analysis and risk management. Risk analysis is the combination of the estimate and evaluate sub-phases within the Assess phase in Figure 1.

Risk analysis

This stage of the process is generally split into two 'sub-stages': a qualitative analysis 'sub-stage' that focuses on identification and subjective assessment of risks, and a quantitative analysis 'sub-stage' that focuses on an objective assessment of the risks.

Qualitative analysis 

A qualitative analysis allows the main risk sources or factors to be identified. This can be done, for example, with the aid of checklists, interviews or brainstorming sessions. This is usually associated with some form of assessment that could be the description of each risk and its impacts or a subjective labelling of each risk (for example, high/low) in terms of both its impact and its probability of occurrence.

A sound aim is to identify the key risks, perhaps between five and 10 for each project (or part-project on large projects), which are then analysed and managed in more detail.


Quantitative analysis

A quantitative analysis often involves more sophisticated techniques, usually requiring computer software. To some people, this is the most formal aspect of the whole process requiring:

measurement of uncertainty in cost and time estimates;

probabilistic combination of individual uncertainties.

Such techniques can be applied with varying levels of effort ranging from modest to extensively thorough. It is recommended that new practitioners start slowly, perhaps even ignoring this ‘sub-stage’, until a climate of acceptability has been developed for project risk analysis and management in the organisation.

An initial qualitative analysis is essential. It brings considerable benefit in terms of understanding the project and its problems irrespective of whether or not a quantitative analysis is carried out. It may also serve to highlight possibilities for risk ‘closure’, ie the development of a specific plan to deal with a specific risk issue.

Experience has shown that qualitative analysis – identifying and assessing risks – usually leads to an initial, if simple, level of quantitative analysis. If, for any reason – such as time or resource pressure or cost constraints – both a qualitative and quantitative analysis are impossible, it is the qualitative analysis that should remain.

It should be noted that procedures for decision-making would need to be modified if risk analysis is adopted. An example that illustrates this point is the sanction decision for clients, where estimates of cost and time will be produced in the form of ranges and associated probabilities rather than single value figures.


Risk management

This stage of the process involves the formulation of management responses to the main risks. Risk management may start during the qualitative analysis phase as the need to respond to risks may be urgent and the solution fairly obvious. Iteration between the risk analysis and risk management stages is likely.

Risk management can involve:

implementing measures to avoid a risk, to reduce its effect or to reduce its probability of occurrence;

establishing contingency plans to deal with risks if they should occur;

initiating further investigations to reduce uncertainty through better information;

considering risk transfer to insurers;

considering risk allocation in contracts;

setting contingencies in cost estimates, float in programmes and tolerances or 'space' in performance specifications.

Section 6 of this guide considers some of the techniques of PRAM in more detail.

4. Why is it used?

There are many reasons for using PRAM, but the main reason is that it can provide significant benefits far in excess of the cost of performing it.

Benefits

The benefits gained from using PRAM techniques and methods serve not only the project, but also other parties, such as the organisation and its stakeholders. Some examples of the main benefits are:

project risks can be actively managed to enhance the performance of the project against its key objectives;

an independent view of the project risks, which can help to justify decisions and enable more efficient and effective management of the risks;

an increased understanding of the project, which in turn leads to the formulation of more realistic plans, in terms of both cost estimates and timescales;

an increased understanding of the risks in a project and their possible impact that can lead to the minimisation of risks for a party and/or the allocation of risks to the party best able to handle them;

an understanding of how risks in a project can lead to the use of a more suitable type of contract;

knowledge of the risks in a project, which allows assessment of contingencies that actually reflect the risks and which also tends to discourage the acceptance of financially unsound projects;

a contribution to the build-up of statistical information of historical risks that will assist in better modelling of future projects;

facilitation of greater, but more rational, risk taking, thus increasing the benefits that can be gained from risk taking;

assistance with the distinction between good luck and good management, and bad luck and bad management.

Who benefits from its use?

an organisation and its senior management, for whom a knowledge of the risks attached to proposed projects is important when considering the sanction of capital expenditure and capital budgets;

clients, both internal and external, as they are more likely to get what they want, when they want it and for a cost they can afford;

project managers who want to improve the quality of their work, ie they want to bring their projects in to cost, on time and to the required performance.

What are the costs of using it?

The costs of using PRAM techniques vary according to the scope of the work and the commitment to the process. Below are some example costs, time-scales and resource requirements for carrying out the process.

Cost

The cost of using the process can be as little as the cost of one or two days of a person’s time up to a maximum of 5–10 per cent of the management costs of the project, even if this higher cost, as a percentage of the total project cost, is relatively small. It can be argued that the cost incurred is an investment if risks are identified during the process that may otherwise have remained unidentified until it was too late to react.

Time

The time taken to carry out a risk analysis is partially dependent upon the availability of information. A detailed cost and time risk analysis usually requires anywhere from one to three months depending on the scale and complexity of the project, and the extent of planning and cost preparation already carried out. However, as indicated above, a useful analysis can take as little as one or two days.

Resources

The minimum resource requirement is obviously just one person within an organisation with experience of using PRAM techniques. However, if expertise does not exist within the organisation, it can be readily acquired from outside consultants. It is likely that once PRAM has been introduced to an organisation, in-house expertise will develop rapidly.

As stated in Section 3, PRAM is relevant to all projects and is an integral part of project management. This can make it very difficult to separate the costs of performing it. Some organisations treat these costs as an overhead to the organisation, and not to the project.

5. When should it be used and who should do it?

PRAM is an inherently scalable process and as such can be applied to nearly all projects to the point where it brings benefits to that project without overburdening it. PRAM is a continuous process that can be started at almost any stage in the life cycle of a project; however, it is most beneficial to use it in the earlier stages of a project.

There are five points in a project where particular benefits can be achieved by using it:

1. Feasibility study. At this stage, the project is most reliable, enabling changes to be made that can reduce the risks at a relatively low cost. It can also help in deciding between various implementation options for the project.

2. Sanction. The client can make use of it to view the risk exposure associated with the project and can check that all possible steps to reduce or manage the risks have been taken. If a quantitative analysis has been carried out, then the client will be able to understand the 'chance' that they have of achieving the project objectives (cost, time and performance).

3. Tendering. The contractor can make use of it to ensure that all risks have been identified and to help them set their risk contingency or check their risk exposure.

4. Post tender. The client can make use of it to ensure that the contractor has identified all risks and to assess the likelihood of tendered programmes being achieved.

5. At intervals during implementation. It can help to improve the likelihood of completing the project to cost and timescale if all risks are identified and are correctly managed as they occur.

Which projects are suitable?

Many experienced practitioners of PRAM would say “any and all” in answer to this question, and experience does show that this is the case – the reasons were stated earlier in the guide. All projects contain risk, and risk analysis and management is an integral part of project or business management.

Attend any conference or read any literature on risk and it is clear that the most extensive applications have occurred on large capital projects, such as defence, oil and gas, aerospace and civil engineering – these projects have been the proving ground for many of the techniques.

In other fields, there are examples of risk analysis and management applied to insurance, IT projects and software development, and projects for organisational change.

The only general guidance is that the more complex or more innovative the project, the greater the benefits. On small projects, the budget will probably justify only a low level of application, perhaps omitting the quantitative analysis.

What type of project?

It can be used on any type of project, but it is more beneficial for some projects than others. Some examples of projects that would benefit from PRAM are:

innovative, new technology projects;

projects requiring large capital outlay or investment;

fast-track or high-tempo projects;

projects that interrupt crucial revenue streams;

unusual agreements (legal, insurance or contractual);

projects with sensitive issues (environment/relocation);

projects with stringent requirements (regulatory/safety);

projects with important political/economic/financial parameters.

When should it be done?

There are a few circumstances when it is particularly advisable to use PRAM techniques. These are:

when there are specific targets that must be met;

when there is an unexpected new development in a project;

at points of change in the life cycle of a project.

When shouldn’t it be done?

There are no particular circumstances under which PRAM techniques should not be used except perhaps for repeat projects, where such analyses have already been carried out – unless, of course, there are specific differences between the projects.

In the presence of uncertainty, where severe constraints give rise to significant risk, the absence of relevant data may make a quantitative assessment not worthwhile. However, such circumstances must never prevent a rigorous qualitative analysis being carried out.

Who should do it?

Many people advocate the use of an independent expert or external consultant to ensure they receive an unbiased view, whereas others suggest that PRAM support should be an internal function. Opinions differ widely at this stage, but, essentially, anyone can do it provided consideration is given to the 'perspective' from which they are viewing the project. In any event, the project management team should be closely involved in the analytical process to ensure validity of the analysis and also to allow them to believe in the results.

6. How to do it – techniques and methods

As outlined in Section 3, PRAM can be split into its two constituents or stages – risk analysis (qualitative and quantitative) and risk management. A range of tools for both constituents is available in the reference table of risk tools published by the SIG. There is no one technique or method for carrying out either stage of the process. Some of the techniques and methods that can be employed are detailed below.

Qualitative risk analysis

The first phase of the qualitative analysis is identification. This is considered by some as the most important element of the process, since once a risk has been identified, it is possible to do something about it. Identification can be achieved by:

interviewing key members of the project team;

organising brainstorming meetings with all interested parties;

using the personal experience of the risk analyst;

reviewing past corporate experience if appraisal records are kept.

All of the above methods are greatly enhanced by the use of checklists, which can either be generic in nature, ie applicable to any project, or specific to the type of project being analysed.

Probability impact matrix

Once identified, the risks are then subjected to an initial assessment that categorises the risks into ratings (for example, high/low) of probability of occurrence, and ratings (for example, major/minor) of impact on the project's objectives should the risk materialise. The relative significance of the identified and assessed risks may be displayed on a probability impact matrix. An example matrix is shown in Figure 2. Scaling of the probability and impact should follow the project's risk management approach. Showing the risks in this way helps to focus on the risks that require urgent attention. The matrix can be used to display the effect of planned responses.

Initial responses should be planned for risks that have been assessed as high relative significance and/or require urgent attention. The analysis may be terminated during this phase if the assessment immediately suggests a way in which many identified risks can be mitigated.

It may be necessary to revisit the identification phase after the assessment phase to see if any consequential 'secondary' risks can be identified: a secondary risk may result from a planned response to a risk and might therefore lead to the response being unsuccessful. The necessity of doing this will largely be dependent on the size and/or complexity of the project.

Planned responses should be reviewed for cost-effectiveness and, once approved, should be included in the project schedule.

Quantitative risk analysis

Once all risks have been identified during the qualitative analysis, it may be appropriate to enter into a detailed quantitative analysis. This will enable the impacts of the risks to be quantified against the three basic project success criteria: cost, time and performance. Several techniques have been developed for analysing the effect of risks on the final cost and timescale of projects. However, such techniques do not always readily lend themselves to the analysis of performance objectives.

The main techniques currently in use are:

Sensitivity analysis, often considered to be the simplest form of risk analysis.

Essentially, it simply determines the effect on the whole project of changing one of its risk variables, such as delays in design or the cost of materials. Its importance is that it often highlights how the effect of a single change in one risk variable can produce a marked difference in the project outcome.

In practice, a sensitivity analysis will be performed for more than one risk, perhaps all identified risks, in order to establish those that have a potentially high impact on the cost or timescale of the project. The technique can also be used to address the impact of risk on the economic return of a project. Figure 3 shows an example of a sensitivity diagram.

This diagram shows that the project is very sensitive, as measured against the internal rate of return, to any changes in both the demand for the product and the revenue from the product; however, changes in energy costs or the cost of raw material have much less impact.

Sensitivity diagram for a manufacturing plant

Probabilistic analysis specifies a probability distribution for each risk and then considers the effect of risks in combination. This is perhaps the most common method of performing a quantitative risk analysis and is the one most people consider, incorrectly, to be synonymous with the whole PRAM process. In fact, as this guide illustrates, it is but one facet of that process.

The most common form of probabilistic analysis uses ‘sampling techniques’, usually referred to as ‘Monte Carlo simulation’. This method relies on the random calculation of values that fall within a specified probability distribution often described by using three estimates: minimum or optimistic, mean or most likely, and maximum or pessimistic. The overall outcome for the project is derived by the combination of values selected for each one of the risks. The calculation is repeated a number of times, typically 1,500 depending on the capabilities of the sampling software and organisational preferences, to obtain the probability distribution of the project outcome.

It is usual to carry out a probabilistic time analysis with the aid of a critical path method (CPM) network to model the project schedule. The results of the simulation can be used to compare the effects of risks in a schedule with the qualitative assessment of the risks. For example, a risk with a high impact on a task that is not on the critical path may be treated ahead of a risk with a relatively low impact that is impacting on a critical path item.

The effect of each task on the overall end date of the project can be examined using a tornado chart. An example tornado chart is shown in Figure 4. The length of the bars is a measure of the duration cruciality of a task. (Cruciality = Criticality multiplied by duration sensitivity.) The longer the bar, the more effect that task is having on the overall duration of the project.

Example tornado chart

The tornado chart can also be used to evaluate the cost-effectiveness of planned responses by comparing the assessed effect of risks with the planned effect together with the cost of the planned responses.
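The Monte Carlo schedule analysis and cruciality measure described above, as an added example that is not part of the APM guide. The five-task network and its three-point estimates are constructed, the triangular distribution is one common choice for three estimates, and duration sensitivity is assumed to be the correlation between a task's sampled duration and the project duration, which the guide does not define.

```python
import random
from statistics import mean, pstdev

# Constructed sample network (not from the guide):
# task -> (predecessors, (minimum, most likely, maximum) duration in days).
# Insertion order is a valid topological order.
TASKS = {
    "design":     ([], (20, 30, 50)),
    "procure":    (["design"], (30, 40, 80)),
    "site_prep":  (["design"], (25, 45, 60)),
    "install":    (["procure", "site_prep"], (15, 20, 35)),
    "commission": (["install"], (5, 10, 20)),
}
END = "commission"


def forward_pass(durations):
    """CPM forward pass: return project finish and the set of critical tasks."""
    finish, driver = {}, {}
    for task, (preds, _) in TASKS.items():
        # The predecessor that finishes last drives this task's start.
        driver[task] = max(preds, key=finish.get) if preds else None
        start = finish[driver[task]] if preds else 0.0
        finish[task] = start + durations[task]
    critical, task = set(), END
    while task is not None:          # walk back along the driving path
        critical.add(task)
        task = driver[task]
    return finish[END], critical


def pearson(xs, ys):
    """Pearson correlation; 0.0 if either series is constant."""
    mx, my, sx, sy = mean(xs), mean(ys), pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return mean((x - mx) * (y - my) for x, y in zip(xs, ys)) / (sx * sy)


def simulate(iterations=1500, seed=1):
    """Sample every task duration, rerun the CPM pass, collect the results."""
    rng = random.Random(seed)        # fixed seed so runs are repeatable
    totals = []
    samples = {t: [] for t in TASKS}
    hits = {t: 0 for t in TASKS}     # iterations in which the task was critical
    for _ in range(iterations):
        drawn = {t: rng.triangular(lo, hi, mode)
                 for t, (_, (lo, mode, hi)) in TASKS.items()}
        total, critical = forward_pass(drawn)
        totals.append(total)
        for t in TASKS:
            samples[t].append(drawn[t])
            hits[t] += t in critical
    return totals, samples, hits


def percentile(values, p):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(p / 100 * len(ordered)))]


def cruciality_table(totals, samples, hits):
    """Rows of (task, criticality, sensitivity, cruciality), longest bar first."""
    rows = []
    for t in TASKS:
        criticality = hits[t] / len(totals)
        sensitivity = pearson(samples[t], totals)  # assumed definition
        rows.append((t, criticality, sensitivity, criticality * sensitivity))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def most_likely_finish():
    """Single-value plan using only the most likely estimates."""
    return forward_pass({t: est[1] for t, (_, est) in TASKS.items()})[0]


if __name__ == "__main__":
    totals, samples, hits = simulate()
    print(f"most-likely plan: {most_likely_finish():.0f} days")
    print(f"simulated mean: {mean(totals):.1f} days, P80: {percentile(totals, 80):.1f}")
    for t, crit, sens, cruc in cruciality_table(totals, samples, hits):
        print(f"{t:<11} criticality={crit:.2f} sensitivity={sens:.2f} cruciality={cruc:.2f}")
```

The rows returned by `cruciality_table` are the bar lengths a tornado chart would plot, and the gap between the most-likely plan and the simulated mean is the schedule counterpart of the difference between unadjusted and expected cost.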

The same method can be used for probabilistic cost analysis, especially when the cost estimate can be broken down into the same categories or activities as the schedule and when cost risks are related to time risks. If an independent cost analysis is undertaken, then it may be appropriate to use a spreadsheet method. Figure 5 shows an example of a histogram and cumulative curve derived from a probabilistic time analysis using a model based on a CPM network.

Time probability histogram and s-curve for a new oilfield development

This diagram shows the distribution of finish dates from an example project for the achievement of first oil. It is based on 1,000 iterations using Monte Carlo sampling. The actual finish date of this particular project was achieved within two days of the mean.

Cost probability s-curve for a new office building

This diagram shows the distribution around a cost estimate for the final out-turn cost for a new building. It is based on 1,000 iterations using Monte Carlo sampling. The highlighted figures represent the unadjusted cost, ie the sum of all the cost elements without any risk treatment, the expected cost derived from the statistical mean and a suggested accuracy range. The difference between the unadjusted cost and the expected cost is considered to be an unallocated provision.

Influence diagrams provide a powerful means of constructing models of the issues in a project that are subject to risk. As a result, influence diagrams are now used as the user interface to a computer-based risk-modelling tool, thus allowing the development of very complex risk models that can be used to analyse the cost, time and economic parameters of projects.

Decision trees are another graphical method of structuring models. They bring together the information needed to make project decisions and show the present possible courses of action and all future possible outcomes. Each outcome must be given a probability value indicating its likelihood of occurrence. This form of risk analysis is often used in the cost risk analysis of projects.

Risk management

Risk management uses the information collected during the risk analysis phase to make decisions on how to improve the probability of the project achieving its cost, time and performance objectives. This is done by reducing the risk where it is advantageous to do so, and monitoring and managing the risk that remains.

The project manager uses the information at his/her disposal to choose between the feasible responses to risks assessed during the qualitative phase. This may involve amending the project plans to reduce the risk, for example, moving high-risk activities off the critical path, developing contingency plans to allow rapid response if certain risks occur, or setting up monitoring procedures for critical areas in order to get early warning of risks occurring.

There are three types of response to risk: changing the project scope; proactive response; and reactive response, which can be described as follows:

change project scope: an alteration to the project plan such that the risks are avoided;

proactive response: planned and implemented responses undertaken to reduce the likelihood of the risk and/or the adverse consequences if the risk materialises;

reactive response: a provision in the project plan for a course of action that will only be implemented should the adverse consequences of the identified risk materialise.

Responses to risk can do one or a combination of four things:

1. Avoid – risks that can be eliminated from the project and therefore no longer pose a threat.

2. Reduce – the impact and/or probability of risks that can be decreased by implementing certain actions.

3. Transfer – risks can be passed on to other parties who may be better placed to manage the risks or prepared to insure against their impacts. Unfortunately, this does not eliminate risks or change the ownership of risks.

4. Accept – the benefits that can be gained from taking the risk should be balanced against the penalties.

The risk management phase begins immediately after the qualitative analysis is complete and is then a continuing process through the complete life cycle of the project. The information gained during the quantitative analysis allows the project manager to trade off taking actions now against the likelihood and impact of risk occurring. The project manager may choose to immediately amend his/her overall time and cost plan in order to increase the probability of achieving his/her time and cost objectives.

7. What experience is available?

The majority of the methods, techniques and processes described in this guide have been used in a number of industries since the early 1970s. PRAM has historically been associated with very large, high-capital projects in specific industries, such as defence, oil and gas, aerospace and civil engineering. The experience gained in these industries since the 1970s has disseminated through other industries, such as information technology, manufacturing and business change projects.

The number of companies practising PRAM is continuing to increase due to the realisation that the methods, techniques and processes involved form an integral part of project and business management. The increase in its use has led not only to expertise being gained by individuals within companies, but the arrival of specialist consultancies that can train, advise and carry out PRAM for their clients. PRAM is also an established and important element in the syllabuses of many universities and higher educational establishments.

Further information on project risk management or the APM Risk Specific Interest Group can be found at APM Risk SIG.


APM Risk Specific Interest Group (SIG)

The Risk SIG provides a forum in which to share knowledge and ideas, develop expertise and understanding, foster ‘best practice’ and actively promote the adoption of project risk management.
