Executive Summary
This report was prepared at the request of the U.S. Department of Energy (DOE) as a summary of the most effective risk management practices used by leading owner organizations in project management in the public and private sectors. The methods described here are appropriate for public- and private-sector project owners’ representatives, including senior managers, program managers, project directors, and project managers. The primary objective of this report is to provide DOE project directors with a basic understanding of both the risk management role of an owner’s representative member of a project management team and the knowledge needed for effective oversight of risk management activities that are delegated to contractors. The report also discusses the roles and responsibilities of senior managers and program managers in developing risk consciousness among all owner, contractor, and supplier personnel by educating them about the importance of explicit consideration of risks and the implementation of an effective risk management process. This document is not intended as a rigid process to be followed for all projects but as a guide for all project stakeholders to ensure that project risks are adequately addressed.
Identification and analysis of project risks are required for effective risk management. One cannot manage risks if one does not characterize them to know what they are, how likely they are, and what their impact might be. But project risk management is not limited to the identification and aggregation of risks, and it cannot be repeated too often that the point of risk assessment is to be better able to mitigate and manage the project risks. Additional effort is needed to develop and apply risk management
strategies: Project risk management tools and methods, discussed in this report, can facilitate this effort.
The major steps in a risk management process discussed in this report are the following:
-
Project risk identification,
-
Qualitative risk assessment,
-
Quantitative risk analysis,
-
Risk mitigation,
-
Setting contingency, and
-
Portfolio risk management.
The discussion of the project risk management process in this report is based on the tenets of a proactive approach in which owners take the following basic actions:
-
Establish and maintain management commitment to performing risk management on all capital projects.
-
Start the risk management process early in the project life cycle, prior to critical decision 0, approval of mission need (CD-0) for all projects.
-
Include key stakeholders in the process, with the DOE project director as the lead and the integrated project team intimately involved in the process.
-
Evaluate project risks and risk responses periodically during the project life cycle (CD-0 through approval of the start of operations [CD-4]).
-
Develop risk mitigation plans and update them as the project progresses.
-
Follow through with mitigation actions until risks are acceptable.
-
Tie a project’s level of risk to cost and schedule contingencies.
-
Effectively communicate to all key stakeholders the progress and changes to project risks and mitigation plans.
It should be noted that successful risk management needs to be performed by qualified personnel working within a project management process that includes review and approval by senior management. Critical decision points, such as those defined in DOE O 413.3, are essential for senior managers to ensure the quality of the risk management process and that the risks inherent in a project are necessary and acceptable. Reliance only on team experience, without critical decision reviews, can lead to gaps in analysis and lack of consistency.
In general, the owner is initially responsible for all of the project risks, as it is usually the owner’s decision to execute the project or not. In some cases, of course, there may be no completely risk-free strategy, because not executing the project may entail risks to the successful implementation of the owner’s mission or business plan. Therefore, the owner has the ultimate responsibility for identifying, analyzing, mitigating, and controlling project risks, including acceptance of the project risks, or modification, or termination of the project—all of which are project risk management activties. Owners who successfully manage projects develop expertise and excellence in actively managing project risks and ensure that this excellence is carried through by their contractors. Tools and methods are available that can form the basis for the development of risk management excellence by owners and contractors. However, traditional project management tools, methods, and practices that are satisfactory for typical, conventional projects may be inadequate for project success on unusual or first-of-a-kind projects. In addition to fundamental practices such as development of a risk management plan, repeated risk assessments, statistical analysis, setting contingencies, and mitigation planning, this report describes the following risk management tools and techniques:
-
Database of the events on past projects
-
Brainstorming sessions by the project team
-
Root cause and essential function analysis
-
Repeated risk assessments as new information becomes available
-
Impact and probability analysis
-
Pareto diagrams
-
Failure modes and effects analysis
-
Project Definition Rating Index
-
Multivariate statistical analysis
-
Event trees
-
System dynamics
-
Sensitivity analysis
-
Project simulation
-
Stochastic simulation
-
Additive models
-
Risk mitigation plan
-
Risk transfer
-
Risk buffering
-
Risk avoidance
-
Risk control
-
Organizational flexibility
-
Options
-
Risk assumption
-
Precise and consistent contingency-setting process
-
Risk management plan
-
Waterfall diagram
-
Risk register
Owners with ongoing programs of multiple projects also develop project portfolio risk management expertise and excellence. The intellectual, theoretical, computational, and other resources necessary to produce excellence in project risk management are available to DOE, but they need to be actively sought out and applied.