TCM Framework: An Integrated Approach to Portfolio, Program and Project Management
(Rev. 2012-01-09)



7.6 Risk Management

7.6.1 Description

    Risk management is the process of identifying risk factors (risk assessment), analyzing and quantifying the properties of those factors (risk analysis), mitigating the impact of the factors on planned asset or project performance and developing a risk management plan (risk mitigation), and implementing the risk management plan (risk control).[57] The goal of risk management is to increase the probability that a planned asset or project outcome will occur without decreasing the value of the asset or project. Risk management presumes that deviations from plans may result in unintended results (positive or negative) that should be identified and managed.

    The risk management process is applied in conjunction with the other asset and project control planning processes (i.e., scope development, cost estimating, schedule planning and development, and resource and procurement planning). For example, when risk management identifies a risk factor and impact that can be mitigated using an alternative project plan, the alternative plan is developed using the applicable planning process (e.g., cost estimating, scheduling, etc.). This iterative planning approach of assessing and analyzing risk factors and developing alternative plan concepts that mitigate the risk impacts is applied until a baseline project control plan (including the risk management plan) is implemented.

.1 Uncertainty and Risk

    Risk management is a process for addressing uncertainty in project outcomes. While uncertainty is generally understood to include both better and worse outcomes than planned (i.e., opportunities and threats), the term "risk" is not always interpreted to be the same as uncertainty. There are three conventions for defining the term "risk":

  1. risk is the same as uncertainty (i.e., threats + opportunities),

  2. risk is only the negative impacts of uncertainty (i.e., threats),

  3. risk is the net impact of uncertainty (i.e., threats – opportunities).

    In TCM, potential deviations from plans are all considered potentially adverse to overall performance (i.e., a perceived opportunity may also be a threat). However, properly managed, the asset management or project team may be able to capitalize on "opportune" uncertainties. Therefore, the term "risk" is defined in TCM as being the same as uncertainty; both threats and opportunities need to be assessed, analyzed, and controlled.

.2 Decision and Risk Analysis

    The full risk management process, as mapped in this section, is designed for addressing uncertainty in project outcomes (i.e., from a project control context). However, the process generally applies and is critical to addressing uncertainty in the outcomes of any decision. As discussed in Section 3.3, a key challenge in strategic asset planning and investment decision making is bringing an awareness of risk and probability concepts to those processes whether they result in an implemented project or not. Traditional economic analysis used in investment decision making may be somewhat meaningless when there are significant risks.

7.6.2 Process Map for Risk Management

    The risk management process centers on steps that assess risk factors and then analyze and mitigate their impacts. The primary outputs of risk management are baseline project scope definition and project control plans (including contingency) that address project risks, including a risk management plan for how to address risk factors that occur during project execution. Figure 7.6-1 is a process map for risk management.


Figure 7.6-1 Process Map for Risk Management

    The following sections briefly describe the steps in the risk management process.

.1 Plan for Risk Management

    At the start of the process, risk management leadership is established with the responsibility to plan and prepare for the risk assessment, analysis, and mitigation efforts that will culminate in the risk management plan and risk control during execution. The leadership should establish the scope of risk management for the project (e.g., objective, methods, measures, assumptions, etc.). Roles and responsibilities should also be identified; this may include identifying a risk study team. The scope must be aligned with the strategic asset requirements and project implementation basis (see Sections 3.1 and 4.1, respectively) and with the current asset or project scope definition (see Sections 3.2 and 7.1).

    Planning for risk management is facilitated when the enterprise has a project system that establishes guidelines for when and how risk management is to be applied and provides capabilities for the process (i.e., methods, tools, and resources).

    Risk management is applicable to all enterprises and all asset or project life cycle stages. Risk assessment, analysis, and mitigation efforts are typically applied in a phased manner consistent with the project scope development phases described in Section 7.1.

    During planning, it is especially important to understand the interrelated nature of value engineering (Section 7.5) and risk management. Changes to plans to address value issues affect risk and vice-versa. Therefore, as indicated in the process map in Section 2.4, the value engineering and risk management processes generally need to be revisited together.

    Many individuals on the strategic asset or project team may be involved in the risk management process. Diversity of the risk management team is strongly encouraged, with participation by stakeholders and end users. However, risk management success is facilitated by having experienced cost management personnel coordinate the process because it is so closely linked to the other strategic asset and project control planning processes.

    Management support of the risk management process is vital to ensure that all the necessary resources are made available and are committed to the success of the process. Also, the project team must clearly understand management’s risk tolerance (i.e., willingness to accept or desire to avoid risks).

    While the risk management process presented here appears somewhat mechanistic, experience and judgment, supported by good historical data about risk factors, are essential to effective risk management.

.2 Identify and Assess Risk Factors

    Once the process has been planned, the risk study team identifies asset or project risk factors for analysis. Risk factors (or drivers) are events and conditions that may influence or drive uncertainty (i.e., either opportunities or threats) in asset or project performance. They may be inherent characteristics or conditions of the asset or project or external influences, events, or conditions such as weather or economic conditions.

    Checklists or databases of common risk factors may be developed and used to facilitate this risk factor identification step. Checklists and similar tools are generally based on project historical data. For example, research of industry historical data has shown that one of the most significant project risk factors is having a poor level of project scope definition and planning. However, other risk factors may be unique to the asset or project; therefore, input from the entire project team about its risk perceptions should be obtained using creative processes such as brainstorming or other facilitated risk assessment meetings.

    The output of this step is a list of potential risk factors or drivers. The list will generally include brief descriptions of each factor. Risk factors are also often classified by type. A common assessment classification is whether the project team can or cannot control the occurrence of the risk factor. For example, the project team cannot control the weather, but it can control the level of scope definition. For the weather, the project team can only mitigate impacts. However, for scope definition, the team can mitigate the risk factor itself (i.e., improve project definition before implementing the project control plan).

.3 Quantify Risk Factor Impacts

    Once the risk factors have been identified, their quantitative impact on the asset or project plans is analyzed by the study team. Methods of quantification include (but are not limited to) subjective risk study team assessments (e.g., rating each factor’s impact as high, medium, or low), manual estimates of the impact of each factor or group of factors, or complex simulation or parametric models.

    There are two key challenges for risk analysis. First, the impacts of some risk factors are difficult to imagine or estimate, even for the most experienced project teams. Second, even if individual risk factors are understood, it is difficult to understand the interaction of risk factors (Is the occurrence of one risk factor dependent on the occurrence of others? Are risk factor impacts added or compounded?). Parametric modeling is one method that helps address these challenges. Parametric models are typically multi-variable regressions of historical risk factors versus actual project outcomes. Regression empirically quantifies the impact while allowing the dependency of risk factors to be examined. Regression models also provide useful probabilistic outputs, and results are replicable. There are also proprietary commercial project risk analysis systems available that help address the risk analysis challenges.

    Simulation models can be created from project cost estimates, schedules, and any other plan component that can be expressed quantitatively. Monte Carlo simulations are often used because they provide probabilistic output that helps users understand the range of potential impacts of uncertainty on planned outcomes. However, if the simulation models are not empirically based, they tend not to adequately address the risk analysis challenges of properly addressing impacts and understanding risk factor interactions and dependencies.

    The most robust risk analysis methods tend to combine subjective expert and team judgment with objective, empirically based modeling.

.4 Screen Risk Factors and Mitigate Impacts

    Based on the understanding gained from initial risk analyses, the team should mitigate risk factors and/or their impacts and reduce uncertainty by identifying and analyzing project scope and planning alternatives that reduce risk without reducing the value of project outcomes. The risk factors of each mitigation alternative are then analyzed until the project team selects the project plan alternative to be implemented. In other words, risk analysis is done iteratively with risk mitigation.

    As was mentioned, one of the most significant project risk factors is having a poor level of project scope definition and planning. Therefore, a common risk mitigation alternative is for the project team to continue with project planning until the project scope and plans are better defined. Most project systems establish guidelines for expected levels of scope definition.

    Mitigating risks through alternative scope and plan development can be costly and time consuming. Therefore it may be useful to screen the risk factors to identify those for which mitigation efforts are most justified. Risk factors may be screened based on their properties, which include (but are not limited to) the following:

  1. Impact. The cost, schedule, or other quantitative outcome of the risk factor.

  2. Probability. The likelihood that a risk factor will occur. This may be based on an explicit or intuitive assessment and is often expressed as a measure from 0 to 100 percent.

  3. Immediacy. The probability that the occurrence of a risk factor will vary over the life cycle of the asset or project, and the relative influence of the factor at any given time. Risk factors that gradually reveal themselves may be more amenable to mitigation than sudden events.

    Figure 7.6-2 illustrates a common type of risk factor screening matrix. Risk mitigation is generally focused on those risk factors with both high impact and probability.







    [Two-by-two matrix; cell text, row by row:]

  Row 1: Ignore these risk factors. | Analyze and manage where justified. Monitor where appropriate.

  Row 2: Analyze and manage where justified. Monitor where appropriate. | Focus effort to identify alternatives that eliminate this factor, reduce its probability of occurring, and/or reduce its impact. Monitor these factors.

Figure 7.6-2. A Risk Factor Screening Matrix

.5 Develop a Risk Management Plan

    As was mentioned, risk factors of each project scope and plan alternative are analyzed until the project team selects an alternative with acceptable risks for implementation. A risk management plan is then developed for this alternative in alignment with the project implementation basis (see Section 4.1). The risk management plan is part of the project control baseline plans (see Section 8.1).

    The risk management plan will include plans for monitoring a project for the occurrence of key risk factors. The plan may also include optional contingency action plans for how the project team might respond to specific risk factors that might occur. For example, if a risk factor is the availability of people with a particular skill, the risk management plan may stipulate that, if fewer than a certain number of skilled people reply to a job posting (i.e., a threshold limit), a predetermined incentive pay program will be instituted.

    Other project plans may incorporate aspects of risk management as well. For example, the project budget and schedule may include contingency allowances as discussed in the following section.

.6 Analyze Contingency

    Contingency is an amount added to an estimate (of cost, time, or other planned resource) to allow for items, conditions, or events for which the state, occurrence, and/or effect is uncertain and that experience shows will likely result, in aggregate, in additional cost.[58]

    The change management process (see Section 10.3) is used to incorporate changes in the project scope definition and baseline plans; contingency management is part of that process. In change management, if a project team takes an approved corrective action (within the project scope) that will cost more or less than the amount budgeted for the affected cost accounts, or will take more or less time than planned for affected activities, then budgeted funds or float, as approved, may be shifted from or to the contingency budget or float as appropriate.

    Contingency analysis (a sub-step of risk analysis) quantifies the risk factor impacts after all mitigation efforts are complete. The team should guard against assumptions that the mitigation efforts will be entirely successful—or successful at all. Many mitigation efforts, themselves, can introduce additional variation in results that should be accounted for. The amount of contingency included in control plans depends in part on management’s willingness to accept risk. The less risk that management is willing to accept that the project will overrun its budget or schedule, the more contingency that will be included in the control plans.

    The risk management plan should document management’s willingness to accept risk or desire to avoid it. If modeling techniques that produce probabilistic outcomes are used to quantify risk factor impacts, then the documentation of management’s willingness to accept risk can be expressed simply as management’s desired percentage confidence that the project will not overrun its budget or schedule (e.g., 50 percent confidence).
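    The probabilistic contingency analysis described above, together with the Monte Carlo simulation and risk factor dependency points made under "Quantify Risk Factor Impacts", can be sketched as follows. This is an added example, not part of the TCM Framework text. The base estimate, the risk register values, the triangular impact ranges, and all names in the code are constructed assumptions.

```python
import random
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RiskFactor:
    name: str
    probability: float   # likelihood of occurrence (conditional if depends_on is set)
    low: float           # impact range in cost units if the factor occurs;
    likely: float        # negative values model opportunities
    high: float
    depends_on: Optional[str] = None   # can occur only if the named factor occurred

# Constructed sample data for illustration, not figures from the TCM Framework.
BASE_ESTIMATE = 1_000_000.0
REGISTER = [
    RiskFactor("poor scope definition", 0.40, 50_000, 120_000, 300_000),
    RiskFactor("rework from late scope changes", 0.60, 20_000, 60_000, 150_000,
               depends_on="poor scope definition"),
    RiskFactor("severe weather", 0.25, 10_000, 40_000, 90_000),
    RiskFactor("skilled labor shortage", 0.30, 15_000, 45_000, 100_000),
    RiskFactor("favorable material pricing", 0.20, -80_000, -40_000, -10_000),
]

def simulate(register, base, iterations=20_000, seed=7):
    """Return the sorted simulated total costs (base estimate plus risk impacts)."""
    rng = random.Random(seed)          # seeded so that results are replicable
    totals = []
    for _ in range(iterations):
        occurred = set()
        total = base
        for rf in register:            # a parent factor must precede its dependents
            if rf.depends_on is not None and rf.depends_on not in occurred:
                continue               # dependency not met: factor cannot occur
            if rng.random() < rf.probability:
                occurred.add(rf.name)
                total += rng.triangular(rf.low, rf.high, rf.likely)
        totals.append(total)
    totals.sort()
    return totals

def contingency(totals, base, confidence):
    """Amount added to base so that `confidence` of simulated outcomes do not overrun."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    index = min(len(totals) - 1, int(confidence * len(totals)))
    return totals[index] - base

def overrun_probability(totals, budget):
    """Fraction of simulated outcomes that exceed the given budget."""
    return sum(1 for t in totals if t > budget) / len(totals)

if __name__ == "__main__":
    totals = simulate(REGISTER, BASE_ESTIMATE)
    for level in (0.50, 0.80, 0.90):
        amount = contingency(totals, BASE_ESTIMATE, level)
        risk = overrun_probability(totals, BASE_ESTIMATE + amount)
        print(f"P{int(level * 100)} contingency: {amount:>10,.0f}  "
              f"(simulated overrun probability {risk:.1%})")
```

    A lower tolerance for overruns corresponds to a higher confidence level and therefore a larger contingency, which is the relationship the preceding paragraphs describe.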

    Contingency is normally controlled by the project team because experience shows that contingency will likely be required by the project. However, management may request that additional risk allowances be considered in the plans for objectives that it establishes. These allowances, typically controlled by management, are called reserves.

.7 Control Risk Factors and Impacts

    After the project control plan is implemented (see Section 8.1), risk factors and impacts are monitored and measured in accordance with the risk management plan (see Section 10.1). If a monitored risk factor occurs or a risk impact threshold limit is crossed, then contingency action plans may be implemented or other corrective actions taken as appropriate. These changes are managed using the change management process (see Section 10.3). In some cases, further risk assessment, analysis, and mitigation may be required for changes, if performance trends occur, or new risk factors otherwise arise.

    At the close of the project, historical data regarding risk factors and their impacts are captured in the project historical database (see Section 10.4).

.8 Develop and Maintain Methods and Tools

    Risk management uses a variety of methods (e.g., parametric or simulation models) and tools (e.g., risk factor checklists, report templates, etc.) that are developed and maintained. Historical risk factor occurrence and impacts, risk management approaches, and results are key resources for creating risk management methods and tools.

7.6.3 Inputs to Risk Management

.1 Strategic Asset Requirements and Project Implementation Basis. (see Sections 3.1 and 4.1). These define the basis asset scope, objectives, constraints, and assumptions, including basic assumptions about risks.

.2 Asset or Project Scope. (see Sections 3.2 and 7.1). Deliverables (asset options, work breakdown structure, work packages, and execution strategy) that define the current asset or project scope. Risk factors may be inherent characteristics or conditions of the asset or project scope. Scope changes (see Section 10.3) for which risk assessment and analysis will be applied also channel through the scope development process.

.3 Planning Information. (see Sections 3.2, 3.3, 7.1, 7.2, 7.3, 7.4, 7.5, 7.7). All planning components may be subject to risk factors that must be assessed. Also, alternate plans may be considered to mitigate risk factor impacts. Results from Value Engineering (7.5) are particularly important to assess.

.4 Cost, Schedule, and Resource Information. (see Sections 7.2, 7.3, 7.4). The quantification of risk factor impacts employs the methods and tools of the respective planning processes. Risk analysis is iterative with the other planning processes.

.5 Risk Performance Assessment. (see Sections 6.1 and 10.1). In the performance assessment processes, the asset or project status is monitored for the occurrence of risk factors. New risk factors identified during asset operation or project execution may require updated risk management planning.

.6 Change Information and Contingency Management. (see Section 10.3). During project execution, changes to the baseline scope definition and plans are identified in the change management process. In some cases, further risk assessment and analysis may be required for changes and trends. Additional contingency may be required to address changes and performance trends.

.7 Historical Information. (see Sections 6.3 and 10.4). Past risk factor occurrence and impacts, risk management approaches, and results are key resources for understanding asset and project uncertainty and for creating risk management methods and tools.

7.6.4 Outputs from Risk Management

.1 Cost, Schedule, and Resource Information (including Contingency). (see Sections 7.2, 7.3, 7.4). The quantification of risk factor impacts employs the methods and tools of the respective planning processes. Contingency is incorporated in project plans as appropriate.

.2 Planning Basis Information. (see Sections 3.2, 3.3, 7.1, 7.2, 7.3, 7.4, 7.5, 7.7). Alternate concepts and plans may be considered to mitigate risk factor impacts. Ultimately, one alternative is selected as the asset or project planning basis. It is particularly important to determine the extent that alternate concepts may affect value (Section 7.5).

.3 Risk Management Plan. (see Section 8.1). This plan becomes part of the overall project control plan that is implemented. A risk management plan may also be developed for non-project asset investment decision actions (see Section 3.3).

.4 Change Information and Contingency Management. (see Sections 6.2 and 10.3). Findings from risk assessment and analysis may influence the management of changes and contingency.

.5 Historical Information. (see Sections 6.3 and 10.4). Risk management approaches are key resources for future planning and methods development. Historical risk outcomes are reported from the asset and project performance assessment processes.

7.6.5 Key Concepts and Terminology for Risk Management

.1 Risk. (See Section

.2 Uncertainty–Opportunities & Threats. (See Section

.3 Risk Factors (or drivers). (See Section

.4 Risk Assessment. (See Section

.5 Risk Analysis. (See Section

.6 Simulation and Modeling. (See Section

.7 Risk Factor Properties. (See Section

.8 Risk Factor Screening. (See Section

.9 Risk Mitigation. (See Section

.10 Risk Management Plan (See Section

.11 Contingency Action Plans. (See Section

.12 Contingency. (See Section

.13 Risk Control. (See Section

Further Readings and Sources

    This process is based on and is conceptually consistent with risk management steps identified in AACE International’s "Risk Management Dictionary" (see reference detail below). There are many other references describing risk analysis, management, and related practices for various asset and project types in various industries. Risk and decision analysis are often covered in the same texts. The following references provide basic information and will lead to more detailed treatments:


Copyright © 2008 By AACE® International