I - PROJECT RISK MANAGEMENT – OVERVIEW
1. Introduction to Risk
In project management, risk is an unavoidable and integral component. Every project, regardless of its size or complexity,
operates in an environment filled with uncertainty. Risk refers to the possibility that an event or condition may occur which
can affect the achievement of project objectives such as cost, time, quality, safety, or performance.
For example, in construction projects, risks may arise due to adverse weather conditions, delays in material supply, labor
shortages, or changes in government regulations. While risks are often associated with negative consequences, it is important
to recognize that risk-taking can also result in positive outcomes, such as innovation, cost savings, or accelerated project
completion.
Thus, understanding and managing risk effectively is a core responsibility of a project manager.
2. Meaning and Definition of Risk
To ensure clarity and consistency, risk has been defined by various professional bodies and standards.
2.1 General Definition
According to the Oxford English Dictionary, risk is defined as:
“The chance of danger, loss, or negative consequences.”
This definition emphasizes the possibility of harm or loss but does not account for positive outcomes.
2.2 Professional Definitions of Risk
To overcome this limitation, professional organizations provide broader and more comprehensive definitions:
• ISO Guide 73 / ISO 31000
Risk is defined as:
“The effect of uncertainty on objectives.”
This effect may be positive, negative, or both, highlighting that risk is not always harmful.
• Institute of Risk Management (IRM)
Risk is described as:
“The combination of the probability of an event and its consequences.”
This definition stresses both likelihood and impact.
• PMBOK Guide (Project Management Institute – PMI)
According to PMBOK:
“A project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more
project objectives.”
These definitions collectively establish that risk is closely linked to uncertainty, probability, and impact, and that it can
influence project outcomes in multiple ways.
3. Key Concepts in Risk Management
3.1 Risk vs. Uncertainty
Understanding the distinction between risk and uncertainty is fundamental in project management.
• Risk
o Risk is measurable.
o Possible outcomes can be identified.
o Probabilities can be assigned based on past data or experience.
o Example: There is a 30% chance of project delay due to monsoon rains.
• Uncertainty
o Uncertainty arises when there is insufficient information.
o Outcomes cannot be predicted or quantified.
o Example: Implementing a completely new construction technology with no prior experience.
This distinction is crucial because:
• Risks can be planned for and managed, while
• Uncertainty requires flexibility, learning, and adaptability.
4. Types of Risks in Project Management
4.1 Threats
A threat refers to a negative risk that can hinder or prevent project success.
Examples:
• Budget overruns due to inflation
• Delay in approval from authorities
• Equipment failure during execution
Threats typically require mitigation strategies such as contingency planning or risk transfer.
4.2 Crisis
A crisis is a sudden, severe, and unexpected event that demands immediate action.
Examples:
• Natural disasters such as floods or earthquakes
• Sudden labor strikes
• Major safety accidents on-site
Crises often disrupt normal project operations and require emergency response and crisis management plans.
4.3 Hazards
A hazard is a condition or situation that has the potential to cause harm or damage.
Examples:
• Unsafe scaffolding
• Poor electrical wiring
• Lack of protective equipment at a construction site
Hazards are closely related to safety risks and must be identified and controlled to prevent accidents.
5. Two-Directional Approach to Risk
Modern project management adopts a two-directional view of risk, recognizing both negative and positive aspects.
5.1 Upside Risks (Opportunities)
Upside risks are positive uncertainties that can benefit the project.
Examples:
• Adoption of advanced construction technology that reduces project duration
• Availability of skilled labor at lower costs
• Favorable market conditions leading to cost savings
Effective project managers aim to exploit or enhance these opportunities.
5.2 Downside Risks (Threats)
Downside risks represent potential losses or failures.
In construction projects, these risks often receive more attention due to:
• Strict contractual penalties
• Safety regulations
• High financial investments
Examples include delays, cost overruns, quality failures, and legal disputes.
6. Understanding Risk More Clearly
6.1 Core Concept of Risk
At its core, risk signifies that:
“Actual outcomes may differ from planned outcomes.”
Most individuals instinctively view risk as negative because it involves uncertainty and potential loss. However, recognizing
that risk also creates opportunities is essential for project success.
6.2 Risk Characteristics
Risk has the following characteristics:
• It arises from uncertainty
• It affects project objectives
• It can be analyzed and quantified
A commonly used expression for risk is:
Risk = Likelihood × Impact
Where:
• Likelihood refers to the probability of occurrence
• Impact refers to the severity of consequences if the event occurs
This formula helps project managers prioritize risks and allocate resources effectively.
7. Conclusion
Projects that are unique, complex, or innovative tend to carry higher risks, especially when teams lack prior experience or
sufficient knowledge. As project complexity increases, so does exposure to uncertainty.
Effective risk management involves:
• Identifying potential risks early
• Analyzing both threats and opportunities
• Implementing appropriate response strategies
By systematically recognizing and managing risks and uncertainties, project managers can not only protect project
objectives but also unlock hidden opportunities that enhance project value. A well-managed risk approach leads to better
decision-making, improved performance, and successful project outcomes in construction and other industries.
Course Lecture Notes: Session 02 – Types of Risk
Subject: 257004PRM - Project Risk Management
Program: MBA-ACM
Why Categorize Risks
• Risk management's primary goal: avoid unpleasant surprises through comprehensive risk identification.
• Risk categories group risks under common areas, providing structured and systematic identification to
a consistent level of detail.
• Strong risk categories enable greater management focus, provoke deeper thinking, and increase
opportunities to identify wider risk ranges.
Advantages of Categorizing Risks
• Source & Nature: Understand risk origins rather than treating risks as isolated events
• Prioritization: Group similar risks for efficient evaluation
• Targeted Strategies: Develop specific responses vs. generic actions
• Clear Ownership: Map categories to responsible stakeholders
• Systematic Identification: Avoid oversight of hidden or emerging risks
• Resource Allocation: Optimize mitigation based on category impact
• Pattern Recognition: Identify recurring risks for learning & benchmarking
• Better Communication: Use structured categories recognized organization-wide
Part 1: The Eight Categories of Risk
The presentation establishes a comprehensive framework for understanding risk through eight distinct domains.
These domains categorize risks based on their source, scope, and the area of business they impact.
1. Traditional Risk Management: Focuses on risks associated with established practices, often rooted in
insurance history.
2. Project Management (PMBOK): Addresses risks specific to project execution and delivery.
3. Enterprise Risk Management (ERM): Covers risks affecting the entire organization’s strategic goals
(ISO 31000).
4. Economics and Business: Pertains to risks related to market conditions and business operations.
5. Digital Technology: Involves risks arising from cybersecurity and technological advancements.
6. Construction and Engineering: Encompasses risks inherent in building and infrastructure projects.
7. Financial Markets: Relates to risks associated with investments and financial instruments.
8. Environmental/Global: Deals with risks stemming from climate change and global events.
Part 2: Detailed Breakdown of Types by Category
1. Traditional Risk Management Types
• Dynamic Risk: This refers to the uncertainty caused by changes in the economy or society. Unlike static
accidents, dynamic risks are generated by macroeconomic shifts, technological innovation, or changes in
consumer preferences. While they often result in losses for some, they are the engine of economic progress
and can create opportunities for others. Because they alter the fundamental structure of the market, they
are generally considered uninsurable through standard policies.
• Fundamental Risk: These are macro-level threats that impact entire societies, large populations, or whole
industries simultaneously. They are impersonal forces that are largely outside the control of any single
individual or organization. Examples include war, widespread inflation, natural disasters like hurricanes,
and pandemics. Because they affect everyone at once, the risk cannot be spread through a standard
insurance pool and often requires government intervention or collective aid.
• Static Risk: Static risks exist even in a stable economy that is not growing or changing. They represent
the constant perils of life and business that are random and unforeseen. They do not generate economic
change but merely represent a loss of value. Common examples include lightning strikes, theft, accidental
fire, or death. These are the primary focus of traditional insurance because they occur frequently enough
to be predicted statistically.
• Particular Risk: In contrast to fundamental risks, particular risks are micro-level threats that affect a
specific individual, firm, or project rather than the whole economy. These risks arise from specific causes
and have localized consequences. Examples include a car accident involving a specific delivery van, a fire
in a single factory, or the theft of a specific piece of equipment. These are easily manageable by the
affected party and are fully insurable.
• Speculative Risk: This involves a situation where there are three possible outcomes: loss, no loss, or gain.
It is the risk of voluntary choice taken in the hope of a positive return. Historically, risk management
ignored these because “risk” was seen as purely negative. However, modern management recognizes
speculative risk as essential for growth. Examples include investing in a new market, launching a new
product, or betting on commodity prices. These are not insurable because they involve strategic decisions
rather than random chance.
• Subjective Risk: This is the uncertainty that exists in the mind of an individual rather than in the external
world. It is based on personal perception, feelings, and mental state. It varies greatly from person to person
depending on their experience, confidence, and bias. For example, two project managers may look at the
same data; one may feel terrified of the risk (high subjective risk) while the other feels confident (low
subjective risk). This psychological variance often leads to poor decision-making if not checked with
objective data.
• Objective Risk: This is the statistical variation of actual losses from expected losses. It is based on
observable facts, data, and the law of large numbers. Unlike subjective risk, objective risk is measurable
and independent of personal feelings. For instance, if historical data shows that 1 out of every 100
buildings burns down each year, that 1% is an objective risk. It is the scientific foundation for insurance
premiums and probability calculations.
• Pure Risk: A situation where the only possible outcomes are loss or no loss; there is no opportunity for
financial gain. These are typically unavoidable risks of existence. Examples include damage to property
from a storm or liability from a lawsuit. Since these risks offer no upside, the goal of management is
usually to minimize the impact or transfer the risk (typically through insurance).
2. Project Management (PMBOK) Risk Types
• Individual Project Risk: This refers to a specific risk that affects a single task, work package, or a small
element of the project. It is a localized uncertainty. For example, if a specific piece of equipment breaks
down, that is an individual project risk. It impacts the project but is distinct from the overall viability of
the entire endeavor.
• Overall Project Risk: This is the cumulative effect of uncertainty on the project’s entire objectives. It
looks at the “big picture” exposure—the combined impact of all individual risks plus the sources of
ambiguity that affect the project as a whole. It answers the question: “What is the probability that this
entire project will fail to deliver its benefits?” regardless of how well individual tasks are performed.
• Event-based Risks: These are uncertainties that occur as distinct, sudden incidents at a specific point in
time. They have a clear trigger and an immediate consequence. Examples include a server crashing, a key
supplier going bankrupt overnight, or a worker getting injured. These are managed through contingency
plans (what to do if the event happens).
• Non-event Risks: These are risks that are variations or ongoing conditions rather than sudden “events.”
They represent ambiguity or variability that is always present. Examples include “variable productivity
rates” (where the team might be faster or slower than average) or “planning variance.” These require
different management strategies, such as buffers or agile adaptive planning, rather than simple response
plans.
• Known Risks: These are risks that the project team has identified and listed in the Risk Register. Because
they are known, they can be analyzed, prioritized, and assigned specific response strategies (mitigate,
transfer, avoid, or accept). Proactive management is possible here.
• Unknown Risks: These are risks that cannot be foreseen or identified at the beginning of the project. They
are truly unpredictable events (often called “unknown unknowns”). Since they cannot be planned for
specifically, they are managed through Management Reserves (a budget of money and time set aside
specifically for unforeseen issues) and general contingency planning using workarounds.
• Threat (Negative Risk): Risks that, if they occur, will negatively impact one or more project objectives,
such as scope, schedule, cost, or quality. The traditional view of risk focuses almost entirely on threats.
Strategies for dealing with threats include avoiding the risk, reducing its impact (mitigation), transferring
it (e.g., insurance), or accepting it.
• Opportunity (Positive Risk): Risks that, if they occur, will benefit the project. Modern risk management
emphasizes identifying and pursuing these. Examples include a technology becoming available cheaper
than expected, or a competitor exiting the market. Strategies for opportunities include exploiting the risk
(making sure it happens), sharing the gain with a partner, enhancing the likelihood of it happening, or
accepting it if it occurs.
3. Enterprise Risk Management (ERM) Types
• Credit Risk: This is the risk that a borrower or counterparty will fail to repay a debt or meet their
contractual obligations. It is the risk of default. For a bank, this means a borrower not paying their
mortgage; for a business, it means a customer not paying an invoice. Managing this involves assessing the
creditworthiness of clients and setting credit limits.
• Liquidity Risk: The risk that an organization cannot meet its short-term financial obligations as they fall
due without incurring unacceptable losses. It is distinct from solvency. A company can be profitable in
the long term but still face liquidity risk if it has all its money tied up in inventory or property and cannot
pay salaries or suppliers this week. This can lead to bankruptcy even for solvent companies.
• Compliance Risk: The risk of legal or regulatory penalties, financial forfeiture, or material loss resulting
from a failure to comply with laws, regulations, rules, or self-imposed ethical standards. This includes
failing to meet environmental regulations, labor laws, data protection laws (like GDPR), or industry-
specific banking regulations.
• Insurance Risk: Specific to the insurance industry, this is the risk that the claims paid out will exceed the
premiums collected, or that the pricing models used to calculate risk were incorrect. It is the risk that the
insurer itself loses money on its policies due to unforeseen catastrophic events or misjudged probabilities.
• Market Risk: The risk of losses due to movements in market prices. This includes fluctuations in stock
prices, interest rates, currency exchange rates, and commodity prices. It is the risk that the value of an
asset or portfolio will decrease due to market factors that you cannot control.
• Legal Risk: The risk that a transaction or contract will prove unenforceable, or that the organization will
face lawsuits or legal disputes that result in financial loss or damage to reputation. This differs from
compliance risk in that it involves the interpretation of law and the outcome of litigation, rather than just
following rules.
• Financial Risk: A broad category covering how a company manages its capital structure. It relates to the
risk of financial loss resulting from poor financial management, such as having too much debt (leverage),
failing to secure funding for operations, or mismanaging cash flow. It directly impacts the company’s
bottom line and viability.
• Reputational Risk: The risk of damage to an organization’s brand, image, or public perception. In the
digital age, this can escalate quickly. Negative publicity, poor customer service, or unethical behavior can
lead to a loss of trust, which directly translates to a loss of customers, revenue, and market value.
• Operational Risk: The risk of loss resulting from inadequate or failed internal processes, people, and
systems, or from external events. This covers the day-to-day mechanics of running a business. Examples
include employee fraud, system crashes, typing errors in financial data, or physical accidents. It is one of
the oldest and most common forms of risk.
• Governance Risk: Risks related to the ethical and effective leadership of the organization. It arises from
failures in the Board of Directors or executive management to provide proper oversight, strategic direction,
or ethical tone at the top. Poor governance can lead to scandals, mismanagement, and the collapse of the
organization.
• Strategic Risk: The risk of losses arising from poor business decisions, the execution of inadequate
strategies, or the failure to adapt to changes in the business environment. This is a high-level risk involving
the long-term vision of the company. Examples include entering a market that fails, failing to innovate
against competitors, or pursuing a merger that destroys value.
4. Economics and Business Risks
• Market Dynamics: This refers to the forces that influence the behavior of buyers and sellers in a market.
It involves the competitive environment, changes in consumer preferences, and the intensity of
competition. A business faces risk here if a competitor launches a superior product or if consumer tastes
shift away from their offering.
• Economic Conditions: These are macroeconomic factors that affect the entire business environment.
– Inflation: Reduces the purchasing power of money and increases the cost of inputs.
– Deflation: Can lead to delayed consumption as buyers wait for lower prices.
– Business Cycles: Recessions shrink demand, while booms can lead to labor and material shortages
due to overheated demand.
• Financial Markets: Specific financial factors that impact the cost of doing business and profitability.
– Foreign Exchange: The risk that currency fluctuations will make exports less competitive or
increase the cost of imported goods.
– Interest Rates: Rising rates increase the cost of borrowing for the company and reduce the Net
Present Value (NPV) of future projects.
• Commodity Prices: The volatility in the price of raw materials such as oil, steel, copper, or agricultural
products. Sudden spikes in these prices can erode profit margins significantly, especially for
manufacturing or construction firms where materials are a major cost component.
5. Digital & Technology Risk Types
• Cybersecurity Risk: Threats to computer systems, networks, and data from malicious attacks by hackers,
criminals, or state-sponsored actors. This includes malware, ransomware (locking data until paid),
phishing (stealing credentials), and denial-of-service attacks that take websites offline. The impact can
range from financial loss to total operational shutdown.
• Information/Data Risk: The risk of losing data integrity or availability due to accidental deletion,
corruption, hardware failure, or software bugs. This differs from cybersecurity as it is often internal or
technical rather than malicious. It involves the accidental loss of critical business records or historical
data.
• Privacy Risk: The risk associated with the unauthorized access, collection, use, or disclosure of personal
information (PII). With regulations like GDPR, failing to protect employee or customer data can lead to
massive fines and loss of trust. It is distinct from cybersecurity in that it focuses on the rights of the data
subject.
• AI/Algorithmic Risk: Emerging risks associated with artificial intelligence. This includes “Black Box”
risks where an AI makes a decision (like denying a loan) that humans cannot explain or understand. It also
includes algorithmic bias, where AI systems inadvertently discriminate against certain groups because of
the data they were trained on.
• Technology Obsolescence Risk: The risk that the technology an organization relies on becomes outdated
or obsolete, hindering business operations. This occurs when a company invests heavily in a system that
is soon replaced by a superior standard, rendering their investment worthless and leaving them unable to
compete effectively.
6. Construction and Engineering Risk Types
• Technical: Risks related to the physical design and engineering of the project. This includes design errors,
incorrect specifications, unforeseen geotechnical conditions (e.g., hitting rock where soil was expected),
or material failure during construction.
• Financial/Economic: Risks impacting the budget. This includes cost escalation due to market forces,
inflation eroding the value of the budget, and delays in funding from banks or stakeholders that halt work.
• Legal/Regulatory: Risks arising from the legal framework. This includes delays in obtaining permits, land
acquisition disputes, contract disputes between parties, and changes in zoning laws or building codes
during the project.
• Safety/Health: Critical risks involving human life. This includes accidents on the construction site (falls,
electrocution), exposure to hazardous materials, and health hazards. The cost here is not just financial but
human and reputational.
• Project Management: Risks stemming from the management of the project itself. This includes inaccurate
cost estimates, poor scheduling, inadequate planning, and communication failures between stakeholders.
• Environmental: Risks related to the natural environment and ecology. This includes extreme weather
events preventing work, pollution restrictions limiting work hours, or the discovery of protected wildlife
or archeological sites on the land.
• Stakeholder: Risks arising from people affected by the project. This includes community disruption
(noise, traffic), protests from local residents, or conflicting expectations between investors, the
community, and the government.
• Political: Risks arising from government actions. This includes changes in tax laws, political instability in
the region, corruption, and the revision of trade policies that affect material imports.
• Supply Chain: Risks related to logistics and vendors. This includes labor shortages (not enough workers),
unavailability of specific materials (e.g., global shortage of steel), or the failure of a key vendor to deliver
on time.
• Operational: Risks during the execution phase. This includes the breakdown of heavy machinery (cranes,
excavators), low labor productivity, and strikes by workers' unions.
7. Financial Markets Risk Types
• Unsystematic Risk: This is risk specific to a particular company or industry. It is also known as
“idiosyncratic risk.” Examples include a strike at an auto factory or a failed drug trial for a pharmaceutical
company. Crucially, this risk can be eliminated or reduced through diversification (not putting all your
eggs in one basket).
• Systematic Risk: This is risk that affects the entire market or economy. It cannot be eliminated through
diversification. Examples include interest rate changes, global recessions, or geopolitical wars. When the
whole market crashes, even a diversified portfolio will lose value.
• Portfolio Risk: The risk associated with the composition of an investment portfolio. It looks at how
different assets correlate with one another. A well-diversified portfolio minimizes risk by including assets
that move in opposite directions (e.g., stocks and bonds).
• Default Risk: The risk that a borrower (issuer of a bond or loan) will fail to make the required interest
payments or repay the principal amount. This is a major concern for bond investors and banks, as it leads
to a total or partial loss of capital.
• Volatility Risk: The risk of significant price fluctuations in the market. High volatility means the asset
price swings up and down dramatically over short periods. This creates uncertainty and the potential for
massive losses (or gains) in a very short time.
• Basis Risk: The risk that the price difference between two related assets (usually a cash asset and a futures
contract used to hedge it) will change unfavorably. It is the risk that a hedge used to protect against loss
does not work perfectly because the “hedging instrument” and the “asset” do not move in perfect sync.
8. Environmental/Global Risks
• Sustainability/ESG Risk: Risks related to Environmental, Social, and Governance factors. Investors
increasingly look at how a company manages carbon emissions, water usage, labor rights, and board
diversity. Failing to meet these sustainability standards can lead to a withdrawal of investment capital.
• Geo-political Risk: The risk arising from political instability and international relations. This includes
wars, terrorism, trade sanctions, and diplomatic tensions between countries. These events can disrupt
global supply chains and destroy assets located in conflict zones.
• Pandemic Risk: The risk of widespread infectious diseases affecting the global population. As seen with
COVID-19, this can lead to global shutdowns, supply chain halts, labor shortages, and massive economic
recession.
• Country Risk: Risks specific to doing business in a particular nation. This includes the risk of a
government nationalizing (seizing) foreign assets, imposing capital controls (preventing money from
leaving the country), or economic collapse specific to that region.
• Climate Change Risk: Risks associated with long-term shifts in weather patterns and rising temperatures.
This includes physical risks (flooding of coastal assets due to rising sea levels) and transition risks (the
loss of value in fossil fuel companies as the world moves to green energy).
• Disaster/Catastrophic Risk: Risks from acute, high-impact events. This includes both natural disasters
(earthquakes, massive wildfires, tsunamis) and man-made disasters (nuclear accidents, chemical spills).
These events cause damage so severe that it can exhaust insurance reserves and government aid.
9. Advanced Risk Types
• Moral Hazard: A situation where one party takes on more risk because they don’t bear the full cost of
that risk. For example, a person might drive recklessly because they have full car insurance coverage, or
a bank might make risky loans because the government guarantees a bailout.
• Black Swan Risk: A metaphor popularized by Nassim Taleb. It describes an event that is rare (outside
the realm of regular expectations), has an extreme impact, and is often rationalized in hindsight (as if it
could have been predicted). Examples include the 2008 Financial Crisis or the 9/11 attacks.
• Grey Rhino Risk: A metaphor popularized by Michele Wucker. It describes a highly probable,
high-impact threat that is obvious to everyone but is ignored. Unlike the Black Swan (surprise), the Grey Rhino
is the danger we see coming but choose not to act against until it is too late (e.g., the housing bubble before
2008).
• Inherent Risk: The level of risk that exists naturally in an activity or process before any controls or
mitigation measures are put in place. It is the “raw” danger of doing business.
• Cascading/Interdependent Risk: The risk that a failure in one area triggers a series of failures in others,
like a row of dominoes. For example, an earthquake (physical risk) destroys a power grid (infrastructure
risk), which shuts down a factory (operational risk), causing a default on a loan (financial risk).
• Systemic Risk: The risk of collapse of an entire financial system or entire market, triggered by the failure
of a major participant. It emphasizes the “too big to fail” problem where the interconnectedness of
institutions means one failure can bring down the whole system.
• Controlled/Residual Risk: The risk that remains after an organization has implemented all its risk
mitigation and control strategies. It is impossible to eliminate risk entirely; therefore, companies must
decide if the residual risk is acceptable or if further action is needed.
• Information Asymmetry Risk: The risk arising when one party in a transaction has more or better
information than the other. This leads to an imbalance of power and often results in bad decisions or
market failures (e.g., a used car seller knowing the car is a “lemon” while the buyer does not).
Risk Management Process
• The process involved with identifying, analyzing, and responding to risk.
• A logical and systematic approach for maximizing the results of positive risks (opportunities) and
avoiding or minimizing the consequences of negative events (losses/threats).
• A continuous process that enables improvement in decision making.
• Risk Tolerance – The amount of acceptable risk.
• Risk Averse – Someone who prefers a lower return with known risk to higher returns with unknown risk.
Wants to take calculated risks.
• Risk Factors
o Probability of occurrence
o Range of possible outcomes (impact or amount at stake)
o Expected timing of event
o Anticipated frequency of risk events from that source
Risk Management Process for projects
Risk Identification
Definition & Objective
• Process: Identifying and documenting all potential risks that could affect a project after the Risk Management Plan
is prepared.
• Primary Objective: Create a comprehensive list of risks by examining:
o Past: Historical data/review.
o Present: Current project assessment.
o Future: Creative forecasting using tools & techniques.
Key Components to Identify
1. Sources of Risk: Whether within the project team's control or not.
2. Areas of Impact: Which project aspects (cost, time, quality) the risk affects.
3. Causes & Potential Consequences: Root causes and possible outcomes.
Core Principles & Best Practices
• Start Early: Begin in early project stages to inform strategy and maximize time for response planning.
• Be Comprehensive: Consider all possible risk sources/categories.
• Think Creatively: Encourage innovative thinking and leverage team expertise.
• Involve Stakeholders: Engage a broad range for diverse perspectives, not just the core team.
• Link to Objectives: Each identified risk must be linked to project objectives (cost, time, scope, quality).
• Create Clear Statements: Avoid single words or ambiguity. Use clear, complete descriptions.
• Assign Ownership: Each risk must have a single, accountable owner.
• Document Iteratively: The process is repeated throughout the project lifecycle, as risks evolve.
• Go Beyond Formal Reviews: Identification can happen at any time, not just scheduled events.
Process & Documentation
• Categorize Risks: Use sources, impact areas, or project phases to create a Risk Breakdown Structure (RBS)—a
hierarchical chart of risks.
• Review Project Documents: Examine WBS, schedules, cost estimates, plans to derive risks.
• Define Risk Triggers: Identify symptoms or indicators that signal a risk is occurring.
• Maintain a Risk Register: Formally document all risks in a structured table (see template Annex A). Record all
known information.
Important Concepts
• Secondary Risks: New risks created by implementing a risk response.
• Residual Risks: Risks that remain after responses are applied; the project must be executed while accepting these.
• Dynamic Nature: The risk list is not static. It changes due to project decisions, internal changes, and external
factors.
Risk Identification Methods in Construction
The project team should apply risk identification tools and techniques that are appropriate to its objectives and
capabilities, and also to the nature and type of project risks faced. Following are some simple risk identification tools.
a) Documentation review — A structured review of project documentation including that of previous similar projects.
This information may include risk audit information, variance and trend analysis information and other information of
previous similar projects which may help to identify risks in the project being planned.
b) Brainstorming — This is an information gathering technique based on group discussion. The goal is to obtain a
comprehensive list of project risks. Ideas about project risks are generated under the leadership of a facilitator.
c) Checklists & Templates - Structured tools based on historical project data and industry standards.
Qualitative Risk Assessment Methods
a) Delphi technique — This is similar to brainstorming but participants are anonymous. A facilitator circulates a
questionnaire to experts. Responses are submitted and assessed. Consensus is reached after a few rounds of this process.
b) Interviewing/Expert Judgement — This is performed by talking individually or in a group with experienced project
team members, stakeholders or subject matter experts. These interviews can be done informally or formally based on a
prepared questionnaire.
c) Strengths, weaknesses, opportunities and threats (SWOT) analysis — Assessment of the strengths and/or weaknesses
of an organization or project team, focusing on either the project organization or the wider business. Opportunities and
threats are identified using brainstorming.
d) Probability and impact matrix - It allows the user to prioritize risks for further analysis or responses. It helps to
distinguish between those risks that will have a minor impact on business activities and those that will have a major
impact. It usually classifies risks according to their impact and probability, such as very high, high, moderate, low, and
very low.
Technique | Purpose | Best For | Output
Probability-Impact Matrix | Prioritize risks visually | Quick screening of known risks | Risk ranking (High, Medium, Low)
Expert Judgment | Leverage experience | Early-phase or data-scarce situations | Risk identification or ratings
Delphi Technique | Structured expert consensus | Complex decisions needing agreement | Prioritized risk list
SWOT Analysis | Strategic context analysis | Big-picture risk understanding | Strengths, Weaknesses, etc.
Quantitative Risk Assessment Techniques
1) Decision tree analysis — It is a tool used for decision making. It allows the user to specify the structure of the decision
with decision nodes, chance nodes, costs, benefits and probabilities. Different decisions can be evaluated using linear
utility functions based on expected monetary value.
Technique | Purpose | Best For | Key Output
Expected Monetary Value (EMV) | Calculate average risk cost. EMV = Probability × Monetary Impact | Cost-benefit analysis of alternatives | ₹-value of each risk (Expected Cost/Benefit)
Monte Carlo Simulation | Simulate a range of outcomes based on probability | Projects with many uncertainties and variables | Probability distributions of outcomes
Sensitivity Analysis | Identify which variables most affect outcome. Changes one variable at a time to see effect on outcome. | Focusing risk response on high-impact factors | Ranked list of sensitive variables
Decision Tree Analysis | Evaluate decisions under uncertainty: a tree of decision branches with probability & cost at each node → choose best EMV path. | Risk-informed decision-making | Visual tree with best decision path and EMVs
FMEA (Failure Mode and Effect Analysis) | Prioritize failure risks by severity, occurrence, and detection. Rates each failure mode by Severity × Occurrence × Detectability → RPN (Risk Priority Number) | Technical/system risks | Risk Priority Number (RPN) for each risk
2) Expected monetary value (EMV) — This is a simple calculation of a value such as weighted average or expected
cost or benefit when the outcomes are uncertain. All reasonable alternative outcomes are identified. Their probabilities
of occurring (summing to 100 percent) and their values are estimated. The EMV calculation is made for the entire event
by weighting the individual possible outcomes by their probabilities of occurring.
Expected monetary value (EMV) = Probability × Impact
3) Monte Carlo simulation — It is a detailed, computer-intensive simulation approach to determine the value and
probability of possible outcomes of a project objective such as a project schedule or cost estimate.
4) Sensitivity analysis — This is an approach to study different project scenarios in terms of probability of their
occurrence.
5) Failure modes and effects analysis (FMEA) - It uses a model structured to identify the various elements that can cause
system failure by themselves, or in combination with others, based on the logic of the system. Failure-mode effect analysis
assesses and analyzes the potential reliability of a system and/or products. It is used together with failure-mode effect and
criticality analysis as part of the general program to assess reliability of a system and potential failure modes.
• We list potential failure modes (e.g., retaining wall collapse), rate each on Severity, Occurrence, and Detectability
(scale 1–10), then compute RPN = S×O×D.
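An added worked example (not part of the original notes) that ties together three of the techniques listed above: EMV per risk, a Monte Carlo simulation of total risk cost, and a one-at-a-time sensitivity check on the simulated tail. The register entries, probabilities and ₹ lakh impact ranges are constructed for illustration, and impacts are assumed to follow a triangular distribution.

```python
import math
import random

# Constructed sample register (cost impacts in ₹ lakh); illustrative values only.
# name: (probability of occurrence, (low, most likely, high) impact if it occurs)
RISKS = {
    "Retaining wall collapse": (0.05, (200.0, 400.0, 900.0)),
    "Material price escalation": (0.40, (20.0, 60.0, 150.0)),
    "Unpredictable weather delay": (0.30, (10.0, 40.0, 100.0)),
    "Late construction drawings": (0.25, (5.0, 25.0, 60.0)),
}


def emv(probability, impact):
    """EMV = Probability x Impact, with impact taken as the triangular mean."""
    low, likely, high = impact
    return probability * (low + likely + high) / 3.0


def emv_by_risk(risks):
    """EMV of every risk in the register."""
    return {name: emv(p, impact) for name, (p, impact) in risks.items()}


def simulate(risks, runs=20000, seed=1):
    """Monte Carlo: in each run every risk occurs with its own probability and,
    if it occurs, costs a triangular draw. Returns the sorted run totals."""
    rng = random.Random(seed)
    totals = []
    for _ in range(runs):
        total = 0.0
        for p, (low, likely, high) in risks.values():
            if rng.random() < p:
                total += rng.triangular(low, high, likely)
        totals.append(total)
    return sorted(totals)


def percentile(sorted_totals, q):
    """Nearest-rank percentile of an ascending list, 0 < q <= 100."""
    rank = max(1, math.ceil(q / 100.0 * len(sorted_totals)))
    return sorted_totals[rank - 1]


def tail_drivers(risks, q=99, runs=20000, seed=1):
    """One-at-a-time sensitivity: drop in the q-th percentile of total cost
    when each risk is removed, largest drop first."""
    base = percentile(simulate(risks, runs, seed), q)
    drops = {}
    for name in risks:
        rest = {k: v for k, v in risks.items() if k != name}
        drops[name] = base - percentile(simulate(rest, runs, seed), q)
    return sorted(drops.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    per_risk = emv_by_risk(RISKS)
    totals = simulate(RISKS)
    print("EMV per risk:", {k: round(v, 1) for k, v in per_risk.items()})
    print("Sum of EMVs :", round(sum(per_risk.values()), 1))
    print("Simulated mean:", round(sum(totals) / len(totals), 1))
    for q in (50, 80, 95, 99):
        print(f"P{q} total risk cost:", round(percentile(totals, q), 1))
    print("Drivers of P99:", [(n, round(d, 1)) for n, d in tail_drivers(RISKS)])
```

With these inputs the largest single EMV belongs to material price escalation, while the 99th percentile is driven by the low-probability wall collapse, so a contingency sized on the sum of EMVs alone understates the tail exposure.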
The following are some other points that should be considered during risk assessment:
a) During risk management planning, the risk management team should define the levels of probability and of impact on
objectives, which would be required for risk assessment.
b) Data collected for risk assessment should be reliable and of high quality. It should also be unbiased.
c) Risk assessment for individual risks should be performed periodically throughout the project.
Comparison: Qualitative vs. Quantitative Risk Analysis
Aspect | Qualitative Risk Analysis | Quantitative Risk Analysis
Objective | To prioritize risks based on their likelihood and impact using subjective judgment | To numerically assess risks and predict their probable impact on cost, time, or scope
Nature | Descriptive, subjective, uses expert opinions and categories | Numerical, data-driven, uses models and simulations
Input Requirement | General descriptions, ratings (High/Medium/Low), expert opinion | Quantitative data like cost ranges, probability distributions, historical data
Tools | Rating scales, interviews, group techniques | Statistical models, simulations, probability theory, software tools (e.g., @RISK, Primavera)
Speed & Cost | Faster and inexpensive | Time-consuming and requires resources
Best Used When | Limited data is available; early project phase; need a quick risk overview | Detailed data available; major financial or scheduling decisions; high-stakes projects
Outcome | Ranked list of risks (High, Medium, Low); qualitative risk register | Numerical outputs: cost/time estimates, probability curves, EMVs
Risk Response Planning
Risk assessment and categorization of all identified risks lead to the formulation of risk response plans. These will
comprise a report on identified risks and recommended actions for reducing the probability of occurrence of these risks
and minimizing the impact of risks if they occur.
For negative risks, recommended actions shall fall under any, some or all of the following categories:
a) Hold or retain or accept — Low category risks may be retained or accepted by the project execution team and dealt
with during project execution. For such risks, there shall be a fall back plan to be implemented, if the risk affects the
project. For example, unanticipated increase in cost of material.
b) Reduce — This action shall apply to those risks for which we can reduce the probability of their occurrence and
impact, if they occur. Some of these actions may be modifying the design specifications, working methodologies and
procurement strategies.
c) Share — Risks can be shared by the project team with other entities where mutual incentives are recognized. Some of
these risk sharing mechanisms may be sub-contracting and joint ventures.
d) Transfer — This action shall apply to those risks for which probability of occurrence cannot be reduced but impact
can be minimized by transferring the liability to another entity through insurance or relevant contract clauses.
e) Avoid — This applies to high or extreme risks for which probability of occurrence and impact cannot be reduced.
Such risks may be totally avoided, for example, changing the location of the project, changing specifications, technology
and working methodologies.
Contingency reserves allocated for the project shall be utilized for the above stated five risk response actions.
For positive risks, recommended actions shall fall under any, some or all of the following categories:
1) Exploit — Actions are taken so that opportunities may occur and project shall be able to take advantage of those
opportunities. This includes strategically planning the project location near the location of sourcing resources.
2) Share — Benefits of positive risks are opportunities shared with agencies that are better placed to take the benefit of
those opportunities. This includes executing a project through a joint venture where the profits are shared by all the
agencies that constitute the joint venture.
3) Enhance — Actions are taken to increase the probability of opportunities occurring for the project or to increase their
positive impact on the project. This may be achieved by changing the specifications, design elements or the structure of
the project team.
4) Accept — Some opportunities may occur for the project and be accepted by the project execution team. For example,
unanticipated change in cost of material. If the cost of material does not increase, it shall be beneficial for the project, but
if it happens, that shall have negative impact on the project.
Risk Register Example
The Risk Register is a comprehensive documentation of identified risks. It is a database of captured risks containing a
summary of the information necessary for managing the risks.
Risk breakdown structure
The risk breakdown structure (RBS) is a hierarchical framework of potential sources of risk. An organization may develop
a generic or specific RBS. The RBS helps to identify specific risks in relation to its category and offers a framework for
other risk identification techniques such as brainstorming. An RBS helps to ensure coverage of all types of risk and tests
for blind spots or omissions.
Example of a Generic Risk Breakdown Structure for a Project (PMBOK)
Major Risk Categories for RBS in a Construction Project
PROJECT
│
├── 1. Strategic & Regulatory Risks
├── 2. Land, Site & Geotechnical Risks
├── 3. Design & Engineering Risks
├── 4. Construction & Execution Risks
├── 5. Health, Safety & Fire Risks
├── 6. Logistics & Urban Interface Risks
├── 7. Contractual & Financial Risks
└── 8. Market, Reputational & Stakeholder Risks
Project Life Cycle Risks
• This lifecycle diagram illustrates the relationship between project phases, investment levels, and the evolving nature
of risk exposure.
• Notice how uncertainty is highest at the beginning when commitments are lowest, while later phases involve higher
financial commitments but theoretically lower uncertainty, though the consequences of unforeseen events become more
severe.
Phase Wise Risk as per IS 15883
Pre-construction Stage
1) inadequate soil and other required investigations and surveys;
2) inadequate detailed project reports (DPRs) including inadequate cost estimates;
3) delay in project specific clearances including environmental clearances;
4) inadequate handling of social issues;
5) incomplete/inadequate project drawings and documents;
6) inappropriate technology adoption decision;
7) unrealistic project schedules and inadequate programme scheduling;
8) lack of proper study of project documents; and
9) inadequate project tenders and bidder response.
Construction Stage
1) land acquisition and non-availability of site free of encumbrances;
2) organisational inter-disciplinary interfaces;
3) variations in geotechnical conditions;
4) delay in issue of ‘good for construction drawings’;
5) design variations and other changes by consultants, client and other stakeholders;
6) variations in construction programme;
7) non-availability/shortage of adequate resources including manpower, material and machines;
8) lack of commitment/co-ordination by various stakeholders/project participants;
9) lack of team work and inter-disciplinary interfaces;
10) lack of commitment and leadership skills in senior management;
11) inadequate disputes’ settlement mechanism;
12) lack of awareness of safety norms and lack of implementation of safety requirements;
13) accidents;
14) multiplicity of laws to be followed and delay in project specific clearances required at the construction stage;
15) inefficient payment system/paucity of funds;
16) ineffective contract management;
17) interpretation of contract clauses;
18) law and order issues;
19) currency fluctuation;
20) political uncertainty;
21) unpredictable weather conditions;
22) lack of transportation and infrastructure availability;
23) force majeure; and
24) change in statutory stipulations.
Commissioning and Handing Over Stage: Anticipated Risks (IS 15883 (Part 8) : 2015)
1) final payments and related settlements;
2) contract closure;
3) final project documentation;
4) final disputes resolution;
5) political interference/public pressure;
RISK ALLOCATION FROM STAKEHOLDERS' PERSPECTIVE
Key Philosophy – “Risk allocation is not about pushing risk — it is about placing risk where it hurts the least.”
Aspect | Complete Summary
Core Principle | Risk must be allocated to the stakeholder best able to control, manage, or absorb it at the lowest cost
Why It Matters | Proper allocation improves efficiency, bankability, and project success
What Goes Wrong If Ignored | Abnormally low bids, claims, delays, arbitration, financial failure
Learning Outcomes | Ability to allocate risk logically, justify allocation, link to contracts, insurance, and real cases
Contract Context | Applies to EPC, FIDIC (International Federation of Consulting Engineers; French name: Fédération Internationale Des Ingénieurs-Conseils), BOT, HAM, PPP and item-rate contracts
Example of Primary Stakeholders and Their Risk Appetite: Risk allocation assigns risks to stakeholders
based on control and capability to minimise cost and disputes.
Stakeholder | Primary Concern | Risk Tolerance | Typical Position
Owner/Client | Value for money, Schedule, Quality | Low (wants certainty) | "Transfer all risk to contractor"
Contractor | Profitability, Cash flow, Resources | Medium (business risk) | "Only accept controllable risks"
Consultants | Professional liability, Reputation | Very Low | "Limit scope, exclusions"
Subcontractors | Narrow scope, Payment, Access | Very Low | "Only our direct work"
Financiers | Project viability, ROI, Security | Low-Medium | "Completion guarantees"
Insurers | Probability, Severity, Moral hazard | Calculated | "Exclude uninsurables"
Public/Community | Safety, Environment, Disruption | Zero for core issues | "No negative impacts"
Risk Allocation Matrix Example (Who Faces What?)
Risk Category | Owner | Contractor | Designer | Subcontractor | Insurer
Design Errors | ✓ (if retains) | ✓ (if Design & Build) | ✓ (primary) | ✗ | ✓ (PI insurance)
Site Conditions | ✓ (unless disclosed) | ✓ (if accepted) | ✗ | ✗ | ✗ (excluded)
Weather Delays | ✗ | ✓ (unless force majeure) | ✗ | ✓ | ✓ (if insured)
Material Price Escalation | ✗ | ✓ (unless fluctuation clause) | ✗ | ✓ | ✗
Labor Disputes | ✗ | ✓ | ✗ | ✓ | ✗
Regulatory Changes | ✓ (if post-bid) | ✗ | ✗ | ✗ | ✗
Force Majeure | Shared/Contract specific | Shared/Contract specific | Shared | Shared | ✓ (if covered)
International guidelines for project risk management
1. Bureau of Indian Standards (BIS)
2. Royal Institution of Chartered Surveyors (RICS)
3. ISO 31000
4. Project Management Body of Knowledge (PMBOK)
1. Bureau of Indian Standards (BIS)
This Indian Standard (Part 8) was adopted by the Bureau of Indian Standards, after the draft finalized by the Construction
Management (Including Safety in Construction) Sectional Committee had been approved by the Civil Engineering
Division Council.
SCOPE
This standard (Part 8) covers guidelines for risk management aspects of construction project management. The risk
management aspects during the project formulation and appraisal stage of the project are not covered in this standard. The
scope of this standard, therefore, covers the stages subsequent to the stage of approval (when a decision to implement the
project including its financing is taken) till commissioning and handing over of the project.
This standard is prescriptive in nature and the generic approach described herein provides the principles and guidelines for
managing any form of risk in a systematic, transparent and credible manner within any scope and context. By meeting the
various provisions of this standard, though in different ways, project teams will be in a position to report that they are in
compliance and they can benchmark their risk management practices.
The Risk Management Process (IS 15883 Part 8)
1. Risk Management Planning - Define how to conduct risk management
2. Risk Identification - Identify and categorize all potential risks
3. Risk Assessment - Evaluate probability and impact
4. Risk Response Planning - Develop strategies for each risk
5. Risk Monitoring & Control - Track and manage risks continuously
6. Post-Construction Review - Document lessons learned
2. Royal Institution of Chartered Surveyors (RICS)
Members: 134,000+ accredited professionals worldwide
The Royal Institution of Chartered Surveyors (RICS) is a global professional body for those working in the Built
Environment, Construction, Land, Property and Real Estate. The RICS was founded in London in 1868. It works at a
cross-governmental level, and aims to promote and enforce the highest international standards in the valuation,
management and development of land, real estate, construction and infrastructure.
RICS professionals manage over $4 trillion in construction assets globally.
The RICS Risk Management Framework - 3 Levels
Level 1: Knowing (General Principles)
• Understanding fundamental concepts
• Risk definitions and categories
• Response strategies: Avoid, Reduce, Transfer, Share, Retain
Target Audience: All construction professionals
Level 2: Doing (Practical Application)
• Risk identification techniques
• Qualitative and quantitative assessment
• Risk response planning
Target Audience: Project managers, risk practitioners
Level 3: Doing/Advising (Strategic Application)
• Advising on procurement routes
• Risk quantification for contingency
• Client advisory services
Target Audience: Senior managers, consultants, advisors
3. The Project Management Body of Knowledge (PMBOK)
• It is a set of standard terminology and guidelines for project management.
• This document results from work overseen by the Project Management Institute (PMI), which offers the CAPM
(Certified Associate in Project Management) and PMP (Project Management Professional) certifications.
The Seven Principles of Risk Management – PMBOK
◦ Strive for Excellence (Tailoring): Tailor process maturity to the complexity of the project.
◦ Align with Strategy: Integrate risk management with organizational governance and strategy.
◦ Focus on Impact: Prioritize resources for risks that directly influence goals.
◦ Balance Value vs. Risk: Find the equilibrium where expected business value justifies risk exposure.
◦ Foster Risk Culture: Encourage transparency and proactive identification of threats.
◦ Navigate Complexity: Use risk management to handle ambiguity and system interdependencies.
◦ Continuous Improvement: Refine behavioral and technical competencies as technology evolves.
4. ISO 31000:2018
• It was developed in November 2009 by the International Organization for Standardization.
• The goal is to provide a consistent vocabulary and methodology for assessing and managing risk, resolving the
historic ambiguities and differences in the ways risks are described.
• The standards were designed to fit into an integrated management system.
• Emphasis on the integration of risk management into core business activities, decision-making processes, and
organizational culture.
• It also reinforced the leadership role of top management in embedding risk management throughout the
organization and promoted a more flexible, principles-based approach adaptable to organizations of all sizes and
sectors.
• The version ISO 31000:2018 was confirmed again in October 2023 and is valid for the next five years.
Structure of ISO 31000
ISO 31000 is built on three interconnected components:
◦ Principles – Why and how risk management adds value
◦ Framework – How risk management is embedded in the organization
◦ Process – How risks are identified, assessed, treated, and monitored
These components must work together to ensure risk management is:
◦ Structured
◦ Integrated
◦ Aligned with organizational objectives
Removing any one element weakens the entire system.
Eight ISO principles of risk management
◦ Integrated: Risk management should be an integral part of all organisational processes and activities.
◦ Structured and comprehensive: Risk management should follow a logical and systematic approach that covers
all types of risks and their interrelationships.
◦ Customised: Risk management should be tailored to the specific context and needs of the organisation and its
stakeholders.
◦ Inclusive: Risk management should involve relevant and appropriate stakeholders in the decision-making process.
◦ Dynamic: Risk management should be responsive to changes in the internal and external environment and monitor
and review risks regularly.
◦ Uses best available information: Risk management should use reliable and accurate information from various
sources and acknowledge its limitations and uncertainties.
◦ Considers human and cultural factors: Risk management should consider the perceptions, values, behaviours,
and capabilities of people involved in or affected by risk.
◦ Practices continual improvement: Risk management should seek to learn from experience and improve its
performance over time.