**2. Communication and knowledge creation in risk management**

Identifying and assessing risk sources and their impacts on project activities as well as developing responses to risk rely on a heterogeneous knowledge basis made up of past experiences, skills, and perspectives of involved people. However managing data, information, and in general the knowledge generated during the life cycle of a project is a difficult task and an inappropriate way of doing that may be a cause of failure. In particular, communication about risk is often very poor, even if the interactive process of exchanging information and opinions among all the concerned parties is a critical condition in the risk management process to effectively support decision-making [18]. Projects are often organised and managed in ways that create information and communication disconnects. Decisions about risk are made independently from one another according to the different nature of possible risky events (e.g. business, technical, operation, and country-specific) and the interactions among them are not taken into account. Participants in a project do not share a comprehensive understanding of the risks that may affect it and a life cycle view of uncertainty is usually uncommon. This brings compartmentalisation of risks because they are identified, assessed, and controlled by using only one perspective [19]. A structured communication of the objectives, instruments, and findings of the risk management process as well as of the required actions as a result of its output is strongly needed, being organisational and individual learning increasingly important when dealing with risk [20].

68 Risk Management – Current Issues and Challenges

towards risk.

and political environments have led to a variety of definitions, concepts, terms, and

Since the Nineties, most of the contributions have focused on the establishment of a risk management process: significant examples are the Project Uncertainty MAnagement (PUMA) process [11],the Multi-Party Risk Management Process (MRMP)[12],the Shape, Harness and Manage Project Uncertainty (SHAMPU) process [13], the Two-Pillar Risk Management (TPRM) process [14],the risk management process developed by the Project Management Institute [1], the Project Risk Analysis and Management (PRAM) process [15], the Risk Analysis and Management for Projects (RAMP) process [16], and The Active Threat

An effective application of risk management processes is not disjointed from sound enabling instruments. So, another research stream is running parallel to that focusing on the overall risk management structure: the development, implementation, and evaluation of

However, in literature there is a scarce systematisation of the actual capabilities of such practices. In addition, there is a lack of frameworks categorising them based on a comprehensive set of the peculiar characteristics of a project, of its management process, and of its surrounding business environment, as well as on the attitude of an organisation

In order to contribute to fill this gap, the present work puts forward a taxonomy supporting the selection of the most suitable risk management techniques in any given project scenario, with the aim of fostering knowledge creation about how to treat risky events. The research mainly focuses on projects characterised by the achievement of a final work product not completely defined at the beginning of the project itself, such as in the construction,

After discussing the value of communication and knowledge in risk management, a set of dimensions reflecting the most important managerial and operational conditions characterising a project is developed starting from a review of pertinent literature. Widely applied techniques to support project risk management are presented and classified according to the framework. Finally, implications, ramifications, and future research

Identifying and assessing risk sources and their impacts on project activities as well as developing responses to risk rely on a heterogeneous knowledge basis made up of past experiences, skills, and perspectives of involved people. However managing data, information, and in general the knowledge generated during the life cycle of a project is a difficult task and an inappropriate way of doing that may be a cause of failure. In particular, communication about risk is often very poor, even if the interactive process of exchanging information and opinions among all the concerned parties is a critical condition in the risk

engineering, and information and communication technology industries.

**2. Communication and knowledge creation in risk management** 

directions are elaborated and conclusions drawn.

approaches, all highlighting the need for systematically addressing uncertainty.

and Opportunity Management (ATOM) Risk Process [10].

operational means to put in practice risk management [17].

Communication among project parties generates awareness of risk and supports knowledge creation about both drivers and effects of uncertainty and approaches to cope with it.

A variety of practices exists to deepen the understanding of causes and consequences of uncertainty [4,21-23]. However, their application is still limited because several organisations do not systematically track past data and performance for this purpose. When there is a substantial lack of explicit information an important source of knowledge is represented by the implicit information held by the so called "experts". The term expert refers to those people to whom special knowledge about specific issues is attributed and from whom it is possible to obtain information that is useful for risk investigation. The process of extracting information from experts is named elicitation, which is defined as formulating a person's knowledge and beliefs about one or more uncertain quantities into a probability distribution for these quantities [24]. Elicitation of implicit expert knowledge is a core component of qualitative risk assessment, by means for instance of Delphi analysis or SWOT analysis, where it is used to define probability distributions for the occurrence and the impact of risky events.

Another relevant issue in knowledge creation about risk is related to the guidelines on how to approach it. As mentioned, literature offers a wide range of frameworks to identify risk sources, evaluate their probabilities and impacts in both a qualitative and a quantitative way, and set up risk response strategies. Also, there are some attempts to categorise these practices according to the nature of the data they rely on, the phase of the risk management process, the kind of project, or the purpose of the analysis [1,25-27]. However, existing contributions usually focus on just one single aspect and there is a lack of taxonomies that simultaneously look at all the relevant dimensions that should be taken into account when choosing an appropriate means of treating risk. In addition, the terminology used to address risk management practices is somewhat confused. The most common words that can be found in literature are tool, technique, and method but there is no widely accepted definition of these concepts and of the relationships among them in the field of risk management. Sometimes a same practice is referred to with different terms. For instance, while Delphi is generally classified as a technique [1,26], the Failure Mode and Effects Analysis (FMEA) is defined as either a tool [4] or a method [25]. However, determining the exact nature of risk instruments and creating a hierarchy among them help to recognise their

scope and range of application and allow a more appropriate use at various risk management levels.

A Framework to Select Techniques Supporting Project Risk Management 71

approaches to risk identification for the following situations: the majority of risks are known, the risks have been prioritised, the risk list is short, risks are classified according to some criteria, risks are broken down to build a hierarchy, relationships among risk are investigated, and risk evolution is studied overtime. Also, techniques for risk management differ according to whether the main aim is monitoring economic and financial outcomes, checking quality variance, tracking time delays or estimating the probability of the overall

In addition, risk management practices can be distinguished based on how the investigation is performed. Gidel and Zonghero [31] focus on selected techniques and suggest when they are suitable depending whether an analogical, heuristic, or analytic approach is applied to risk identification. With an analogical approach the study of risk mainly relies on the experience coming from the management of previous and similar projects. The heuristic approach uses the project team creativity or expertise through for instance brainstorming sessions. Finally, the analytic approach is typically based on FMEA and Fault Tree Analysis and aims to decompose a system to identify risky events for each sub-system together with

Also, the nature, size, and phase of the life cycle of a project as well as the kind of associated consequences determine which techniques to support risk management should be used. Some authors highlight that, although risk management should assist in the entire life cycle of a project, it is particularly crucial in the planning stage and its scope and depth increase as the project moves towards the execution phase, while they decrease in the termination phase [13,32]. As a matter of fact, the earlier the risks are identified, the more realistic the project plan and the expectation of results and the more effective the contingency plans both

Other works focus on the strong correlation between the risk profile of a project and its organisation: for instance, different procurement schemes require different risk practices

Furthermore, every single step of managing risks, whether identifying or assessing them, developing response plans, or monitoring their execution, implies a different level of information and detail, thus it requires the application of different techniques. Literature reports numerous classifications of techniques according to the phase of risk management

Finally, the project risk management capabilities of an organisation improve as its risk culture increases. A scarce awareness towards risk drives occasional applications of informal risk techniques to specific projects and problems are dealt with only when they show up. Recognising the relevance of risk, instead, is the condition for proactively managing uncertainty [33,36,37]. As a consequence, techniques supporting risk management require different levels of corporate risk maturity in order to yield the expected benefits and this constitutes a criterion according to which risk techniques may be

success or failure of a project.

their causes and effects.

[22].

classified [25].

during the development of the project and beyond [1,33].

for which they are most suitable [1,34,35].

How to select the correct practices and capture their actual potentialities is of paramount importance to enhance the knowledge that is necessary to manage in an effective and efficient manner the risk and the associated information throughout the development of a project. Such understanding facilitates a clear view of the critical conditions of a project, thus fostering performance improvement and enhancing trust within the project team [28].

The developed framework focuses on the need for a comprehensive perspective on the factors affecting risk investigation and proposes a taxonomy based on the most significant elements characterising the scenario in which project risk is approached. The aim is assisting in the choice of the appropriate practices according to the level and the purpose of the risk management effort. Since the distinction among the different terms to address risk management practices is not the purpose of this work, they are all referred to as "techniques".
