**3.2. Three dimensions to characterise project risk management techniques**

Based on a careful analysis of the characteristics of the techniques supporting risk management proposed in literature and applied in business practice, the authors believe that among the discussed criteria the phase of the risk management process, the phase of the life cycle of a project, and the corporate maturity towards risk are the three dimensions that encompass the most relevant aspects for understanding and choosing among project risk management techniques. In fact, the focus is on "risks" that occur in "projects" which are in turn run by "companies". Moreover, such dimensions adequately reflect the crucial concept that risk practices can only be selected once a problem is structured and well understood, and the application of these instruments depends on the circumstances of the problem, hence on the need to fully comprehend it.

Every specific risky event in a project has its own escalation process characterised by one or more sources or causes, an occurrence, and one or more consequences [35]. Each of these phases requires its own approach to be studied. Sources of risk are analysed by concentrating on their identification, description, and classification (e.g. internal and external causes), the occurrence is defined by the probability and the impact of the risky event, and the consequences are described in terms of time, cost, and quality variance against the expected performance.

Additionally, no practice is perfectly tailored to deal with every risk occurring in the course of a project [22]. Each of the risks faced during a project has its own specificity depending on its position within the project life cycle. For example, throughout the feasibility study, when the main issue is making appropriate strategic choices, the probabilities of occurrence of risks are difficult to define because of the still scarce level of information associated with that phase. By contrast, in the following phases risks are mainly related to the consequences of decisions made in the previous steps of the project, and their sources, manifestation, and effects can be characterised in a more accurate way. Also, in the late phases of a project a risk may be the effect of other risks that manifested themselves in previous phases.

Besides the phases of the risk management process and the life cycle of a project, a third pillar constitutes the foundation of a sound selection of techniques supporting risk treatment: the reference context of the organisation that develops a project. In particular, this work is interested in the maturity towards risk, which is basically achieved through risk awareness, the consideration that the risk management activity is on the same level as cost, time, and scope management tasks, commitment to high quality of data, systematic implementation of instruments to deal with risk, development of responses to risk, and assessment of the obtained results [38]. The extent to which a company possesses these features represents the cultural bedrock that enables the application of specific techniques to prevent, accept, mitigate or exploit risky events and their effects. In particular, a high

**3.3. Phases of the risk management process**

According to Hillson [40], risk management is about finding an answer to six simple questions such as "What do we want to achieve?", "What might affect us?", "Which of the things that might affect us are most important?", "What should we do about them?", "Did our actions work?", and "What has changed in the new scenario?". These questions represent the main issues of the risk management process, which is generally recognised as the process concerned with conducting the following phases: risk management planning, risk identification, risk analysis, risk response, and risk monitoring and control [1].

In risk management planning the objectives and the approach to carry out risk treatment tasks are decided, and resources and time are assigned to these activities, so that the subsequent phases can be conducted smoothly. Risk identification defines the risks to which the project is exposed and describes their causes and characteristics. The goal of the risk analysis phase, sometimes named risk assessment, is to prioritise the identified risks by importance in order to enable managerial actions, and to establish the overall level of risk exposure of the project. In particular, qualitative risk analysis is focused on determining the probabilities of occurrence of risky events and the associated impacts on project outcomes, the time periods when the risks could affect the project, when it is possible to influence them, and the relationships between risks and cost, schedule, scope, and quality constraints. Quantitative risk analysis operates on those risks that substantially impact the project and numerically evaluates their effects. Risk response starts from the previously identified risks and their significance to develop actions to increase opportunities and decrease threats. Resources and activities are inserted into the budget, schedule, and project management plans. The final phase, risk monitoring and control, is the on-going identification and management of new risks that become known during a project, the tracking of already identified risks, the monitoring of residual risks, the implementation of planned responses as well as the review of their effectiveness, the development of additional actions, if needed, and the formalisation of lessons learned about risk [1,35].

The importance of the dimension of the risk management process phases for selecting techniques to support the treatment of risk is evidenced by the many works in the literature that discuss instruments for each phase. Some of them have already been presented in Section 3.1.

**3.4. Phases of the project life cycle**

In a similar way as when the risk management process is approached, undertaking a project means tackling some basic questions: "Who are the parties ultimately involved?", "What do the parties want to achieve?", "What is it the parties are interested in?", "How is it to be done?", "What resources are required?", and "When does it have to be done?". These questions are answered during the life cycle of a project, which is defined as a systematic way of conceptualising the generic structures of projects into a number of phases that assure better management control [1,13,41].

The project life cycle is domain specific and, because of the complexity and diversity of projects, its breakdown into phases differs according to several factors such as the size (e.g. small or large-scale projects) and the type (e.g. engineering and construction projects or new product development projects) of the project. Four general phases can be associated with the kinds of projects that are considered by this work: conceptualisation, planning, execution, and termination [1,13]. The conceptualisation phase regards identifying an opportunity or a need, clarifying the purpose of the project by defining the relevant performance objectives and their importance, formalising the concept of the project, and evaluating its feasibility. The planning phase includes undertaking the basic design, developing performance criteria, formulating a base plan together with targets and milestones, and allocating internal and external resources to achieve the plan. With the execution step of a project action begins: the main tasks here are coordinating and controlling the performing of planned activities, monitoring progress, and changing targets, milestones, and resource allocation as required. Finally, the termination phase involves commissioning and handover, reviewing the lessons learned during the project, and assuring the necessary support to the product of the project until it is discarded or disposed of.

It is widely recognised that a structured view of the project life cycle provides a proper frame for understanding major sources of uncertainty, as well as their occurrence timing and impacts, during all its phases [13]. Also, the project life cycle is a natural setting for distinguishing among approaches to risk management. As the life cycle evolves, different information becomes available about the aspects and components of both a project and its environment, such as stakeholders, scope, time, and cost as well as corresponding assumptions and constraints. Therefore, there are more risks at the beginning of a project, while they decrease as the project progresses towards its termination. As a consequence, the greatest opportunity for risk reduction resides in the early project stages. In general, during the conceptualisation phase, decision makers should focus on different sources of uncertainty, such as technological, cultural, social, and economic ones, to make sure about the feasibility of the project [42]. The identified uncertainties should then be taken into account during the planning phase of the project. The risk management process should monitor the changes as well as the new risks emerging in the execution phase and manage the appropriate actions to reduce or eliminate them [1]. Finally, the typical risks in the termination phase are related to the proper maintenance, improvement, and changing needs in light of evolving societal, demographic, operational, or economic conditions.

Since the sources of uncertainty change during the project life cycle, it is vital to understand how the risk management process has to vary accordingly. This consideration supports the need to enable project managers to focus on specific sources of uncertainty in each stage of the project by means of appropriate practices to identify, assess, and treat such uncertainty in order to optimise its impacts. In addition, a project life cycle-oriented view of risk management techniques helps to avoid compartmentalisation in approaching risk, which occurs when each participant looks at risks with a single, specific perspective and based on his own goals, irrespective of the other project parties [19].

**3.5. Corporate maturity towards risk**

The concept of maturity indicates an evolution from an initial state to a more advanced one through multiple intermediate states corresponding to different levels of awareness towards risk and capability to deal with it. The degree of maturity towards risk of an organisation depends on its risk culture, which is stimulated by the available informational context and the type and size of the organisation itself. All these factors also impact on the maturity of the project management process, which may go from basic project management, to the systematic planning and control of a single project, to the integrated planning and control of multiple projects, to the continuous improvement of the project management process [43], which in turn influences how risk management is applied.

Hillson [37] proposes a risk maturity model made up of four stages: Naïve, Novice, Normalised, and Natural. Naïve means that an organisation has not yet grasped the need for managing risks and no structured approach is in place for this purpose. Novice defines an organisation that recognises the benefits of managing risk and is actually implementing some form of risk governance but lacks a formalised process to perform this task. Normalised is the degree of maturity characterised by a formalised risk process included in routine business activities whose benefits, however, are not consistently achieved in every project. Finally, the Natural maturity level denotes an organisation that is completely aware of risk and proactively manages opportunities and threats through consistent risk information. Such an organisation will benefit from improved corporate planning, more transparent relationships with stakeholders, and better global performance [44].

Moving from one level to the upper one in this maturity scale implies that an organisation is willing to perform a more thorough and systemic analysis of the escalation processes of project risks. In order to do that, not only different but also more sophisticated and detailed techniques have to be applied [33,38]. Based on this, it can be stated that the more mature an organisation is towards risk, the more phases of the risk management process it will implement. Companies with a low maturity degree only limit themselves to risk identification or qualitative risk analysis, while organisations with a higher level of maturity deal with all the stages of the risk management process, including collecting past data to carry out quantitative analysis. Thus, the maturity of a company towards risk and its response to possible consequences are strictly related to the development of the risk management phases.

**4. Classifying techniques supporting project risk management**

The three defined dimensions characterising the choice of project risk management techniques are here applied to a selection of practices that can be commonly found in both literature and practice.
