**1. Introduction**

66 Risk Management – Current Issues and Challenges

Company, Environmental Quality Management.

Journal of Project Management , Vol. 28, 245-255.

Management Efforts, Internet Working Paper. Available at

Bedford, Massachusetts.

Vol 44, No. 5, pp. 445-460.

pp. 438–456.

[3] Engert P.A., Lansdowne Z. F. 1999. Risk Matrix User's Guide, Version 2.2, MITRE

[4] Baccarinia D., Archerb R., 2001. The risk ranking of projects: A methodology, International Journal of Project Management, Volume 19, Issue 3, Pages 139-145. [5] Ochsner M., 2000. Case study: Risk prioritization and ISO 14001 at Acushnet Rubber

[6] Li H., Apostolakis G.E., Gifun J., VanSchalkwyk W., Leite S., Barber D. 2009. Ranking the Risks from Multiple Hazards in a Small Community, Risk Analysis, Vol. 29, Issue 3,

[7] Cox L. A. 2008. Some Limitations of "Risk = Threat × Vulnerability × Consequence" for Risk Analysis of Terrorist Attacks, Risk Analysis, Volume 28, Issue 6, pages 1,749–1,761. [8] Klein J. H. 1993. Modelling Risk Trade-Off, Journal of The Operational Research Society,

[9] Ben David I., Raz T, 2001. An Integrated Approach for Risk Response Development in Project Planning, Journal of The Operational Research Society, Vol 52, pp. 14-25. [10] Gonen A., Zeitouni N. 2010. Risk management of water resources in a changing climate in: Advances in Risk Management ed. Giancarlo Nota Ch.10, 199-222 Publishers: Sciyo. [11] Kutsch E., Hall M., 2009. Deliberate ignorance in project risk management, International

[12] Ben David I., Rabinowitz G., Raz T, 2004. Economic Optimization of Project Risk

http://www.fisher.osu.edu/fin/faculty/Ben-David/articles/BDRR2002.pdf

Projects may be conceived as temporary endeavors with a finite completion date aimed at generating unique products or services [1]. Today's marketplace characterised by fierce competition requires increased accuracy and reduced time and costs in running projects [2]. In such a context, the variability of actual quality, time, and cost performance compared to the expected one crucially impacts on the success of a project and makes risk a central issue in project management [3]. It has been demonstrated that failure to deal with risk is a main cause of budget exceeding, falling behind schedule, and missing performance targets [4,5]. Additionally, in several industries, such as the construction and information and communication technology ones, the growing level of complexity, due to increased size and scope, huger investments, longer execution processes, more required resources, an augmented number of stakeholders, instable economic and political environments, and changing regulations, exacerbates the degree of risk in projects [6]. Therefore, these aspects ask for assessing and controlling risk throughout all the phases of a project. Before going into detail about project risk management, it is beneficial to recall the notions of uncertainty and risk. Uncertainty arises from either the natural variability or randomness of a system or an incomplete information or knowledge of some of its characteristics. In the first instance, uncertainty cannot be reduced by increasing data collection or knowledge, though they are valuable for assessing it, while in the second case a more accurate data collection and understanding are able to decrease the level of uncertainty [7-9]. Project risk is defined as an uncertain event or condition that, if it occurs, has either a positive or a negative effect on project objectives [1,10].

The management of risk is currently one of the main topics of interest for researchers and practitioners working in the field of project management. Different perceptions, attitudes, values regarding risk, needs, project sectors, specifications, geographical, social, economic,

© 2012 Cagliano et al., licensee InTech. This is an open access chapter distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. © 2012 Cagliano et al., licensee InTech. This is a paper distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

and political environments have led to a variety of definitions, concepts, terms, and approaches, all highlighting the need for systematically addressing uncertainty.

A Framework to Select Techniques Supporting Project Risk Management 69

management process to effectively support decision-making [18]. Projects are often organised and managed in ways that create information and communication disconnects. Decisions about risk are made independently from one another according to the different nature of possible risky events (e.g. business, technical, operation, and country-specific) and the interactions among them are not taken into account. Participants in a project do not share a comprehensive understanding of the risks that may affect it and a life cycle view of uncertainty is usually uncommon. This brings compartmentalisation of risks because they are identified, assessed, and controlled by using only one perspective [19]. A structured communication of the objectives, instruments, and findings of the risk management process as well as of the required actions as a result of its output is strongly needed, being organisational and individual learning increasingly important when dealing with risk [20].

Communication among project parties generates awareness of risk and supports knowledge

A variety of practices exists to deepen the understanding of causes and consequences of uncertainty [4,21-23]. However, their application is still limited because several organisations do not systematically track past data and performance for this purpose. When there is a substantial lack of explicit information an important source of knowledge is represented by the implicit information held by the so called "experts". The term expert refers to those people to whom special knowledge about specific issues is attributed and from whom it is possible to obtain information that is useful for risk investigation. The process of extracting information from experts is named elicitation, which is defined as formulating a person's knowledge and beliefs about one or more uncertain quantities into a probability distribution for these quantities [24]. Elicitation of implicit expert knowledge is a core component of qualitative risk assessment, by means for instance of Delphi analysis or SWOT analysis, where it is used to define probability distributions for the occurrence and

Another relevant issue in knowledge creation about risk is related to the guidelines on how to approach it. As mentioned, literature offers a wide range of frameworks to identify risk sources, evaluate their probabilities and impacts in both a qualitative and a quantitative way, and set up risk response strategies. Also, there are some attempts to categorise these practices according to the nature of the data they rely on, the phase of the risk management process, the kind of project, or the purpose of the analysis [1,25-27]. However, existing contributions usually focus on just one single aspect and there is a lack of taxonomies that simultaneously look at all the relevant dimensions that should be taken into account when choosing an appropriate means of treating risk. In addition, the terminology used to address risk management practices is somewhat confused. The most common words that can be found in literature are tool, technique, and method but there is no widely accepted definition of these concepts and of the relationships among them in the field of risk management. Sometimes a same practice is referred to with different terms. For instance, while Delphi is generally classified as a technique [1,26], the Failure Mode and Effects Analysis (FMEA) is defined as either a tool [4] or a method [25]. However, determining the exact nature of risk instruments and creating a hierarchy among them help to recognise their

creation about both drivers and effects of uncertainty and approaches to cope with it.

the impact of risky events.

Since the Nineties, most of the contributions have focused on the establishment of a risk management process: significant examples are the Project Uncertainty MAnagement (PUMA) process [11],the Multi-Party Risk Management Process (MRMP)[12],the Shape, Harness and Manage Project Uncertainty (SHAMPU) process [13], the Two-Pillar Risk Management (TPRM) process [14],the risk management process developed by the Project Management Institute [1], the Project Risk Analysis and Management (PRAM) process [15], the Risk Analysis and Management for Projects (RAMP) process [16], and The Active Threat and Opportunity Management (ATOM) Risk Process [10].

An effective application of risk management processes is not disjointed from sound enabling instruments. So, another research stream is running parallel to that focusing on the overall risk management structure: the development, implementation, and evaluation of operational means to put in practice risk management [17].

However, in literature there is a scarce systematisation of the actual capabilities of such practices. In addition, there is a lack of frameworks categorising them based on a comprehensive set of the peculiar characteristics of a project, of its management process, and of its surrounding business environment, as well as on the attitude of an organisation towards risk.

In order to contribute to fill this gap, the present work puts forward a taxonomy supporting the selection of the most suitable risk management techniques in any given project scenario, with the aim of fostering knowledge creation about how to treat risky events. The research mainly focuses on projects characterised by the achievement of a final work product not completely defined at the beginning of the project itself, such as in the construction, engineering, and information and communication technology industries.

After discussing the value of communication and knowledge in risk management, a set of dimensions reflecting the most important managerial and operational conditions characterising a project is developed starting from a review of pertinent literature. Widely applied techniques to support project risk management are presented and classified according to the framework. Finally, implications, ramifications, and future research directions are elaborated and conclusions drawn.
