**3.2. Three dimensions to characterise project risk management techniques**

Based on a careful analysis of the characteristics of the techniques supporting risk management proposed in literature and applied in business practice, the authors believe that among the discussed criteria

A Framework to Select Techniques Supporting Project Risk Management 73

level of risk awareness, together with appropriate availability of knowledge, make possible

A selection of support techniques based on the above dimensions represents a strength inside the risk management process because it stimulates the achievement of improved

According to Hillson [40], risk management is about finding an answer to six simple questions such as "What do we want to achieve?", "What might affect us?", "Which of the things that might affect us are most important?", "What should we do about them?", "Did our actions work?", and "What has changed in the new scenario?". These questions represent the main issues of the risk management process, which is generally recognised as the process concerned with conducting the following phases: risk management planning,

In risk management planning the objectives and the approach to carry out risk treatment tasks are decided together with assigning resources and time to these activities, with the aim of allowing a smooth conduction of the subsequent phases. Risk identification defines the risks to which the project is exposed and describes their causes and characteristics. The goal of the risk analysis phase, sometimes named risk assessment, is giving an importance priority to the identified risks to enable managerial actions and establishing the overall level of risk exposure of the project. In particular, qualitative risk analysis is focused on determining the probabilities of occurrence of risky events and the associated impacts on project outcomes, the time periods when the risks could affect the project, when it is possible to influence them, and the relationships between risks and cost, schedule, scope, and quality constraints. Quantitative risk analysis operates on those risks that substantially impact the project and numerically evaluates their effects. Risk response starts from the previously identified risks and their significance to develop actions to increase opportunities and decrease threats. Resources and activities are inserted into the budget, schedule, and project management plans. The final phase, risk monitoring and control, is the on-going identification and management of new risks that become known during a project, the tracking of already identified risks, the monitoring of residual risks, the implementation of planned responses as well as the review of their effectiveness, the development of additional

risk identification, risk analysis, risk response, and risk monitoring and control [1].

actions, if needed, and the formalisation of lessons learned about risk [1,35].

in Section 3.1.

**3.4. Phases of the project life cycle** 

The importance of the dimension of the risk management process phases for selecting techniques to support the treatment of risk is witnessed by the many works discussing instruments for each phase existing in literature. Some of them have been already presented

In a similar way as when the risk management process is approached, undertaking a project means tackling some basic questions: "Who are the parties ultimately involved?", "What do

to obtain that objective information allowing the quantification of risk.

outcomes in terms of time, cost, and quality performance [39].

**3.3. Phases of the risk management process** 


are the three dimensions that encompass the most relevant aspects for understanding and choosing among project risk management techniques. In fact, the focus is on "risks" that occur in "projects" which are in turn run by "companies". Moreover, such dimensions adequately reflect the crucial concept that risk practices can only be selected once a problem is structured and well understood and the application of these instruments depends on the circumstances of the problem, hence on the need to fully comprehend it.

Every specific risky event in a project has its own escalation process characterised by one or more sources or causes, an occurrence, and one or more consequences [35]. Each of these phases requires its own approach to be studied. Sources of risk are analysed by concentrating on their identification, description, and classification (e.g. internal and external causes), the occurrence is defined by the probability and the impact of the risky event, and the consequences are described in terms of time, cost, and quality variance against the expected performance.

Additionally, no practice is perfectly tailored to deal with every risk occurring in the course of a project [22]. Each of the risks faced during a project has its own specificity depending on its position within the project life cycle. For example, throughout the feasibility study, when the main issue is making appropriate strategic choices, the probabilities of occurrence of risks are difficult to be defined because of the still scarce level of information associated with that phase. By contrast, in the following phases risks are mainly related to the consequences of decisions made in the previous steps of the project and their sources, manifestation, and effects can be characterised in a more accurate way. Also, in the late phases of a project a risk may be the effect of other risks that manifested themselves in previous phases.

Besides the phases of the risk management process and the life cycle of a project, a third pillar constitutes the foundation of a sound selection of techniques supporting risk treatment: the reference context of the organisation that develops a project. In particular, this work is interested in the maturity towards risk, that is basically achieved through risk awareness, the consideration that the risk management activity is on the same level as cost, time, and scope management tasks, commitment to high quality of data, systematic implementation of instrument to deal with risk, development of responses to risk, and assessment of the obtained results [38]. The extent to which a company possesses these features represents that cultural bedrock that enables the application of specific techniques to prevent, accept, mitigate or exploit risky events and their effects. In particular, a high level of risk awareness, together with appropriate availability of knowledge, make possible to obtain that objective information allowing the quantification of risk.

A selection of support techniques based on the above dimensions represents a strength inside the risk management process because it stimulates the achievement of improved outcomes in terms of time, cost, and quality performance [39].
