### **2. Risk management methodology**

Risk management methodology was first described in detail by Wideman in [1]. The methodology was then improved by the PMI [2], adding details based on users' experience.

Project Risk management involves the following steps:


4. A Risk Response plan includes answers to the threats that are identified in the risk assessment phase. There are a number of ways to address these threats.

Selecting a Response Plan Under Budget Constraints 57

a. Avoidance - generate a course of action that eliminates the risk.

b. Transfer – transfer responsibility for the particular risk to a third party, either by utilizing insurance or, in the international arena, by forming treaties and international agreements.

c. Acceptance - a rational decision to accept a known risk without taking any action to prevent its outcome or deal with its consequences. The risk is usually dealt with when it is recognized as a risk. An acceptance of risk is recommended in situations where the consequences of the risk are less costly or less traumatic than the effort required to prevent the risk.

d. Mitigation - refers to action taken to reduce either the probability of occurrence of an unfavorable event or the impact of this event. Mitigation is usually executed in the form of a plan designed to handle high-threat possible events.

e. Contingency Planning – refers to specific actions to be taken when a potential risk event occurs. In general, contingency plans should be developed in advance in preparation for the moment when risk events are realized.

Out of the five responses, only three (avoidance, transfer and mitigation) involve a real investment and require budget allocation.

5. A Control Plan is a series of course adjustments within the project's main objectives. These adjustments include scheduling and tracing the advance of risk situations. The control plan defines indicators that provide warnings regarding the realization of specific risks.

Continuously assessing program risks is the implementation of the control plan by checking any changes in the assessment of risks, and conducting a continuous search for warning signs that indicate any realization of known risks.

This part of the project plan includes the updating of the risk management plan.

The current study concentrates on allocating a budget to the response plan in an optimal manner.

This paper includes a literature review, problem definition, algorithms' definition, an example that is solved by all algorithms, and a comparison among the algorithms by simulation results. The research is quantitative and presents simulation results. Since the differences among the algorithms for different budgets are so large, statistical analysis is unnecessary.

The simulation and algorithms were verified by solving known problems and their solutions.

### **3. Literature review**

Project risk management literature commonly describes the need to rank and prioritize project risks in order to focus the risk management effort on the higher risks. Baccarinia et al. in [4] describe the use of a methodology for the risk ranking of projects by some subjective judgment; this method has been implemented in construction projects and multiproject environments. Engert from MITRE [3] wrote a user's manual for an Excel application for risk management. The application includes a ranking method of risks based on Borda's method. The Borda method is more quantitative than the subjective judgment method, but still includes some fuzzy ranking when it combines the rank of risk probability with the rank of impact. Ochsner [5] emphasizes the limited attention to risk-based priorities and the growing consensus among industries that risk considerations need to be better integrated into decisions. He agrees that although money is not always the best way to measure risks, no better alternative has thus far been suggested. His ranking method is based on discussions with consultants and experts, assigning scores from 1 to 10 for each category. Li et al. [6] present a ranking method for multiple hazard risks; the method is based on screening all the risks with experts and weighting the risks according to frequency, severity, availability of warning, awareness, etc.

56 Risk Management – Current Issues and Challenges

In [7] the author presents the difficulties involved in ranking risks. He utilizes the following framework: Risk = Threat × Vulnerability × Consequence, which is usually used in military operations research. The Threat × Vulnerability product actually reflects the probability of damaging a target, while the consequence is the damage impact. Our study is important in that for some qualitative measures, it presents counterexamples that highlight the limitation of this measurement type. Klein [8] developed a conceptual model for analyzing alternative risk mitigation responses, while accounting for the possibility of trade-off risk among the three main success criteria: cost, duration and scope (or quality). He showed that, given the numerical estimates of risk probabilities and impacts of all the relevant responses, mathematical techniques such as dynamic programming or integer programming could be applied to find the best combination of responses that minimizes project uncertainty. This approach analyzes trade-offs among success criteria.

Ben-David et al. [9] analyze a problem that is similar to the current one, but take a different approach. Assuming that several risk mitigation responses can be implemented with different costs and different expected results, a selection of the best combination of responses is needed. All of the responses are broken down to their work elements, so that each risk can belong to several of them. The Total Risk Cost (TRC) is minimized by two heuristic algorithms, the greedy and the naïve, after which a comparison is presented. The current manuscript does not take into account the budget limitation, and assumes that as long as risk can be mitigated and it is worthwhile from the budget point of view – it will be done.

There are many studies that use subjective judgment to rank risks in different areas, industries, projects and programs. However, none of these ranking methods take into account *the response capability to risks*. There might be a huge difference between two risks that have the same probability of occurrence and the same actual impact when one of them occurs. For the first risk there is a mitigation plan that reduces its effect substantially and costs \$1,000, while for the second risk, any type of mitigation plan costs more than \$100,000. The study of Gonen et al. [10] proposes an additional criterion for the assessment of risks – that of *controllability*. The introduction of this criterion adds a third dimension to the risk evaluation process, in addition to its probability and impact. The controllability of a given risk reflects the ability to control it, mitigate it, or even prevent it. Assessing controllability may reduce the efforts and spending of managerial time and expenses on non-controllable risks and, in the end, direct the attention of management solely to controllable risks.


Controllability adds a new criterion that takes into account the response capability, but still does not propose a method to quantitatively rank the risks. In the current paper, we overcome the problem of ranking risks by utilizing a method of selecting the optimal mitigation plan for a given budget, and therefore, the risks to be mitigated or transferred.

Kutsch et al. [11] have investigated the type of risks that can be deliberately ignored. In the current study, we deal with risks that are not supposed to be ignored.

Let B=50. In this case, we can either choose the second or the third row. If we choose the second row, we reduce the expected damage of Risk 1 to 100 and stay with Risk 2 at an expected damage of 210. All together, the expected damage of both risks is 310. The same is true if we choose to handle Risk 2 and reduce the expected damage to 110. Since the expected damage of Risk 1 is 200, the total is 310. Let B=80. In this case, we can choose the first row or the previous option of B=50. Choosing Row 1 brings the total expected damage to 90+210=300 (the 210 is from R2). If we choose the second row (mitigating R1), our total expected damage will be 310, and the third row (mitigating R2) will be the same - 310. However, in both mitigation plans we only invest 50, while in the transfer policy we invest a minimum of 80. People who are risk-averse will prefer this option, while others who are attracted to risk might prefer the second or third row. If B=100, then an additional option is open which allows us to choose Rows 2 and 3 and reduce the expected damage to 210. If B=130 and up, we can choose Rows 1 and 3 and reduce the expected damage to 200.

If we try to minimize the expected damage when B=80, then transferring R1 would be optimal, although usually risk management methods will rank R2 higher and recommend treating it first.

In order to define the optimal response problem, we will use the following terminology and symbolization:

There are $n$ risks $R_1, \ldots, R_n$. For each risk $R_i$, the probability of its occurrence is $P_i$ and the damage when it occurs is $D_i$. Therefore, for each risk $R_i$, the expected damage is $Q_i = P_i \cdot D_i$. Index $i$ will be used for risks.

For each risk $R_i$, there are $k$ responses (some can be empty; others can be transfer or mitigation) out of which we can choose, at most, **one**. This can be done by combining mitigation plans together. Index $j$ will be used for a response plan.

The response $j$ to risk $R_i$ costs $C_{ij}$; after its implementation, the probability of its occurrence is $P_{ij}$ and the corresponding damage is $D_{ij}$. The expected damage after its implementation is

$$Q_{ij} = P_{ij} \cdot D_{ij}.$$

A response plan is defined as "worthwhile" only if

$$Q_i > (C_{ij} + Q_{ij}) \quad \text{for } i = 1, \ldots, n \tag{1}$$

(Only if the investment + the expected damage after the implementation are lower than the original expected damage). A response plan that is not worthwhile will not be included in the list of possible responses. Actually, the savings in selecting response $j$ to risk $R_i$ is:

$$Q_i - (C_{ij} + Q_{ij}).$$

Let us now define the decision variables $X_{ij}$ as 1, if response $j$ is selected for risk $R_i$, and 0, otherwise.
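The two-risk example and the "at most one response per risk" rule described above can be checked with a short program. This is an added example, not code from the chapter: the costs (80, 50, 50) and post-response figures (90, 100, 110) are reconstructed from the numbers quoted in the text, the function names are assumptions, and the rank-first baseline goes slightly beyond the text to show the B=80 case where ranking by expected damage is not optimal.

```python
# Constructed from the figures quoted in the text (the chapter's own table is
# not reproduced here). Each response is (label, cost, figure after response);
# "after" is assumed to be the quantity compared in the worthwhile test.
RISKS = {
    "R1": {"expected": 200, "responses": [("transfer", 80, 90), ("mitigate", 50, 100)]},
    "R2": {"expected": 210, "responses": [("mitigate", 50, 110)]},
}

def best_plan(risks, budget):
    """Multiple-choice knapsack: at most one response per risk, cost <= budget.
    Returns (total expected damage, {risk: chosen label or None})."""
    states = {0: (0, {})}  # money spent -> (total damage, choices so far)
    for name, risk in risks.items():
        options = [(None, 0, risk["expected"])]  # doing nothing is always allowed
        # keep only worthwhile responses: they must beat the untreated risk
        options += [r for r in risk["responses"] if r[2] < risk["expected"]]
        nxt = {}
        for spent, (damage, plan) in states.items():
            for label, cost, after in options:
                s = spent + cost
                if s > budget:
                    continue
                cand = (damage + after, {**plan, name: label})
                if s not in nxt or cand[0] < nxt[s][0]:
                    nxt[s] = cand
        states = nxt
    return min(states.values(), key=lambda v: v[0])

def rank_first_plan(risks, budget):
    """Baseline: treat the risk with the highest expected damage first."""
    total, left = 0, budget
    for _, risk in sorted(risks.items(), key=lambda kv: -kv[1]["expected"]):
        affordable = [r for r in risk["responses"]
                      if r[1] <= left and r[2] < risk["expected"]]
        if affordable:
            _, cost, after = min(affordable, key=lambda r: r[2])
            left -= cost
            total += after
        else:
            total += risk["expected"]
    return total

if __name__ == "__main__":
    for b in (50, 80, 100, 130):
        print(b, best_plan(RISKS, b), rank_first_plan(RISKS, b))
```
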
