Risk Assessment and Allocation for Highway Construction Management

3. Risk Assessment

3.1. Objectives of Risk Assessment

Risk assessment is the process of quantifying the risk events documented in the preceding identification stage. Risk assessment has two aspects. The first determines the likelihood of a risk occurring (risk frequency); risks are classified along a continuum from very unlikely to very probable. The second judges the impact of the risk should it occur (consequence severity). Risks affect project outcomes in diverse ways. Risk effects are usually apparent in direct project outcomes by increasing costs or schedules. Some risks influence the project by affecting the public, public perception, the environment, or safety and health considerations. Risk can also affect projects in indirect ways by requiring increased planning, review, and management oversight activity. The risk assessment phase has as its primary objective the systematic consideration of risk events, their likelihood of occurrence, and the consequences of such occurrences.

3.2. Conducting Risk Assessment

Risk assessment is fundamentally a management activity supported by persons familiar with risk management activities. Managers and analysts approach risk using different but complementary viewpoints. Managers tend toward qualitative assessment of risks. They evaluate risks on their worst-case effects and their relative likelihood of occurrence. Managers also tend to focus on strategies and tactics for avoiding risks or reducing a risk's negative impacts. Analysts, on the other hand, tend toward quantitative assessment of risks. They evaluate risk impacts in terms of a range of tangible results and they evaluate risk of occurrence in terms of probabilities. The analyst's focus is on the combined tangible effect of all of the risks on project scope, cost, and schedule. A comprehensive risk assessment combines both qualitative and quantitative assessments. The qualitative assessment is useful for screening and prioritizing risks and for developing appropriate risk mitigation and allocation strategies. The quantitative assessment is best for estimating the numerical and statistical nature of the project's risk exposure. This chapter will discuss qualitative risk assessments and Chapter 4 will cover quantitative risk assessment.

3.3. Complex Nature of Risk in Highway Project Delivery

Transportation projects are complex endeavors, and risk assessment for transportation projects is likewise a complex process. Risk events are often interrelated. Occurrence of a technical risk usually carries cost and schedule consequences. Schedule risks typically impact cost escalation and project overhead. One must carefully consider the likelihood of a risk's occurrence and its impact in the context of a specific set of project conditions and circumstances. A project's goals, organization, and environment influence every aspect of a given risk assessment. Some projects are primarily schedule driven; other projects are primarily cost or quality driven. Whether a specific risk event is perceived fundamentally as a cost risk or a schedule risk is governed by the project-specific context. The next several paragraphs discuss some risk characteristics that are salient to their assessment.

3.3.1. Risk to Whom

A fundamental concept for any risk assessment is "risk to whom," or whose risk is being assessed and measured. A typical transportation project has many participants, most of whom carry some share of the risk. Some risks are carried by the construction contractor, others by the agency or its design consultants. Some risks are allocated between parties by contract or through insurance. From the vantage point of a performing contractor, changes in the scope of a project (i.e., differing site conditions) are not traditionally a cost risk because the cost consequences of the site condition fall to the transportation agency. From the vantage point of the agency, everything must be in its scope. Whether it maintains the risk itself or allocates it to the contractor via a contract, it ultimately bears the risk and must understand it. This essential concept-whose risk is being assessed-is central to an accurate and effective risk assessment. The allocation of these risks through the design or construction contract is discussed in Chapter 6.

3.3.2. Sources of Risks

Although project risks are interrelated and interdependent, most risks spring from a definite origin. The customary origins for project risks are the following:

• Performance, scope, quality, or technology issues
• Environment, safety, and health concerns
• Scope, cost, and schedule uncertainty
• Political concerns

Many risk checklists (see Chapter 2 and Appendix B) have been developed that classify different types of risks according to their source.

3.3.3. Foundations of Risk

It is useful to consider the source of the risk when conducting a risk assessment. Risks can be classified as either internal or external. Internal risks are those that arise within the scope and control of the project team. Most internal risks can be referenced to a specific project document such as a cost estimate or a schedule. Internal risks usually refer to items that are inherently variable (i.e., what is the cost of concrete or how long will it take to require the right-of-way?). External risks are items that are generally imposed on the project from establishments beyond the limits of the project. Interactions with citizens groups or regulators are typical external risks. Funding constraints and restrictions are other common external risks. External risks tend to refer to items that are inherently unpredictable but generally foreseeable. The Project Management Institute uses this classification of risk, shown in figure 8.¹⁶

3.3.4. Incremental and Discrete Risks

One can think of measuring risks two different ways. Some risks are measured incrementally and continuously. That is, occurrence of the risk evidences itself in a series of small changes over the life of the project. For example, the cost of one item may be 5 percent higher, the cost of another 10 percent. Most internal risk (costs, durations, quantities) are of this type. On the other hand, external risks are usually incident-oriented or discrete risks. In other words, the risk either occurs or it does not

Many frequent, small changes characterize incremental risks. They are high-frequency but low-consequence risks. Discrete risks are characterized by a single large change. They are low-frequency but high-consequence events.

3.3.5. Model Risk and Data Risks

One risk distinction that is especially important in quantitative risk assessment is whether risks are epistemic or aleatory. Aleatory (data) risks refer to uncertainty associated with the data used in risk calculations. An example of an aleatory risk is the uncertainty surrounding the cost of a material (i.e., steel or asphalt). Epistemic (model) risks refer to risks that arise from the inability to accurately calculate a value. For example, one may know precisely the soils characteristics and still be unable to precisely calculate the number of compactor passes needed to attain a certain compacted soil density.

Figure 8: Risk identification classification

3.4. Risk Screening: Risk Severity and Frequency

Following the risk identification and qualitative risk assessment phases, one has developed a set of risks characterized by their frequency of occurrence and the severity of their consequences. Frequency and severity are the two primary characteristics used to screen risks and separate them into minor risks that do not require further management attention and significant risks that require management attention and possibly quantitative analysis. Various methods have been developed to help classify risks according to their seriousness. One common method is to develop a two-dimensioned matrix that classifies risks into three categories based on the combined effects of their frequency and severity. Figure 9 requires classifying risks into one of five states of likelihood (remote through near certain) and into five states of consequence (minimal through unacceptable). These assessments yield a five-by-five matrix that classifies a risk as either "high" (red), "moderate" (yellow), or "low" (green).

3.4.1. Low-Risk Events

Risks that are characterized as low can usually be disregarded and eliminated from further assessment. As risk is periodically reassessed in the future, these low risks are closed, retained, or elevated to a higher risk category.

3.4.2. Moderate-Risk Events

Moderate-risk events are either high-likelihood, lowconsequence events or low-likelihood, high-consequence events. An individual high-likelihood, low-consequence event by itself would have little impact on project cost or schedule outcomes. However, most projects contain myriad such risks (material prices, schedule durations, installation rates, etc.); the combined effect of numerous high-likelihood, lowconsequence risks can significantly alter project outcomes. Commonly, risk management procedures accommodate these high-likelihood, low-consequence risks by determining their combined effect and developing cost and/or schedule contingency allowances to manage their influence.

Low-likelihood, high-consequence events, on the other hand, usually warrant individualized attention and management. At a minimum, low-likelihood, high-consequence events should be periodically monitored for changes either in their probability of occurrence or in their potential impacts. The subject of risk registers or risk watch lists is discussed in more detail in Chapter 5. Some events with very large, albeit unlikely, impacts may be actively managed to mitigate the negative consequences should the unlikely event occur.

3.4.3. High-Risk Events

High-risk events are so classified either because they have a high likelihood of occurrence coupled with at least a moderate impact or they have a high impact with at least moderate likelihood. In either case, specific directed management action is warranted to reduce the probability of occurrence or the risk's negative impact.

Figure 9: Risk assessment process

3.5. Application of Risk Assessment

Risk assessment techniques are scalable. They can be applied to small highway reconstruction projects or to large corridor programs. An application of a risk assessment on a small highway reconstruction project can yield a prioritized list of red flag items to monitor over the course of a project's development, design, and construction. Red flag item lists are discussed in Chapter 5.

Risk assessment can also be conducted on a program of many projects. Figure 10 shows the results of a risk assessment used to identify areas of risk in the project and program delivery of the FHWA Federal Lands Highway Division. The agency was able to identify areas (the red cells in figures 10 and 11 ) that it needed to put more effort into for stewardship and oversight of the program. The intent in implementing this matrix was to use it as a framework to further refine the risk assessment of projects and program areas. It provides an excellent example of risk assessment at the programmatic level for highway project delivery.

Figure 10: Likelihood-impact matrix for the Federal Lands Highway Division

Figure 11: Example of a Federal Lands Highway Division critical elements risk assessment

3.6. Conclusions

The goal of risk assessment is not to eliminate all risk from the project. Rather, the goal is to recognize the significant risk challenges to the project and to initiate an appropriate management response to their management and mitigation. A more complete discussion of risk mitigation and planning is in Chapter 5.

3.7. Illustration: Assessment of Risks

The following continues the illustration of QDOT's US 555-SH 111 interchange project. The risk assessment process has progressed from the risk identification phase to the risk assessment phase.

US 555-SH 111 Interchange Project Risk Assessment

QDOT has retained the services of the consultant who facilitated the risk identification workshop to conduct the risk assessment because of the facilitator's skills and experience in risk elicitation, which is the process of drawing out judgments about uncertain events from the project team. The facilitator conducted meetings with a smaller group of the most experienced QDOT staff to elicit qualitative assessments of the major risks for the project. With each team member, the facilitator elicited the likelihood and consequences of each risk event. Whenever possible, the facilitator used caution in the assessment of these risks to compensate for individual biases. The facilitator also used caution in assessing risks that have differing consequences, such as time, cost, or political implications. QDOT has decided that it would like to standardize risk assessment in its process and use a variation of PMI's risk assessment method. An example of the outcome for two of the more severe assessments is provided here.

Figure 12: Assessment outcome

With the risks quantified in terms of their likelihood and impact, a ranked list of risks can be generated. QDOT management will use this knowledge to formulate a risk management plan. It will also determine if a rigorous quantitative risk analysis is required.