Risk Assessment and Allocation for Highway Construction Management

5. Risk Mitigation and Planning

5.1. Objectives of Risk Mitigation and Planning

The objectives of risk mitigation and planning are to explore risk response strategies for the highrisk items identified in the qualitative and quantitative risk analysis. The process identifies and assigns parties to take responsibility for each risk response. It ensures that each risk requiring a response has an owner. The owner of the risk could be an agency planner, engineer, or construction manager, depending on the point in project development, or it could be a private sector contractor or partner, depending on the contracting method and risk allocation.

Risk mitigation and planning efforts may require that agencies set policies, procedures, goals, and responsibility standards. Formalizing risk mitigation and planning throughout a highway agency will help establish a risk culture that should result in better cost management from planning through construction and better allocation of project risks that align teams with customer-oriented performance goals.

Once the agency planner, engineers, and construction managers have thoroughly analyzed the critical set of risks, they are in a better position to determine the best course of action to mitigate those risks. Pennock and Haimes of the Center for Risk Management of Engineering Systems state that three key questions can be posed for risk mitigation:⁽¹⁴⁾

1. What can be done and what options are available?
2. What are the tradeoffs in terms of all costs, benefits, and risks among the available options?
3. What are the impacts of current decisions on future options?

An understanding of these three questions is critical to risk mitigation and risk management planning. Question 1 addresses the available risk response options, which are presented in the following section. An understanding of questions 2 and 3 is necessary for risk planning because they determine the impact of both the immediate mitigation decisions and the flexibility of risk mitigation and planning on future events.

5.2. Risk Response Options

Risk identification, assessment, and analysis exercises form the basis for sound risk response options. A series of risk response actions can help agencies and their industry partners avoid or mitigate the identified risks. Wideman, in the Project Management Institute standard Project and Program Risk Management: A Guide to Managing Risks and Opportunities, states that a risk may be the following:

• Unrecognized, unmanaged, or ignored (by default).
• Recognized, but no action taken (absorbed by a mater of policy).
• Avoided (by taking appropriate steps).
• Reduced (by an alternative approach).
• Transferred (to others through contract or insurance).
• Retained and absorbed (by prudent allowances).
• Handled by a combination of the above.

The above categorization of risk response options helps formalize risk management planning. The Caltrans Project Risk Management Handbook suggests a subset of strategies from the categorization defined by Wideman above.⁽⁶⁾ The Caltrans handbook states that the project development team must identify which strategy is best for each risk and then design specific actions to implement that strategy. The strategies and actions in the handbook include the following:

• Avoidance-The team changes the project plan to eliminate the risk or to protect the project objectives from its impact. The team might achieve this by changing scope, adding time, or adding resources (thus relaxing the so-called triple constraint).
• Transference-The team transfers the financial impact of risk by contracting out some aspect of the work. Transference reduces the risk only if the contractor is more capable of taking steps to reduce the risk and does so. (This strategy is discussed in depth in Chapter 6.).
• Mitigation-The team seeks to reduce the probability or consequences of a risk event to an acceptable threshold. It accomplishes this via many different means that are specific to the project and the risk. Mitigation steps, although costly and time consuming, may still be preferable to going forward with the unmitigated risk.
• Acceptance-The project manager and team decide to accept certain risks. They do not change the project plan to deal with a risk or identify any response strategy other than agreeing to address the risk if it occurs.

Given a clear understanding of the risks, their magnitude, and the options for response, an understanding of project risk will emerge. This understanding will include where, when, and to what extent exposure will be anticipated. The understanding will allow for thoughtful risk planning.

5.3. Risk Planning

Risk planning involves the thoughtful development, implementation, and monitoring of appropriate risk response strategies. The DOE's Office of Engineering and Construction Management defines risk planning as the detailed formulation of a plan of action for the management of risk.⁽⁴⁾ It is the process to do the following:

• Develop and document an organized, comprehensive, and interactive risk management strategy.
• Determine the methods to be used to execute a risk management strategy.
• Plan for adequate resources.

Risk planning is iterative and includes describing and scheduling the activities and processes to assess (identify and analyze), mitigate, monitor, and document the risk associated with a project. For large projects or projects with a high degree of uncertainty, the result should be a formal risk management plan.

Planning begins by developing and documenting a risk management strategy. Early efforts establish the purpose and objective, assign responsibilities for specific areas, identify additional technical expertise needed, describe the assessment process and areas to consider, delineate procedures for consideration of mitigation and allocation options, dictate the reporting and documentation needs, and establish report requirements and monitoring metrics. This planning should also address evaluation of the capabilities of potential sources as well as early industry involvement.

5.4. Risk Planning Documentation

Each risk plan should be documented, but the level of detail will vary with the unique attributes of each project. Large projects or projects with high levels of uncertainty will benefit from detailed and formal risk management plans that record all aspects of risk identification, risk assessment, risk analysis, risk planning, risk allocation, and risk information systems, documentation, and reports. Projects that are smaller or contain minimal uncertainties may require only the documentation of a red flag item list that can be updated at critical milestones throughout the project development and construction.

5.4.1. Red Flag Item Lists

A red flag item list is created at the earliest stages of project development and maintained as a checklist during project development. It is perhaps the simplest form of risk identification and risk management. Not all projects will require a comprehensive and quantitative risk management process. A red flag item list can be used in a streamlined qualitative risk management process.

A red flag item list is a technique to identify risks and focus attention on critical items that can impact the project's cost and schedule. Issues and items that can potentially impact project cost or schedule in a significant way are identified in a list, or red flagged, and the list is kept current as the project progresses through development and construction management. By listing items that can potentially impact a project's cost or schedule and by keeping the list current, the project team has a better perspective for setting proper contingencies and controlling risk. Occasionally, items considered risky are mentioned in planning but soon forgotten. The red flag item list facilitates communication among planners, engineers, and construction managers about these items. By maintaining a running list, these items will not disappear from consideration and then later cause problems.

Caltrans has developed a sample list of risks (see Appendix B) in its Project Risk Management Handbook.⁽⁶⁾ While this sample list can be used to create a list of red flag items for a project, it is quite comprehensive and any single project's list of red flag items should not include all of these elements. The next section discusses risk charters, which is a more formalized and typically more quantitative extension of a red flag list.

5.4.2. Risk Charters

The creation of a risk charter is a more formal identification of risks than the listing of red flag items. Typically, it is completed as part of a formal and rigorous risk management plan. The risk charter provides project managers with a list of significant risks and includes information about the cost and schedule impacts of these risks. It also supports the contingency resolution process described in Chapter 6 by tracking changes in the magnitude of potential cost and schedule risk impacts as the project progresses through the development process and the risks are resolved.

A risk charter is a document containing the results of a qualitative or quantitative risk analysis. It is similar to a list of red flag items, but typically contains more detailed information about the potential impact of the risks and the mitigation planning. The risk charter contains a list of identified risks, including description, category, and cause. It may contain measurements of magnitude such as the probability and impact of occurrence. It may also include proposed mitigation responses, "owners" of the risk, and current status. This method may be more effective than simply listing potential problem areas through red flagging because it integrates with the risk monitoring and control processes. The terms "risk charter" and "risk register" are synonymous in the highway industry.

A risk charter is used as a management tool to identify, communicate, monitor, and control risks. It provides assistance in setting appropriate contingencies and equitably allocating risks. As part of a comprehensive risk management plan, the risk charter can help control cost escalation. It is appropriate for large or complex projects that have significant uncertainty.

The charter organizes risks that can impact cost estimates and project delivery. A risk charter is typically based on either a qualitative or quantitative assessment of risk, rather than simple engineering judgment. The identified risks are listed with relevant information for quantifying, controlling, and monitoring. The risk charter may include relevant information such as the following:

• Risk description
• Status
• Date identified
• Project phase
• Functional assignment
• Risk trigger
• Probability of occurrence (percent)
• Impact ($ or days)
• Response actions
• Responsibility (task manager)

Two examples of risk charters are in Appendix D. The first example, from Caltrans, is a spreadsheet that forms the basis of the agency's risk management plan.⁽⁶⁾ The spreadsheet contains columns for identification, analysis, response strategy, and monitoring and control. The second example is from an FTA report on risk assessment, which uses the term risk register synonymously with risk charter.⁽¹¹⁾ The FTA risk register contains more quantitative risk assessment information than the Caltrans example, but the goal of the documentation is similar. FTA adds issues such as correlation among dependent components, type of distribution used to model the risk, and expected value of the risks.

5.4.3. Formal Risk Management Plan

The project development team's strategy to manage risk provides the project team with direction and basis for planning. The formal plan should be developed during the planning and scoping process and updated at subsequent project development phases. Since the agency and contractor team's ability to plan and build the facility affects the project's risks, industry can provide valuable insight into this area of consideration.

The plan is the road map that tells the agency and contractor team how to get from where the project is today to where the public wants it to be in the future. Since it is a map, it may be specific in some areas, such as the assignment of responsibilities for agency and contractor participants and definitions, and general in other areas to allow users to choose the most efficient way to proceed. The following is a sample risk management plan outline:

1. Introduction
2. Summary
3. Definitions
4. Organization
5. Risk management strategy and approach
6. Risk identification
7. Risk assessment and analysis
8. Risk planning
9. Risk allocation
10. Risk charter and risk monitoring
11. Risk management information system, documentation, and reports

Each risk plan should be documented, but the level of detail will vary with the unique attributes of each project. Red flag item lists, risk charters, and formal risk management plans provide flexibility in risk management documentation.

5.5. Conclusions

Risk mitigation and planning use the information from the risk identification, assessment, and analysis processes to formulate response strategies for key risks. Common strategies are avoidance, transference, mitigation, or acceptance. The mitigation and planning exercises must be documented in an organized and comprehensive fashion that clearly assigns responsibilities and delineates procedures for mitigation and allocation of risks. Common documentation procedures frequently include the creation of red flag item lists, risk charters, and formal risk management planning documentation. Risk mitigation and planning efforts may necessitate that agencies set policies, procedures, goals, and responsibility standards. Formalizing risk mitigation and planning throughout the agency will help establish a risk culture that should result in better cost management from planning through construction and better allocation of project risks that align teams with customer-oriented performance goals.

5.6. Illustration: Risk Mitigation and Planning

The following provides an example of the risk mitigation and planning strategies for the illustrative project. It shows the portion of the overall risk charter used to manage the risks on the project. It also shows a sample of the risks and their associated mitigation strategy and mitigation actions. The columns for responsibility and interval or milestone check enable monitoring and control, as described in Chapter 7.

US 555-SH 111 Interchange Risk Mitigation

The QDOT project team examined all of the risks for the project that would have a high impact if they were realized. The team also focused on those risks with a high probability of occurrence. This information was valuable for the team's understanding of the critical issues and helped them determine where they should expend their design effort. The team created a risk charter based on the initial risk identification and the detailed risk assessment and analysis. A number of the risks from this charter are illustrated below to show how the team proceeded with risk mitigation and planning. This charter formed the basis for the monitoring and control process described in Chapter 7.