Vous êtes sur la page 1sur 6


Categorizing Risks in Seven Large

ProjectsWhich Risks Do the
Projects Focus On?
Hans Petter Krane, Norwegian University of Science and Technology, Trondheim, Norway
Asbjrn Rolstads, Norwegian University of Science and Technology, Trondheim, Norway
Nils O. E. Olsson, Norwegian University of Science and Technology, Trondheim, Norway



In a hierarchy of project objectives, strategic

objectives will often be principally different
from the operational ones. Operational objectives concern the project outputs/results, and
strategic objectives concern the project goal
and purpose. In this study, risks are categorized as risks to operational, long-term, or shortterm strategic objectives, and, by studying a
dataset of some 1,450 risk elements that make
up the risk registers of seven large projects, we
examine how operational and strategic risks
are distributed in the projects. The study
strongly indicates that risks to a projects
strategic objectives rarely occur in the projects
risk registers, though project success and failure stories indicate their importance.

here are numerous publications that show that projects often fail to
meet their cost or schedule target or provide intended benefits, and
there are numerous solutions to solve that problem. One of the early
approaches to improve this was to focus on success factors. Pinto and
Slevin (1987) were among the first to publish success factors. Their ten success factors include project mission, management support, schedule/plan,
client consultation, client acceptance, personnel, technical aspects, monitoring, communication, and feedback. A couple of years later, Duffy and
Thomas (1989) published a study giving the main causes of unsuccessful
projects. The most important were part-time project management, inappropriate organization, inadequate definition of scope, poor planning and
change order control, and risk not identified. It is interesting to note that the
study by Duffy and Thomas has risk as an important factor, whereas Pinto
and Slevin do not mention this in their list. Recent thinking focuses significantly on risk (Maytorena, Winch, Freeman, & Kiely, 2007; Miller & Lessard,
2001; Moynihan, 1997; Simister, 2004). Risk management is considered by
many to be the essence of project management.
Hetland, Sandberg, and Torsy (2005) have studied 44 capital projects
and suggest a new understanding of project-specific uncertainties and offer
a proactive communication strategy that will outwit attackers attempts to
escalate cost deviations. A recent study of mega-oil sand projects in Canada
(Jergeas, 2008) points in the same direction as it highlights overly optimistic
original cost estimates and schedules. Some practitioners have started to
look at volatility as an expression of uncertainty in projects (Costa Lima &
Suslick, 2006).
Today, risk is considered to be a major factor influencing project success,
and Project Risk Management is an important activity in any capital project.
Project Risk Management is also one of the nine Knowledge Areas in
the Project Management Institutes (PMIs) standard A Guide to the Project
Management Body of Knowledge (PMBOK Guide; 4th ed.; 2008a). It is also
part of most maturity models including PMIs Organizational Project
Management Maturity Model (OPM3; 2008b). In 2009, PMI published the
Practice Standard for Project Risk Management. Several authors have published Project Risk Management approaches (Chapman & Ward, 2003; Gareis,
2005; Hartman, 2000; Kerzner, 2006; Morris & Pinto, 2004). The classical
approach to Project Risk Management normally contains four to six steps.
The underpinning idea is to identify risk factors, evaluate and analyze them,
and finally try to manage them. The analysis may be purely qualitative or
quite sophisticated quantitatively.

KEYWORDS: risk management; uncertainties; strategic and operational risks; risk categories

This student paper was presented at the PMI

Global Congress 2009EMEA, held 1820 May
2009, in Amsterdam, Netherlands.

Project Management Journal, Vol. 41, No. 1, 8186

2010 by the Project Management Institute
Published online in Wiley InterScience
DOI: 10.1002/pmj.20154

March 2010 Project Management Journal DOI: 10.1002/pmj



Categorizing Risks in Seven Large Projects

Some authorsfor example, Westney
and Dodson (2006)use the term
strategic risk. Focusing on negative risk,
they regard strategic risk as the prospective impact on earnings or capital from
adverse business decisions, improper
implementation of decisions, or lack of
responsiveness to industry changes. It
is beyond the control of the project
team but may be controlled by the project owner or sponsor. It is a function of
the compatibility of an organizations
strategic goals, the business strategies
that are developed, the resources that
are deployed, and the quality of the
In addition to operational and strategic risk, Rolstads and Johansen (2008)
define contextual risk. This is risk that is
connected to circumstances outside of
the project that may influence the scope
of work and the performance of the
organization. Examples are competing
projects, change in ownership and management, legislation and governmental
directives, media attention, extreme
market conditions, and accidents.
Contextual risk may be difficult to
predict and may have a significant
impact. Taleb (2007) calls such risk
black swans. The black swan logic
makes what you do not know more
important than what you do know.
It may seem trivial to state that both
in the academic and practical discipline
of management there has, for a long
time, been an acceptance that uncertainty plays a major rolenot all factors
of importance may be regarded as well
defined or static. When speaking of project management in particular, the focus
has shiftedfrom a view of the ideal
well-managed project having fixed and
firm plans based on a thorough analysis
of needs and detailed specifications of
the solution, to a greater attention to the
impact of uncertainty.
If it is accepted that uncertainty
may have a substantial impact on projects and how they achieve their goals,
then risk/uncertainty management
becomes an important issue. And it
becomes important to find out more on

how Project Risk Management contributes to achieving objectives. A case

study has therefore been undertaken to
see how Project Risk Management can
address project objectives and to see
whether strategic risks are addressed at
all or not.
In this article, we will do the following:
Define the research questions, discuss
some of the terms commonly used,
establish the terminology that will be
used in this article, and then discuss
the classification of risks.
Describe the method and present the
projects that have been studied.
Present results of the study. Relate the
results to some common hypotheses
from the literature and discuss their
Finally, provide some conclusions and
point out necessary further work.

Research Questions
In this article, a simple categorization of
risks/uncertainties is used, where a distinction is made among operational,
short-term, and long-term strategic
risksbeing risks to project objectives
at different levels. Within such a categorization, many authors have claimed
that the uncertainty is at its largest in
early project stages and that the strategic risks are of greater importance
in the earlier phases of the projects, and
the operational risks in the later phases
(Christensen & Kreiner, 1991; Jaafari,
2001; Samset, 1998). However, Miller
and Lessard have given indications
(2000) that in large engineering projects
that were studied, there was also typically a greater impact from strategic
risks in longer periods of the later stages
of the projects.
So what is the case with the projects
that may be observed today? Do we find
that the projects are struggling with
strategic risks even in the late implementation phase, or are only operational risks found in this phase? Are
there other factors influencing the
dominance of operational risks than
just the project phase? And how are the

March 2010 Project Management Journal DOI: 10.1002/pmj

different risk categories handled with

regard to risk reduction, closing, number of actions, etc. No studies have
been found on how Project Risk
Management is performed with regard
to these aspects. Therefore the authors
conducted an investigation on how risk
management was performed in seven
projects in a large oil and gas company.
The purpose of this study was to find
out which risks were actually being
handled/managed by means of their
risk registers, and how these risks were
assessed and treated. For each of the
projects (through interviews), information was collected on the assessments
of the project owners, the project teams
and other key stakeholders of the projects, and the means in which the evolving risk scenarios of the projects were
More precisely the data collected in
this study has been used to provide
answers to the following questions:
Q1: When risks are identified, how
are they then distributed among the
risk categories?
Q2: Are there any significant differences between the projects regarding
this (for example, differences related
to project size, the project phase, or
other project characteristics)?

A Brief Discussion of Terms

Risk and Uncertainty
A risk is defined herein as an uncertain
event or condition that, if it occurs, has
a positive or negative effect on a projects objectives (PMI, 2008a, p. 373). It
must be emphasized that a risk is characterized by having both a consequence and a probability.
An uncertainty is defined as the
difference between the amount of
information required to perform the
task and the amount of information
already possessed by the organization
(Galbraith, 1977, pp. 3637).
Therefore, a risk is categorized as
having an impact, while an uncertainty
may or may not have a known impact.
An uncertainty is therefore the most

comprehensive term. Both terms do

here include both positive and negative
To investigate closer the relation
between risk and uncertainty for projects, there is a need to look at the use of
the terms risk and uncertainty seen
from two perspectives:
1. The term used for risk/uncertainty as
a situation:
This approach is based on a view of
the entire situationwhere it will be
considered to have more or less of
uncertainty. This is closely related to
the concept of environmental uncertainty, as described by Karlsen
(2001). Karlsens environmental
uncertainty must be regarded as usually forming/making up a substantial
part of (what is here defined as) the
uncertainty of the given situation.
This will be a relevant approach to a
situation where there is a significant
difference between the knowledge
available and the knowledge needed
for making necessary decisions in the
actual situation.
2. The term used for a specific risk/
uncertainty element:
This approach, which might be considered as more pragmatic, selects the
factors/elements most likely to cause
risk (in this case, risk to the objectives
of a project) and defines these as the
main risks (of the project). This
approach is highly relevant in situations with many possible outcomes,
and where some of those outcomes
will have a major impact on the project or the results of the project. In
such a situation it should (in some
way) be possible to make assessments of the probable impact of
those outcomes.
Depending upon the actual situation, these two approaches may be
more or less suitable for preparing a
basis for successful risk/uncertainty
management in a given situation.
There is a need for common terms.
Logically there is a need for a term that
can include both risk and uncertainty

management. One could either select

one of the two (that is, risk or uncertainty) to also act as a superior term, or
one could try to avoid confusion by
introducing a new term as the superior
one. We choose not to introduce a new
term for this, but rather use one that
already exists. Of the two terms, uncertainty wouldwith the specific definitions given herebe the most logical
choice for a term spanning the two elements. This will be because the term
riskwith its direct link to the effects
from riskscannot include uncertainties, where the effects may be unknown.
We will therefore here use uncertainty
as the common term for risks and
uncertainties. Therefore, when the term
risk is used in this article, it will have the
meaning of a risk element that is considered to have an impact.

Risk Categories
It is possible to construct an abundance
of different risk categorizationsand it
has been done. The obvious, pragmatic
approach is to sort the risks in groups
based on common features. For example, risks are sorted by organizational
areas, technical areas, or contract areas.
So-called risk-breakdown structures
(Hillson, 2004; PMI, 2008a) may also be
used as frameworks for such classifications. Our assertion to the majority of
such classifications is the following:
The selection of categories often seems
to be based on a tradition (e.g., the
organization or professional area) of
how to organize ones world. Or they
may have a more operational purpose
for the risk reduction in a given project,
as discussed by Hillson (2004, pp. 130 ff).
Therefore it will implicitly be organized
according to what in our close surroundings we regard the risk to be a risk
against. Or it will be organized according
to who or which area is the most affected. However, for our study, this pragmatic view of risks should be replaced by a
more generic view, requesting a more
generic categorization.
The purpose of this study is to investigate the contribution from Project Risk

Management to the achievement of

project objectives. Therefore, there is a
need for a risk classification starting out
from the objectives of the project, including the higher/more superior objectives
for the project organization (Hillson,
2004). Hence, the categorization proposed here will be based on the levels in
a hierarchy of management objectives,
as shown by, for instance, Mintzberg
(1994). As stated previously, categories
should directly relate to the level of
objectives they affect.
Establishing Operational Criteria
for the Risk Categories
In order to relate the risk categories to
the levels of project objectives, the
three categories are defined as:
1. Operational RisksRisks related to
operational objectives of the project.
This means risks constricted to the
direct results from the project: its
2. Short-Term Strategic RisksRisks
related to short-term strategic objectives of the project. The project owner
will have a set of objectives related to
his use of the project results. The
short-term strategic risks are the risks
related to those objectives, or the risks
for first-order effects of the project
that is, risks for the effects that should
be achieved for the target group or
3. Long-Term Strategic RisksRisks
related to the long-term strategic
objectives of the project. This means
those risks related to the project
purposethe long-term objective that
the project is meant to contribute to.
Operational Criteria Used to Evaluate
Whether a Given Risk Element Is
Long-Term Strategic, Short-Term
Strategic, or Operational
1. The risk element is an operational risk
when the risk element is a risk to the
project output (which should be
specified in a project definition/
delivery contract)that is, a risk to
the projects ability to deliver.
2. The risk element is a short-term
strategic risk when the risk element is

March 2010 Project Management Journal DOI: 10.1002/pmj



Categorizing Risks in Seven Large Projects

a risk to a functionality not clearly
specified in project definition/delivery contract, but necessary in order
to achieve the effects of the project
(restricted to the first-order effects
for the target group/users).
3. The risk element is a long-term
strategic risk when the risk element is
a risk to achieve the long-term objectives of the project but not a risk of
the two categories mentioned previously (i.e., operational or short-term
strategic risk).

The Study
Method and Subject of Study
For this study, a combined approach
was chosen, using both qualitative and
quantitative data-collection methods
(Creswell, 2003; Flyvbjerg, 2006). An
introductory interview for each project
provided insight into their differences
and similarities. Data were collected
from the risk registers in the projects
over a period of six months. Follow-up
interviews were conducted with selected persons in order to give better
insight into specific aspects brought to
light through the data analysis.
The main data source for this article
was the reports with data extracted
from the project risk registers. This has
been supplemented (to some extent)
with information from the interviews.
The projects studied may all be characterized as engineering and construction
projects, and they are all large projects
(i.e., projects with total costs of 100 million euros [M] or more).
The projects studied are in different
project phases, varying from one that
has not yet made all decisions on conceptual choices to one that is close to
takeover and start-up of production.
For the study, all identified risks
were categorized according to their
possible impact to the projects or the
organizations objective levels: operational, short-term strategic, and longterm strategic. A set of criteria was
established, making it possible to categorize the risks based on the information in the risk register.

The study was based on an extract of all
the seven projects risk elements, both
open and closed, as they occurred in
their risk registers at the end of
September 2008. Based on the descriptions given in these registers and the
criteria for the categories given in previous sections of this article, the risk elements were categorized. A summary of
the results is presented in Table 1.
Table 1 is based on a total of 1,313
risk elements registered in the seven
projects from April 2005 until September
2008. In all projects, the operational risks
are dominating the totals. This is particularly true in Projects B, D, and G
(9698%). In all projects, the long-term
strategic risks are making up a negligible
fraction (02%, overall 0.5%).

There are a number of possible
explanations as to why so few strategic
risks are identified, and in some projects almost none:
Strategic risks do not occur at this
Long-term strategic risks are not the
projects responsibility.
Strategic risks are mainly the asset
owners responsibility.
Strategic Risks Do Not Occur at This
Many issues have been resolved at earlier project stages. Most of the strategic

decisions have already been made, and

since many of the projects are developed as fast as possible, this has been
done quite recently. Or it may be
because the project context may simply
have a low complexity.
The results seem to correlate with
the assumption that strategic risks are
basically identified and dealt with at
earlier stages of the project. If this
assumption were true, then there
would be mainly operational risks
remaining to handle at later project
Long-Term Strategic Risks Are Not the
Projects Responsibility
Strategic risks may not have been perceived as the projects responsibility.
This may either have been communicated more or less explicitly by the project management (and/or risk management) function, or it may have been a
generally accepted view in the project. For some projects, ensuring project
efficiency, not effectiveness, may be the
main responsibility (Samset, 2003).
This is a matter regarding the focus of
the project team.
But if such risks should occur, they
should be identified as part of the
Project Risk Management process. This
should be done, even if it will not eventually be the project teams responsibility to take all actions necessary to close
the risk.

Type of Risk


Short-Term Strategic

Long-Term Strategic


























Table 1: Distribution of the 1,313 risks among risk categories.

March 2010 Project Management Journal DOI: 10.1002/pmj

Strategic Risks Are Mainly the Asset

Owners Responsibility
Many consider strategic risks to be mainly
a management concern (Mintzberg,
1994), and that the project team should
not be responsible for managing/
handling such risks. However, the project
teams unique position and usually deep
involvement in the project-development
process will often enable them to identify strategic risks earlier and more reliably
than most other actors.
Regarding the time aspect of risk
identification/management of the projects, time has not yet permitted any
deeper studies of the time aspect of risk
identification/managementthat is, to
study in detail different categories of
risks with regard to the project phase
when they are identified. For example,
further studies are needed to determine
whether more strategic risks really are
identified earlier in the projects. This
will be studied in further detail later on
in this study, and will be the main
theme of a subsequent article.
Strategic Risks May Have a Serious
Impact on the Project
There is much experience and many
examples indicating that strategic risks
may have a significant impact on the
success of projects (Miller & Lessard,
2000; Rolstads & Johansen, 2008;
Westney & Dodson, 2006). Strategic
risks may mean important changes
to project assumptions, introduce new
project assumptions, or introduce new
or changed conditions.
The results indicate that projects
should emphasize the identification of
more short- and long-term strategic
risks at all stages of projects. It may
be assumed that further handling/
management of some or all strategic
risks should not be the responsibility of
the project team (Cooke-Davies, 2002).
If so, the project must have efficient
procedures for identifying and forwarding these risk elements to the appropriate entity. This also implies that identifying these risks may be more important to project success than the identification of many operational risks.

For this study, all identified risks were
categorized according to their possible
impact to the projects objectives. An
operational set of criteria was established, making it possible to categorize
the risks based on the information
in the risk register.
In a study of 1,313 risk elements
identified in seven large projects, operational risks were making up a dominating part of the total number (90%).
Some possible reasons for this have been
discussed, and will be further explored in
forthcoming studies. Though strategic
risks are not commonly regarded as the
projects responsibility to manage, it is
in the asset owners interest that projects contribute in identifying strategic
risks. This is brought about by the fact
that such risks may present major
threats or opportunities for project success.

Further Work
Further studies based on the data gathered in this study should be focused on
how risks of different categories are
handled in the different projects studied, and at different stages of the projects. Further studies will also be made
regarding the involvement of actors
outside the project team, in particular
representatives from the project owner
(and company management).
Other investigations should be
made on the relation to project (budget)
sizea number of risks per million
spent factor may give some insight
into the risk management in the different projects. Number and type of risks
identified should also be related to the
duration of the projects.
All projects in the organization studied here are performed according to a
structured decision process model. In
this model, the projects at certain welldefined decision points are evaluated
to determine whether they should be
further developed or whether all further
development should be stopped. A further study focusing on number and type
of risks identified, relating this to the

projects decision points, is also a candidate for further studies.

Chapman, C., & Ward, S. (2003).
Project risk management: Processes,
techniques and insights. Chichester,
UK: Wiley.
Christensen, S., & Kreiner, K. (1991).
Prosjektledelse under usikkerhet [Project
management under uncertainty]. Oslo:
Cooke-Davies, T. (2002). The real
success factors on projects.
International Journal of Project
Management, 20(3), 185190.
Costa Lima, G. A., & Suslick, S. B.
(2006). Estimation of volatility of
selected oil production projects.
Journal of Petroleum Science and
Engineering, 54(34), 129139.
Creswell, J. W. (2003). Research design:
Qualitative, quantitative, and mixed
methods approaches. Thousand Oaks,
CA: Sage.
Duffy, P. J., & Thomas, R. D. (1989).
Project performance auditing.
International Journal of Project
Management, 7(2), 101104.
Flyvbjerg, B. (2006). Five misunderstandings about case-study research.
Qualitative Inquiry, 12, 219245.
Galbraith, J. R. (1977). Organization
design. Reading, MA: Addison-Wesley.
Gareis, R. (2005). Happy projects! Wien,
Germany: Manz Verlag.
Hartman, F. T. (2000). Dont park your
brain outside: A practical guide to
improving shareholder value with
SMART management. Newtown Square,
PA: Project Management Institute.
Hetland, P. W., Sandberg, F. H., &
Torsy, T. (2005). Communicating
uncertainties in major projectsA
struggle for existence to CEOs and presidents. Paper presented at the Offshore
Technology Conference. Retrieved
December 22, 2009, from http://www.

March 2010 Project Management Journal DOI: 10.1002/pmj



Categorizing Risks in Seven Large Projects

Hillson, D. (2004). Effective opportunity management for projects: Exploiting
positive risk. New York: Marcel Dekker.
Jaafari, A. (2001). Management of
risks, uncertainties and opportunities
on projects: Time for a fundamental
shift. International Journal of Project
Management, 19(2), 89101.

Pinto, J. K., & Slevin, D. P. (1987).

Critical factors in successful project
implementation. IEEE Transactions on
Engineering Management, 34(1), 2227.
Project Management Institute (PMI).
(2008a). Organizational project management maturity model: OPM3
(2nd ed.). Newtown Square, PA: Author.

Jergeas, G. F. (2008). Analysis of the

front-end loading of Alberta mega oil
sand projects. Project Management
Journal, 39(4), 95104.

Project Management Institute (PMI).

(2008b). A guide to the project management body of knowledge (PMBOK
guide). Newtown Square, PA: Author.

Karlsen, J. T. (2001). Hndtering av

prosjektets interessenter: En studie av
hvilke utfordringer og problemer prosjekter mter: Praktisk rapport
[Handling of project stakeholders: A
study of the challenges and problems
that projects meet]. Trondheim,
Norway: Norsk senter for prosjektledelse.

Project Management Institute (PMI).

(2009). Practice Standard for Project
Risk Management. Newtown Square,
PA: Author.

Kerzner, H. (2006). Project management: A systems approach to planning,

scheduling, and controlling. Hoboken,
NJ: Wiley.
Maytorena, E., Winch, G. M., Freeman,
J., & Kiely, T. (2007). The influence of
experience and information search
styles on project risk identification
performance. IEEE Transactions on
Engineering Management, 54, 315326.
Miller, R., & Lessard, D. R. (2000). The
strategic management of large engineering projects: Shaping institutions,
risks, and governance. Cambridge, MA:
MIT Press.
Miller, R., & Lessard, D. (2001).
Understanding and managing risks in
large engineering projects.
International Journal of Project
Management, 19, 437443.
Mintzberg, H. (1994). The rise and fall
of strategic planning. New York:
Prentice Hall.
Morris, P. W. G., & Pinto, J. K. (2004).
The Wiley guide to managing projects.
Hoboken, NJ: Wiley.
Moynihan, T. (1997). How experienced
project managers assess risk. IEEE
Software, 14(3), 3541.


Rolstads, A., & Johansen, A. (2008).

From protective to offensive project
management. Paper presented at the
PMI Global Congress 2008EMEA.
Samset, K. (1998). Project management in
a high-uncertainty situation uncertainty,
risk and project management in international development projects. Trondheim,
Norway: Norwegian University of Science
and Technology (NTNU).
Samset, K. (2003). Project evaluation:
Making investments succeed. Trondheim,
Norway: Tapir Academic Press.
Simister, S. J. (2004). Qualitative and
quantitative risk management. In P. W. G.
Morris & J. K. Pinto (Eds.), The Wiley
guide to managing projects (pp. 3047).
Hoboken, NJ: Wiley.
Taleb, N. N. (2007). The black swan:
The impact of the highly improbable.
London: Allen Lane.
Westney, R. E., & Dodson, K. (2006).
CAPEX VaR: Key to improving predictability [electronic version]. World
Energy Magazine, 9, 134138. Retrieved
December 22, 2009, from http://www.
Hans Petter Krane holds an MS in roads planning (civil engineering) and is currently a PhD
student at the Norwegian University of Science
and Technology (NTNU). His MS is from the

March 2010 Project Management Journal DOI: 10.1002/pmj

Department of Civil and Transport Engineering

at NTNU. He has more than 20 years experience
in Norwegian railway management, within a
variety of areas, such as rail infrastructure planning, train operations planning, and systems
development, among others. His academic interests include quality management, performance
management, and organizational and cultural
issues with a large impact on project results.

Asbjrn Rolstads is a professor of production

and quality engineering and vice dean for
research at the Faculty of Engineering Science
and Technology at the Norwegian University of
Science and Technology. He is a former member
of PMI Standards MAG and president of the
Norwegian Academy of Technical Sciences. He
has worked with project management for more
than 25 years and has made several studies on
project performance in large projects. He has
been managing two large national projects
involving cooperation between industry and
academia, and has extensive experience in consulting and training in industry. His main fields
are project performance and risk management.
He is president of the Norwegian Academy of
Technical Sciences. He serves on the editorial
board of a number of journals (including Project
Management Journal and the International
Journal of Project Management) and is the
founding editor of the International Journal of
Production Planning and Control. He is past
president of the International Federation for
Information Processing.

Nils O.E. Olsson is a senior research scientist,

specializing in project and performance management. He is also an adjunct professor in
project management at the Norwegian
University of Science and Technology. He has a
PhD from NTNU and an MSc from Chalmers in
Sweden. Recently, his main research focus has
been on project ownership and project flexibility. He has extensive experience as a consultant, research scientist, and manager. The consulting experience includes Ernst & Young
Management Consulting and Det Norske Veritas
(DNV). He has also coordinated major research