Vous êtes sur la page 1sur 7


Project Risk

Leadership Series 9


About the Leadership Series

KPMG’s Project Advisory Leadership Series is targeted towards owners of major capital programmes, but
its content is applicable to all entities or stakeholders involved with major projects. The intent of the Project
Leadership Series is to describe a framework for managing and controlling large capital projects based
on the experience of our project professionals. Together with our simplified framework, we offer a sound
approach to answer the questions most frequently asked by project owners.

Project risk management

Project risk management is frequently overlooked yet is one of the more critical elements
to successful project delivery. Generally, delivering a project’s defined scope on time and
within budget are characteristics of project success. Unfortunately, these success factors are
often not achieved, especially for large complex projects where both external influences and
internal project requirements may change significantly over time. Project risk management is
a continuous process of identifying, analysing, prioritising and mitigating risks that threaten
a projects likelihood of success in terms of cost, schedule, quality, safety and technical
performance. Organisations and owners often consider project risk management activities as
“nice to have” on a project rather than as a core component of project controls. Additionally
there is some confusion between organisations and project teams as to what exactly
constitutes risk management activities.
In this paper, we provide a standard
framework for risk management and
discuss implementation techniques for
projects of all types and sizes. This should
provide you with a better understanding
of how to address the following challenges:

»» Do we have a comprehensive project

risk management policy?
»» What elements of project risk
management are necessities for our
organisation to implement?
»» How do we balance the requirements
and controls of a risk management
programme with efficient and
streamlined project execution?
»» Are our current project risk management
procedures effective at mitigating
project risk?
»» How do we align our project specific
risk management activities with our
enterprise risk management objectives?
»» What are some key questions we should
be asking about project risks throughout
the project lifecycle?

Defining project risk management

The objective of project risk management

is to understand project and programme
level risks, minimise the likelihood
of negative events and maximise the
likelihood of positive events on projects components, which should be scalable »» Available resources (staffing, budgets);
and programme outcomes. Project risk to the specific project’s size and type:
management is a continuous process »» Preferred reporting and
that begins during the planning phase 1. Strategy and planning; communication protocols; and
and ends once the project is successfully 2. Risk identification; »» The organisation’s strategic objectives.
commissioned and turned over
to operations. 3. Analysis (quantitative and qualitative); Strategy and planning activities include:

Construction owners, project teams and 4. Response planning; and »» Assigning roles and responsibilities
contractors often define and apply risk 5. Monitoring and control. related to risk management activities;
management activities differently on a identifying and defining requirements
project. Owners may use informal or ad 1. Strategy and planning for project stakeholders regarding risk
hoc practices, such as stage gate approval, management activities;
Strategy and planning activities set
that they interpret as risk management »» Establishing common risk categories for
the foundation for a risk management
activities, contractors may define risk identified risks. Categories can wither
programme and ultimately determine
management as tracking potential be based on common industry risks
whether the initiative is successful.
change orders, and project teams may or on the organisations risk categories
During the strategy and planning phase
express the view that “everything we do (e.g. construction, financial, operations,
an organisation will define how risks are
is risk management”. While all of these governance etc); and
addressed and managed. Strategy and
activities help to identify and manage
planning should take into consideration: »» Developing a risk matrix and assigning
discrete elements of project risk, they
do not fully describe a comprehensive »» Corporate or enterprise-wide risk risk ratings to identify risks. The risk
approach to project risk management. A management guidelines (including matrix should define risk ratings based
comprehensive project risk management tolerance level for risk); on probability and impact by taking into
approach should have the following account the organisations risk tolerance.
2. Risk identification 3. Analysis 4. Response planning

Risk identification is the identification of all The analysis phase determines the Response planning is the phase where
possible risks that could either negatively or likelihood and impact of each identified the project team develops response
positively affect the project. It is important in risk and prioritises risks for management actions and alternative options to reduce
the risk identification process to solicit input attention. Successful risk analysis requires project risks. Project teams use response
from all project stakeholders including those objective thinking and input from those planning to decide ahead of time how they
outside of the core project team. Potential most familiar with the area affected by the will address possible risk occurrences and
contributors to risk identification include: possible risk. Analysis is typically a two- how they will avoid, transfer, mitigate or
step approach: accept project risks. Response planning
»» Project team members (planners,
must take into consideration available
engineers, architects, contractors etc);
Step 1 – Qualitative analysis resources and potential repercussions
»» Risk management team members; of the response plans. The goal of
For the qualitative analysis, the project
»» Subject matter professionals response planning is to align risks with
team assigns a priority level (e.g high,
(IT, Safety, Legal etc); an appropriate response based on the
medium, low) to each risk. The priority level
severity of the risk along with cost, tie and
»» Customers (internal and external); should be aligned with the organisations
feasibility considerations. Risk response
risk management plan, risk tolerance level
»» End users; and planning includes:
and other organisational objectives. The
»» Organisation management priority levels can be used to rack the risks »» Assigning responsibility for identified
and leadership. on the risk register and develop efficient risks to appropriate project team
response plans that focus attention on members or stakeholders. It is
Successfully capturing all project risks
items with a higher priority. It is important imperative that the assignment takes
increases with frequent communication
to identify all potential risks that will into consideration the individual’s
and feedback amongst team members
require follow up by the project team. capability to address specific risk areas.
and stakeholders. These discussions
Assigning a risk to someone who has
should attempt to identify inaccuracies,
Step 2 – Quantitative analysis little or no knowledge of a risk area is
inconsistencies and assumptions regarding
not an effective risk planning approach.
the project. The resulting product of these For the quantitative analysis, the project
working sessions should be the initial list of team assigns a most likely cost value to »» Developing a response plan to address
identified risks. each identified risk. This value takes into the identified risk. This process should
consideration both the probability and be iterative and include all stakeholders
From the initial list of identified risks, a risk
potential impact of the risk event occurring. affected by the risk. Common options for
register or log can be populated to ensure
Determining probability and impact can a response include:
that all risk items are analysed, prioritised
and monitored. Risk registers should typically result from a variety of exercise including: ÌÌ Avoidance – modifying the project plan
include the following fields: »» Interviews – gathering impact and to avoid the potential condition
probability data for a range of scenarios or occurrence
»» Risk type;
(e.g optimistic, most likely and ÌÌ Transference – shifting the
»» Description; pessimistic) consequences and responsibilities
»» Cost impact; »» Decision trees – comparing the associated with the risk to a third
»» Probability; probability of risks and rewards party (often accomplished by
between various decisions contractual agreement)
»» Risk level;
»» Model simulations – conducting a ÌÌ Mitigation – taking preventative
»» Possible responses; and project simulation in order to quantify action to reduce the probability of risk
»» Action owner. potential impacts to the project. occurrence or impact on the project
ÌÌ Acceptance – proceeding as planned
and accepting the outcome of a risk.
»» Finalising and documenting the various
risk responses identified by each
responsible party. The plan should
clearly define the agreed upon response
for a risk, the responsible party, results
from both the quantitative and qualitative
analysis and a budget and timeframe for
the risk response.
5. Monitoring and control

The final step of risk management is if monitoring and control reveals that an the project. However, without a risk
monitoring and control. This process should identified risk is unlikely to materialise, management diminished. The two case
be set up to track potential risks, oversee the the plan can be adjusted to re-prioritise studies below help demonstrate the
implementation of risk plans, and evaluate the risk to a lower level. value and benefit of a comprehensive
the effectiveness of risk management risk management process.
procedures. Monitoring and control should Potential benefits of risk management
occur throughout the project lifecycle and Embedding risk management into
Although a well designed and well executed
help improve and guide the overall risk day-to-day activities
risk management process can significantly
management process. This step should: reduce the risk of failure, the benefit of Effective risk management is typically
»» Equip management and the project team performing a comprehensive risk analysis achieved when an organisation undertakes
to make informed decisions regarding risk; may be costly and burdensome for smaller an active commitment to integrating risk
projects with limited complexity. As noted management into their project protocols
»» Evaluate the effectiveness of risk
earlier in this paper, risk management and controls. Primary considerations for
response actions; and
processes should be scalable to the size and an organisation to establish an effective
»» Identify risk characteristics that appear to complexity of an organisations programme plan include:
have changed from what was documented or project. To achieve this, an organisation
»» Allotting appropriate resources to
in earlier identification and analysis stages. should consider defining a baseline set of
perform risk management activities;
procedures to apply to all projects along
Monitoring and control is essential
with more rigorous set of procedures for »» Creating an environment that embraces
for maintaining effective and efficient
high-value, complex projects. and promotes risk management
risk management, it is a barometer for
and actively encourages and pursues
determining how well your risk management The value of risk management has
risk management at all levels of the
plan is designed. If monitoring and control traditionally been a difficult concept
organisation; and
reveals certain risks are not being mitigated to quantify. Many organisations and
or avoided as planned, then an adjustment project teams understand the risks as »» Clearly defining and training personnel
can be made to the response plan. Likewise, they impact their respective roles on on risk management controls.

CASE STUDY 1 – New medical office building- $30 million

Risk description: In order to commission the building at the completion of construction, the
utilities needed to be connected to the utility system (gas and electric). Throughout the project,
the team could not get a commitment from the utility company for when they would complete the
connection. This risk was never communicated beyond the project team and there was no analysis
of the impact for a delay or an alternative plan developed to address the risk.

Impact: The risk ultimately did occur and resulted in the need for temporary generators,
an increase in the contractor’s general conditions and several months delay to the
project completion.

CASE STUDY 2 – New bridge construction - $600 million

Risk description: During the design and planning stages of the project, a decision was made to
rely on a geotechnical report that was 30+ years old and in a different location than the planned
bridge foundations. The engineers designing the bridge understood this as a risk; however there
was no process in place to capture this risk and quantify or communicate the risk to project
leadership or to the team responsible for managing the construction phase of the project.

Impact: The bedrock in the actual location of the bridge foundations was substantially different
than the geotechnical report indicated. This resulted in a complete redesign of the foundations
and several months delay on the project. The financial impacts were greater than $30 million.
This In both case studies, the risks were well known by the project teams and could have been
specific avoided or mitigated if a risk management process would have been in place. Having a risk
cts. management process would have allowed the organisations to track, quantify, plan and
communicate the risks to individuals with the capability to help mitigate or avoid the risk.
Developing a risk management process

Training is the keystone to any risk

management plan. Without a formal
training effort, a risk management
approach will most likely not be embraced
or followed. Not only should training occur
at the inception of the policy but it should
also include:

»» On-boarding for new hires;

»» Regular “brown bag” or informational
Many companies set up separate project management organisations
session to review any lessons learned,
(PMO’s) to manage the unique risk of major capital programmes. This
updates to policy, or identified
leading practices; and TIP assists the organisation in aligning dedicated resources with the specific
skill sets and team structure to manage major construction projects.
»» Required refresher sessions to
maintain staff awareness of the risk
management policies and procedures
and to emphasise the organisations CONCLUSION
commitment for risk management.
Training is often forgotten aspect of A well defined risk management process can help to greatly increase project and
policy implementation; however this is programme success. However, risk management has traditionally been overlooked
a particularly crucial function to establish and is considered by many of the more fuzzy areas of project management. At a
an effective risk management approach. minimum, organisations with significant capital expenditures should clearly define
Often overlooked training is crucial their procedures and expectations for risk management, communicate its importance,
for informing employees about the adequately train its personnel, and monitor high risk projects for compliance with risk
importance of risk management and management procedures.
its various elements.
About KPMG Project Advisory

KPMG’s Project Advisory services are KPMG applies leading concepts Project Advisory Services can assist
objective, professional approaches to and practices, supported by: organisations to generate significant
managing the many risks associated › Experienced practitioners cost savings by minimising poor
with major change: risks that involve selection decisions, costly overruns,
› Recognised best practices
complexity, technology, governance, misalignment with business needs,
selection and management of vendors › Effective tools and templates poor quality deliverables and
and partners, implementation of › International standards failed projects.
solutions and acceptance of change › Built-in knowledge transfer
throughout the organisation.

Our project advisory services include


ASSURANCE (IQA) AND MONITORING Advisory and Assistance services help
Is your project or programme on track? These services provide a highly focused, organisations to develop appropriate
Are the key risks and issues being activity-based approach to project risk processes and capabilities to achieve
effectively managed and addressed? management. They provide management this aim. We provide practical guidance
Independent Quality Assurance is with an objective and independent for conducting capability development,
KPMG’s approach to providing objective, assessment of the risks associated maturity assessments and performance
practical and open feedback to senior with a business initiative, programme or reviews. Our methodology provides a
executives, independently assessing project, and evaluate the effectiveness flexible, comprehensive approach that
project status, risks and issues. Advice of planned or implemented controls to can help our clients achieve their goals.
is provided by experienced staff who mitigate the risks.
are not part of the delivery team. PROGRAMME MANAGEMENT
AND PROJECT MANAGEMENT KPMG professionals help you identify the Assistance is intended to help our
(P3M) PRACTICES measurable business changes that you clients develop the processes to
P3M provides services for the purpose will to see at the successful completion support a Programme Management
of designing or evaluating portfolio, of your project and to tie these into Office. We assist with the development
programme, or project management an effective Benefits Management of a client’s programme office processes
practices. The objective is to assist and Realisation strategy which can and facilitate communication across
in implementing or improving P3M be referenced in your Business Case. client leadership to help make sure that
practices to reduce project costs, Even for projects where outcomes are enterprise programme initiatives are
increase project success and create an “enabling” or “intangible”, our Project aligned with the organisation’s business
organisational P3M support environment Advisory team will be able to assist with strategies. The focus of the PMO is to
which is valued by internal and external the identification of proxy indicators increase project visibility across client
stakeholders alike. and benefit relationships to support the leadership in order to help achieve
approval of your Business Case and its strategic programme performance.
LARGE PROJECT AND PROGRAMME successful delivery.
This cornerstone service of KPMG’s PORTFOLIO MANAGEMENT Our practitioners know that successful
Advisory practice is designed to Effective portfolio management helps projects are the result of clear vision,
address the full lifecycle of a project or large organisations make sound careful planning, and meticulous
programme, providing an integrated decisions by prioritising the deployment execution.
approach to managing large initiatives of scarce resources to change initiatives
Bottom line: Project Advisory services
– the result: significant efficiencies and and maximising their value to help
drive speed and effectiveness of change
enhanced outcomes. The methodology achieve the organisation’s strategy.
within your organisation by reducing
incorporates concepts from well-known Organisations operate in increasingly
costs and increasing success.
risk, benefits, project and quality dynamic environments, which often
management disciplines to help make it a struggle to satisfy fluid
companies achieve the results they business requirements.
expect during every phase of a large
project or programme.
Leadership Series

Please look for important topics covered

by our Project Advisory Leadership Series
in the coming months:

»» A three part mini series on: How to

successfully manage your major projects
»» Integrated project delivery
»» Building a foundation for a project
health check
»» Effective reporting for construction
projects: increasing the likelihood of
project success
»» Handling labour risk in construction

Contact us

Gina Barlow Perry Woolley

Director Director
Project Advisory Project Advisory
T: (04) 816 4798 T: (09) 367 5960
E: gbarlow@kpmg.co.nz E: pwoolley@kpmg.co.nz

Chris Dew Harriet Dempsey

Partner Associate Director
Project Advisory Project Advisory
T: (09) 363 3230 T: (04) 816 4883
E: cdew@kpmg.co.nz E: harrietdempsey@kpmg.co.nz


© 2014 KPMG, a New Zealand partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss
entity. All rights reserved. Printed in New Zealand. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely
information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without
appropriate professional advice after a thorough examination of the particular situation. 00403