Question

Risk registers are a common part of professional practice in construction in identifying and analysing risk. Critically appraise the limitations of the risk register in effectively managing risks during the project delivery stage.

Answer 1

Given these two levels of risk exposure, any approach to risk management in projects needs to be able to answer the questions of both project manager and project sponsor. An effective Project Risk Management process should identify individual risk events within the project and enable them to be managed appropriately, and it should also provide an indication of overall project risk exposure. This second aspect is less well developed in current thinking and practice, although it is the subject of active development by leading practitioners (for example, Hillson & Simon, 2012) and professional bodies.

Managing risk effectively requires action at both levels. But the typical Project Risk Management process only addresses the lower level of individual risks within the project, which are recorded in the risk register. It is far less common to consider the overall risk exposure of the project as a whole, or to have any structured approach to managing risk at that higher level.

So how can overall project risk be identified, assessed, and managed? The simplest way to address overall project risk is during the pre-project or concept phase, when the scope and objectives of the project are being clarified and agreed. Here the project sponsor or owner defines the benefits that the project is expected to deliver, together with the degree of risk that can be tolerated within the overall project. Each decision about the risk-reward balance involves an assessment of overall project risk, representing the inherent risk associated with a particular project scope and its expected benefits. At this level, overall project risk is managed implicitly through the decisions made about the scope, structure, content, and context of the project.

Once these decisions have been made and the project is initiated, then the traditional Project Risk Management process can be used to address explicitly the individual risks that lie within the project. At key points within the project, it will be necessary to revisit the assessment of overall project risk to ensure that the defined risk thresholds have not been breached before returning to the ongoing task of managing individual risks within the project.

So, two levels of risk management are important for projects, as illustrated in Exhibit 2:

• Implicit risk management addresses overall project risk through decisions made about the structure, scope, content, and context of the project, particularly (though not exclusively) in the pre-project phase;
• Explicit risk management deals with individual project risks through the standard risk management process to identify, analyse, respond to, and control risks, mostly during the remainder of the project lifecycle.