Risk is defined as an uncertain event or condition that, if it occurs, has either positive or negative effects on project objectives (Hillson and Simon 2007; Project Management Institute 2008). Nowadays sound management of risk is a crucial determinant of the success of a project, because growing pressure to reduce time and costs has increased attention to the variability of actual quality, time, and cost performance compared to the expected one. It has been demonstrated that failure to deal with risk is the main cause of exceeding budgets, falling behind schedule, and missing performance targets (Carbone and Tippet 2004). In several industries, such as construction and information and communication technology, this situation is exacerbated because projects characterized by huge investments, long execution processes, many resources and stakeholders, and unstable economic and political environments introduce a high level of complexity (Guofeng, Min and Weiwei 2011).
Therefore, there is a strong need for assessing and controlling risk throughout all the phases of a project. Different perceptions, attitudes, and requirements have led to a variety of definitions and approaches. To be more precise, risk management processes and supporting techniques have been extensively developed and implemented in both literature and practice. The multitude of different methods calls for instruments suggesting under what circumstances each of them should be adopted, and criteria for choosing among risk techniques have been identified. However, these criteria usually take into account neither a comprehensive set of the peculiar characteristics of a project and of its surrounding environment nor the attitude of an organization towards risk.
The present work develops a theoretical taxonomy supporting the selection of risk management techniques. The classification is based on the significant features of the context of analysis derived from the study of literature about project and risk management (Association for Project Management 2004; Chapman and Ward 2003; Project Management Institute 2008): phase of the risk management process, phase of the project life cycle, and corporate maturity towards risk. This contributes to enhancing the knowledge about how to treat risky events and in turn to improving the risk knowledge management process, so that risk management processes can give the expected benefits. The research focuses on projects according to their general definition provided by the Project Management Institute: ‘A project is a temporary endeavor undertaken to create a unique product, service, or result. The temporary nature of projects indicates a definite beginning and end. The end is reached when the project’s objectives have been achieved or when the project is terminated because its objectives will not or cannot be met, or when the need for the project no longer exists’ (Project Management Institute 2008).
After discussing the pertinent literature, a set of dimensions reflecting the managerial and operational conditions characterizing a project is defined. Widely applied techniques to support project risk management are classified according to such framework. Finally, implications, ramifications, and future research directions are elaborated and conclusions are drawn.
With the aim of understanding the context of the work, this section presents the main processes for dealing with risk in projects together with the techniques they rely on and the available criteria for selecting such techniques. Also, the risk knowledge management process is introduced highlighting the necessity to improve it so that it can support effective risk management.
2.1 Processes for project risk management
Several contributions have developed systematic project risk management processes since the Nineties.
Project Uncertainty Management (PUMA) (Del Cano and De La Cruz 2002), Risk Analysis and Management for Projects (RAMP) (The Institution of Civil Engineers & The Faculty and Institute of Actuaries 2005), the Two-Pillar Risk Management (TPRM) process (Seyedhoseini and Hatefi 2009), the Active Threat and Opportunity Management (ATOM) process (Hillson and Simon 2007), Shape, Harness, And Manage Project Uncertainty (SHAMPU) (Chapman and Ward 2003), and Project Risk Analysis and Management (PRAM) (Association for Project Management 2004) have very similar structures and common goals. In fact, they could be summarised into three macro-phases. The first steps of these processes are aimed at understanding the characteristics and objectives of the project at issue and planning the risk management effort by deciding its level, scope, and purpose. The intermediate steps are intended to identify risks together with their causes, effects, and how they relate to each other, assess their probabilities of occurrence and impacts, prioritize them, devise risk response strategies, and establish contingency plans. The final steps are in general dedicated to carrying out the identified responses to risk, monitoring and refining them, identifying, evaluating, and treating new emerging risks as well as to communicating the results of the risk management process and recording all the knowledge, experience, and lessons learned during its implementation.
However, there are also processes, such as the Multi-party Risk Management Process (MRMP) (Pipattanapiwong and Watanabe 2000) and the risk management process developed by the Project Management Institute (Project Management Institute 2008), that just include activities related to risk identification, qualitative and quantitative analysis, and response and do not present phases specifically aimed at clarifying project goals or formalizing the knowledge acquired during risk management.
2.2 Risk management techniques and their classification criteria
Each risk management process requires specific tools to be applied. To this end, a great variety of techniques have been developed in literature: the most widely adopted ones are presented in Table 1.
Table 1. Risk management techniques
The reviewed techniques have different goals. For example, some of them are aimed at evaluating multiple scenarios, depending on which risky events occur, such as Decision Tree Analysis, Expected Monetary Value, Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis, SWIFT Analysis, and What-if Analysis. Other techniques, instead, focus on the investigation of origins and implications of risky events in order to establish chains of causes and consequences. They include Cause and Effect Diagram or Cause Consequence Analysis, Event and Causal Factor Charting, the 5 Whys Technique, Event Tree Analysis (ETA), Fault Tree Analysis (FTA), and Human Reliability Assessment among others.
Multiple aspects may be taken into account when choosing among techniques for managing risk in a project.
A commonly used criterion looks at the nature of the information that is available. Qualitative techniques require qualitative information and present results in the form of descriptions and recommendations, while quantitative techniques rely on quantitative information and numerically analyze the occurrence and effects of risks (Project Management Institute 2008). Another criterion suggests selecting techniques according to the subject of the information needed by a project (Association for Project Management 2004).
Also, the nature, size, complexity, degree of innovation, and phases of the life cycle of a project determine which techniques should be used. In particular, risk management is crucial in the planning stage of a project and its scope and depth increase as the project moves towards the execution phase, while they decrease in the termination phase (Chapman and Ward 2003).
Furthermore, every single phase of a risk management process implies a different level of information and detail, thus requiring proper techniques (Hillson 2004).
The goal of the risk analysis, for instance, monitoring economic and financial outcomes, checking quality variance, or tracking time delays, may also be a criterion for identifying appropriate risk management techniques (Kmec 2011).
Finally, techniques supporting risk management need appropriate levels of corporate maturity in order to yield the expected benefits and this may constitute a further criterion according to which they can be selected (Del Cano and De La Cruz 2002).
2.3 The risk knowledge management process
Besides the processes presented in Section 2.1, a further one is acquiring prominence in risk management, namely the knowledge management process (Botet 2012; Macgillivray et al. 2007).
Nowadays, creating, maintaining, transferring, and increasing knowledge is of paramount importance to efficiently deal with the complexity of projects (Disterer 2002). This is even more relevant when addressing risks because of the high variability and the scarce available information.
Nevertheless, managing data, information, and in general the knowledge generated during the life cycle of a project is a difficult task and an inappropriate way of doing that may be a cause of failure. In particular, projects are often organized in ways that create information disconnects, thus leading to very poor communication about risk, in the same way as it happens in many other fields (Smillie and Blissett 2010; Tah and Carr 2001; Thompson and Bloom 2000).
Several techniques exist in literature to assist in extracting information and data from multiple and heterogeneous sources and organizing them to increase risk knowledge. The most common example is given by expert judgement elicitation, where the term expert refers to those people to whom special knowledge about specific issues is attributed and from whom it is possible to obtain information that is useful for risk investigation. They are also named ‘specialists’, as opposed to ‘generalists’, who collect and integrate the information from the specialists (Le Coze, Salvi and Gaston 2006). Elicitation of implicit expert knowledge is a core component of qualitative risk assessment by means of, for instance, Delphi or SWOT analysis, where it is used to define probability distributions for the occurrence and the impact of risky events.