With the aim of understanding the context of the work, this section presents the main processes for dealing with risk in projects together with the techniques they rely on and the available criteria for selecting such techniques. Also, the risk knowledge management process is introduced highlighting the necessity to improve it so that it can support effective risk management.
2.1 Processes for project risk management
Several contributions have developed systematic project risk management processes since the Nineties.
Project Uncertainty Management (PUMA) (Del Cano and De La Cruz 2002), Risk Analysis and Management for Projects (RAMP) (The Institution of Civil Engineers & The Faculty and Institute of Actuaries 2005), the Two-Pillar Risk Management (TPRM) process (Seyedhoseini and Hatefi 2009), the Active Threat and Opportunity Management (ATOM) process (Hillson and Simon 2007), Shape, Harness, And Manage Project Uncertainty (SHAMPU) (Chapman and Ward 2003), and Project Risk Analysis and Management (PRAM) (Association for Project Management 2004) have very similar structures and common goals. In fact, they could be summarised into three macro-phases. The first steps of these processes are aimed at understanding the characteristics and objectives of the project at issue and planning the risk management effort by deciding its level, scope, and purpose. The intermediate steps are intended to identify risks together with their causes, effects, and how they relate to each other, assess their probabilities of occurrence and impacts, prioritize them, devise risk response strategies, and establish contingency plans. The final steps are in general dedicated to carrying out the identified responses to risk, monitoring and refining them, identifying, evaluating, and treating new emerging risks as well as to communicating the results of the risk management process and recording all the knowledge, experience, and lessons learned during its implementation.
However, there are also processes, such as the Multi-party Risk Management Process (MRMP) (Pipattanapiwong and Watanabe 2000) and the risk management process developed by the Project Management Institute (Project Management Institute 2008), that just include activities related to risk identification, qualitative and quantitative analysis, and response and do not present phases specifically aimed at clarifying project goals or formalizing the knowledge acquired during risk management.
2.2 Risk management techniques and their classification criteria
Each risk management process requires specific tools to be applied. To this end, a great variety of techniques have been developed in literature: the most widely adopted ones are presented in Table 1.
Table 1. Risk management techniques
The reviewed techniques have different goals. For example, some of them are aimed at evaluating multiple scenarios, depending on which risky events occur, such as Decision Tree Analysis, Expected Monetary Value, Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis, SWIFT Analysis, and What-if Analysis. Other techniques, instead, focus on the investigation of origins and implications of risky events in order to establish chains of causes and consequences. They include Cause and Effect Diagram or Cause Consequence Analysis, Event and Causal Factor Charting, the 5 Whys Technique, Event Tree Analysis (ETA), Fault Tree Analysis (FTA), and Human Reliability Assessment among others.
Multiple aspects may be taken into account when choosing among techniques for managing risk in a project.
A commonly used criterion looks at the nature of the information that is available. Qualitative techniques require qualitative information and present results in form of descriptions and recommendations, while quantitative techniques rely on quantitative information and numerically analyze the occurrence and effects of risks (Project Management Institute 2008). Another criterion suggests selecting techniques according to the subject of the information needed by a project (Association for Project Management 2004)
Also, the nature, size, complexity, degree of innovation, and phases of the life cycle of a project determine which techniques should be used. In particular, risk management is crucial in the planning stage of a project and its scope and depth increase as the project moves towards the execution phase, while they decrease in the termination phase (Chapman and Ward 2003).
Furthermore, every single phase of a risk management process implies a different level of information and detail, thus requiring proper techniques (Hillson 2004).
The goal of the risk analysis, for instance, monitoring economic and financial outcomes, checking quality variance, or tracking time delays, may also be a criterion for identifying appropriate risk management techniques (Kmec 2011).
Finally, techniques supporting risk management need appropriate levels of corporate maturity in order to yield the expected benefits and this may constitute a further criterion according to which they can be selected (Del Cano and De La Cruz 2002).
2.3 The risk knowledge management process
Besides the processes presented in Section 2.1, a further one is acquiring prominence in risk management, namely the knowledge management process (Botet 2012; Macgillivray et al. 2007).
Nowadays, creating, maintaining, transferring, and increasing knowledge is of paramount importance to efficiently deal with the complexity of projects (Disterer 2002). This is even more relevant when addressing risks because of the high variability and the scarce available information.
Nevertheless, managing data, information, and in general the knowledge generated during the life cycle of a project is a difficult task and an inappropriate way of doing that may be a cause of failure. In particular, projects are often organized in ways that create information disconnects, thus leading to very poor communication about risk, in the same way as it happens in many other fields (Smillie and Blissett 2010; Tah and Carr 2001; Thompson and Bloom 2000).
Several techniques exist in literature to assist in extracting information and data from multiple and heterogeneous sources and organizing them to increase risk knowledge. The most common example is given by expert judgement elicitation, where the term expert refers to those people to whom special knowledge about specific issues is attributed and from whom it is possible to obtain information that is useful for risk investigation. They are also named ‘specialists’, opposite to ‘generalists’ who collect and integrate the information from the specialists (Le Coze, Salvi and Gaston 2006). Elicitation of implicit expert knowledge is a core component of qualitative risk assessment by means for instance of Delphi or SWOT analysis, where it is used to define probability distributions for the occurrence and the impact of risky events.