On the Frontlines: Risk Management for Projects

Usually activities in the audit universe that are riskier get priority in the audit plan — and they might need to be audited more frequently. These factors can clarify why it is mandatory, as per the International Standards for the Professional Practice of Internal Auditing, to build a risk-based audit plan. As per IIA Standard 2010.A1, “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually.”

Important Risk Management Considerations

While conducting the risk assessment exercise, an in-depth understanding of residual and secondary risks, as well as common risk strategies, can be very helpful. The four common risk strategies (risk mitigation, acceptance, avoidance, and sharing/transferring) are developed and applied by the management, while internal audit’s role is to assess the effectiveness of such strategies to handle the risks.

The following risk management considerations can be helpful in any industry, especially when it includes project management activities. An emphasis has been placed on the construction industry by giving practical, illustrative examples. Proper risk management can be one of the major tools that ensures a successful project. With the huge increase in the number of construction projects around the globe, it’s becoming imperative to fully understand these concepts.

Residual and Secondary Risks

Residual Risks. Risk assessments are concerned with residual risks after considering the controls already in place. Residual risk is defined by the Project Management Institute as “The risk that remains after risk responses have been implemented.” Sometimes the controls themselves can be assessed by comparing the difference between the assessed inherent risk and the resulting residual risk after applying the controls, which can show the criticality and significance of such controls. 

Example: Project delays are an inherent risk in the construction industry. One of the controls for this is regular monitoring through weekly or monthly progress reports. Another control is having a recovery plan that involves fast-tracking by making activities concurrent or by what’s known as “crashing” — increasing the construction resources. When assessing the residual risk of project delay, the effectiveness of these controls needs to be considered.

Secondary Risks. This type of risk is usually ignored during risk assessment to avoid complicating the exercise. However, this can result in adverse outcomes. Secondary risks are defined by the Project Management Institute as “risks that arise as a direct result of implementing a risk response.”

Example: As a result of a project delay, the previously explained control of project crashing can be implemented by increasing construction resources. This can be achieved by introducing multiple shifts, adding more workers to the project, or increasing the amount of equipment, which can lead to an acceptable residual risk. However, the secondary risk of having a budget overrun will arise as a result of using this risk response to control the risk. Thus, such secondary risks need to be properly considered while conducting a risk assessment.

Risk Strategies

Risk mitigation. This type of strategy can work on either the likelihood or impact. For instance, having an effective vendor shop inspection to witness factory acceptance tests before shipping equipment to construction sites reduces the probability of delivering malfunctioning equipment. On the other hand, having backup equipment (such as electric generators) at the project site reduces the impact of having a sudden malfunction of the equipment. Both examples are risk mitigation strategies that can be applied in the construction industry.

Risk acceptance. Knowing the risk appetite/risk threshold is a must to be able to properly implement this strategy. For example, a project budget that includes a contingency reserve for the known risks and a management reserve for the unknown risks is extremely helpful to be able to decide whether to accept certain risks and apply this risk strategy.

Risk avoidance. Deciding to take on a narrower scope in a construction project instead of working on it from start to finish (through engineering, procurement and construction) can result in avoiding the risks associated with the full scope. Also, avoidance of certain scopes that might represent a special risk (such as mechanical, electrical, and pumping in construction) and deciding to have only a specific scope is considered a risk avoidance strategy. Another good example for risk avoidance is avoiding certain risks based on the type of contract. For example, a lump sum contract is risker to the contractor and less risky to the owner versus a cost-plus contract.

Risk sharing/transferring. Engaging in a joint venture with another organization in a construction project is a clear example of applying the risk sharing strategy. Each joint venture partner can have an equal share — or different percentages can be agreed upon based on capabilities. On the other hand, having subcontract agreements represents an obvious example of the risk transfer strategy. In this example, the main contractor transfers the risks associated with a certain scope to a subcontractor by having back-to-back conditions between the project prime contract and the subcontract. It should be noted, however, that such a transfer of risk doesn’t mean that the main contractor isn’t still fully accountable for this scope. Thus, a proper due diligence needs to be applied in the process of selecting a subcontractor, and an effective monitoring process needs to be in place during the execution. 

It is worth mentioning that these strategies and concepts can be applied in any project and not necessarily only construction projects. IT projects, for example, use the same risk strategies to handle project risks. These techniques will ultimately lead to maximizing opportunities and minimizing threats.