A Primer in Risk Management

November 12, 2019

The Project Management Institute identifies the five phases of a project as: initiating, planning, executing, monitoring and controlling, and closing. Running through these five phases are nine specific knowledge areas of project management that encompass processes, which, when properly implemented, assist in the successful completion of a project. Some of these knowledge areas include scope, schedule, quality, communication, and risk management.[1] Risk management is specifically identified as a distinct knowledge area, but that specific identification should not be misunderstood as being a stand-alone phase of the project. Rather, it is a knowledge area that spans all five phases of a project.

The Project Management Institute further defines risk as, “An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality.”[2] Risk management must therefore be an ongoing process of monitoring and implementing solutions throughout the course of a project. Project risk can be managed with the creation and application of a tool that attempts to identify all potential risks and then provide solutions to give front-line employees a structured approach to cope with unforeseen problems and opportunities. This tool is called a risk register and should be an integral part of every phase of a project.

A risk register is a “formal document used to identify, document, monitor, manage, and close each element of risk identified by the [project] manager and other staff involved in the delivery [of a project].”[3] In order to properly populate the risk register with representative and accurate risks and mitigation strategies, a thorough and thoughtful review must be completed by the project team during the planning phase of a project. That review should include the following four-step process:

  1. Risk identification
  2. Risk analysis
  3. Risk mitigation
  4. Risk controlling and monitoring[4]

The outputs of these reviews will be contained within the risk register and should be tracked as the project progresses.


The methodology and participants for the risk identification process can vary, from brainstorming with project team members, to soliciting views from experienced members within the organization, to engaging third-party consultants.[5] No matter what the makeup of the process, the goal is to identify all potential risks that might occur within every phase of a project. The Construction Management Association of America (CMAA) has defined five major phases of a construction project as: 1) pre-design; 2) design; 3) procurement; 4) construction; and 5) post-construction.[6] [7] The least-known and, therefore, greatest risks are present in the early phases of a construction project during the pre-design, design, and procurement processes. Special attention can be paid to the work processes contained within those phases because the ability to affect and influence a positive outcome early on will save the most resources, i.e., time and money, in the future.

A high-level technique for identifying the risks early in a construction project is to utilize the CMAA phases and examine the outputs and anticipated deliverables for each phase. For example, the pre-design phase is an owner-intensive portion of the project where the owner will have the most responsibility for deliverables to the project team. These deliverables can range from market studies to project financing to conceptual design documents. Identifying risks during this phase has the benefit of involving a project owner early in the process and ensures it reviews its responsibilities to the rest of the project team before more investment and expenditures occur.

The design phase shifts many deliverables to the design team and these deliverables can have serious deleterious effects on the project schedule downstream through late or incomplete design drawings. During this phase, a more integrated project approach for identifying risks can be taken as well because architectural and engineering drawing packages can focus the project team on what scopes of work construction will require.[8]

The last three phases of a construction project are probably the most intensive for the construction manager or general contractor as regards their input in identifying potential risks. The first of the three phases is procurement, during which the process of purchasing material and labor for the project occurs. Expensive and long lead items such as steel and specialty equipment should be purchased at this time and the risks associated with transportation to the site and possible subcontractor default can, and should, be identified. Also, procurement can serve as a back-check on the risks identified in the design phase to ensure an efficient transition to the final three phases.

Construction is the next phase where risks due to design changes or from unforeseen conditions can affect project time and costs. Also, items associated with worker safety and efficient sequencing and site logistics can be identified. The final phase is post-construction, which again can be owner-intensive, not only to resolve financial claims of all project participants, but also to execute a detailed turnover process with potential owner-initiated employee training, commissioning, and operations. The financial risks to the owner at this point of the project are great, not only through potential litigation or the attachment of liens to a newly constructed facility, but also through the inability to begin production or open to the public to begin producing revenue.[9]

If a project has a conceptual or baseline schedule, another means of identifying risk can be completed through reviewing the schedule’s work breakdown structure (WBS). By reviewing the WBS, the preliminary activity relationships will give the project team insight into how the project risks associated with one specific work task, or work stream, can affect simultaneous or follow-on work.[10] This approach is more focused than the general CMAA phases, because actual work activities can be identified through a well-developed WBS. Furthermore, the WBS can also serve as a checklist to ensure that all possible scenarios and risks are identified within the planned framework of the project schedule.[11] For example, within the design scope section of the WBS for an EPC project, exploratory geotechnical tests could reveal that there are ground conditions that were unexpected and might necessitate further exploration and a redesign of the initial engineering. This could lead to a total redesign of the geotechnical design package, which would then affect the foundations design package, and cascade through structural packages, procurement of the steel, steel erection, building dry-in, finishes, and installation of equipment. By using the WBS in conjunction with the preliminary schedule’s logic ties, the downstream effect of an identified risk could lead to a more thorough mitigation strategy.

Another means of identifying project risks would be through the use of building area nomenclature or workstreams. As an example, the atrium location of a building could be identified as critical because of specialty steel and glazing procurement requirements. Any delays associated with these activities could then affect installation activities and, in turn, building dry-in. An atrium area is typically an aesthetic focal point of a building that requires a high quality of finishes and timely turnover to the owner so it can carry out its FF&E activities. By identifying risks specific to a building area, realistic mitigation plans can be more readily crafted. In a manufacturing or process-oriented project, reviewing the risks associated with individual elements and stages of a work-stream could be beneficial to understanding how risks and potential delays at the front of the manufacturing line could affect pieces at the end of the line.

No matter what framework to identify risks is ultimately used, the risks identified through the risk identification process should then be given a unique identification number, which can optionally correspond to the WBS or building area, so it can be inputted into the risk register as it is being formed.


At the completion of the risk identification process, the newly identified risks need to be analyzed for their potential impact upon the project. “All risk analysis techniques serve the same function, which is to determine the expected loss (or gain) for a particular risk.”[12] The analysis should be conducted with one or two methodologies, either qualitatively and/or quantitatively, in order to determine a risk’s impact, probability, and criticality on the project.

A qualitative assessment is conducted by assigning an identified risk a probability of occurrence. This can be accomplished through simple verbiage such as high, medium, low, or assignment of a number such as 1-5, with 1 being a low occurrence and 5 being a certainty. Once the overall probability of the risk has been allocated, a further numerical assignment for a risk’s impact can be done following a similar scale of 1-5, with 1 being very low impact to 5 being a very high impact. For example, if the construction is planned for the US mid-Atlantic states, a hurricane might be classified as a low-probability event, with a very high impact.

As part of this qualitative assessment, the project management team should identify the potentially affected project areas such as cost, schedule, quality, and/or safety. These numerical assignments can then be entered into a formula with each area weighted according to the project management team’s discretion for an overall risk score. The project management team can then make a decision to track all of the identified risks or to potentially track only the items with the highest risk score in order to maximize its resources.[13]
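The scoring described above can be sketched as a small register calculation. This is an added example, not part of the original article: the field names, the formula (probability times the weighted average impact), the area weights and the sample risk entries are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    risk_id: str        # unique ID; could be keyed to a WBS code or building area
    description: str
    probability: int    # 1 = low occurrence ... 5 = certainty
    impact: dict        # affected area -> 1 (very low) ... 5 (very high)


def _check_scale(value, label):
    """Reject anything that is not on the 1-5 scale used in the register."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")


def risk_score(risk, weights):
    """Probability times the weighted average impact over the project areas.

    Areas missing from risk.impact count as unaffected (impact 0), so the
    score ranges from 0 to 25.
    """
    _check_scale(risk.probability, f"{risk.risk_id} probability")
    unknown = set(risk.impact) - set(weights)
    if unknown:
        raise ValueError(f"{risk.risk_id}: no weight for {sorted(unknown)}")
    for area, value in risk.impact.items():
        _check_scale(value, f"{risk.risk_id} impact[{area}]")
    total_weight = sum(weights.values())
    if total_weight <= 0:
        raise ValueError("weights must sum to a positive number")
    weighted = sum(weights[a] * risk.impact.get(a, 0) for a in weights)
    return round(risk.probability * weighted / total_weight, 2)


def rank_register(register, weights, track_top=None):
    """Return (risk_id, score) pairs, highest first; optionally only the top N."""
    ranked = sorted(((r.risk_id, risk_score(r, weights)) for r in register),
                    key=lambda pair: pair[1], reverse=True)
    return ranked if track_top is None else ranked[:track_top]


# Constructed sample data: the weights are set at the team's discretion.
WEIGHTS = {"cost": 4, "schedule": 3, "quality": 1, "safety": 2}
REGISTER = [
    Risk("R-001", "Hurricane, mid-Atlantic site", 1,
         {"cost": 5, "schedule": 5, "quality": 5, "safety": 5}),
    Risk("R-002", "Unexpected ground conditions found by geotechnical tests", 3,
         {"cost": 4, "schedule": 5}),
    Risk("R-003", "Default of specialty equipment subcontractor", 2,
         {"cost": 4, "schedule": 4, "quality": 2}),
    Risk("R-004", "Worldwide steel price increase", 4, {"cost": 5}),
]

if __name__ == "__main__":
    for risk_id, score in rank_register(REGISTER, WEIGHTS):
        print(f"{risk_id}  {score:5.2f}")
```

With these sample values the hurricane entry ranks last even though its impact is the maximum in every area, which is worth keeping in mind when only the highest-scoring items are tracked.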

If the project management team requires a more detailed analysis of the identified risks, a quantitative assessment can also be conducted. A well-known example of a quantitative assessment would be the Monte Carlo simulation. In order to appropriately run a Monte Carlo simulation (as well as other quantitative methods), historical hard data is required to accurately run the models. Using data collected from prior projects, the estimated probability of the risk occurrence can be computed using these methods.[14] This historical data should be assembled through the archiving and databasing of previous risk registers (that were properly tracked and updated) from completed projects to reflect whether previously identified risks occurred or not. This historical data can also be augmented with the institutional knowledge and the experience of the project team. The numerical results of this more detailed quantitative analysis can then be entered into the risk register under an additional column heading to distinguish them from risks analyzed through the qualitative approach.


Once the project risks have been identified and the probability of their occurrences have been assigned, the next and most important step is to develop a mitigation strategy for each project risk. The following are just some examples of risk mitigation techniques that can be implemented on a construction project: 1) avoid the risk; 2) reduce the risk severity; 3) contractually transfer the risk; 4) payment retention;[15] and 5) purchase insurance against the risk. In order to determine into which of these categories an identified risk best fits, the project management team can ask a series of questions about a proposed solution for an identified risk:

  1. Can it be feasibly implemented?
  2. What is the expected effectiveness?
  3. Is it affordable?
  4. Is the time available to develop the strategy?
  5. What effect will there be on technical performance?[16]

The answers to these questions will assist the project management team in crafting the proper response strategy to the identified risks.

The response strategies stated above are proactive measures that the project management team can implement before an identified risk occurs. For example, if a project management team identifies a risk such as known contaminated soils on a brownfield site, it can make the decision to either look for other suitable fill materials on the property or import new fill materials from a supplier to avoid the contaminated area altogether. This response would be an example of avoidance. An example of reducing the severity of a risk that has gone from an emerging technology to being nearly industry standard is the use of building information modeling (BIM). When an owner or contractor mandates the use of an integrated BIM model on a project, they are mitigating schedule and cost impacts for poorly coordinated structural and mechanical building elements. The act of integrating the CAD drawings from the design team, vendor, and subcontractor into one construction model spreads the risk through the multiple parties, thus reducing the risk of design quality being negatively affected by any one party, who would have formerly been working in a vacuum with their own design.

The construction contract and other contractual mechanisms are instruments that can be used for the transference response. For general contractors, the very act of subcontracting trade work is an example of the contractual transfer of project risk. Further examples of contractual mechanisms for risk transfer are payment and performance bonds required by owners and general contractors. These contractual instruments transfer the risk of financial loss due to subcontractor default or non-payment over to sureties. Finally, the use of retention of monthly requisition payments is a means to incentivize project entities to complete performance of their respective scopes of work. Generally, the construction industry standard is a 10 percent retention rate on monthly requisitions. However, that 10 percent can be raised if a general contractor has concerns over the ability of a subcontractor to complete a project (leaving a pool of money to complete if default occurs or incentivizing the contractor to complete 100 percent of its scope), or adjusted down as a bargaining carrot (if a contractor has performed well on a project and in order to motivate an accelerated finish).

Once the proper mitigation strategy has been selected for each identified risk, the next step is to delegate responsibility for the mitigation process to a project team member as an “owner” of the particular strategy. This strategy of ownership delegation could be to an individual project team member or to a project entity. The risk’s owner will be responsible for any preventive measures that might be required, as well as for identification of the triggering of the risk and alerting the project team that the event occurred.[17] Finally, the risk owner will be responsible for the implementation and management of the response plan after the event occurs. An example of this risk ownership could be the delegation to the purchasing department of the risk of worldwide steel price fluctuations for a megaproject with a vast quantity of structural steel. A preventive step could be the purchasing of steel commodity futures contracts, the triggering event would be a worldwide increase in the price of steel, and the response would be the execution of those option contracts and then managing the purchase and delivery of the steel to fabricators. Another example of this could be the delegation to the contracts manager of the risk of a potential default of an integral equipment specialty contractor. The preventive measures could be writing the subcontract with a requirement of a performance bond, the triggering event would be notice of subcontractor default from the project management team, and the response would be to ensure that all proper processes for notification and reservation of rights for enforcement of the performance bond are satisfied with the surety. A second preselected specialty contractor would be engaged to complete the scope.

The final piece of a risk mitigation strategy is the quantification of the identified risk in terms of schedule and cost impacts. The final two columns of the risk mitigation section of the risk register should estimate the minimum and maximum costs for the identified risk and the minimum and maximum schedule time savings or delay. These estimates should be quantified by the identified risk’s delegated owner. The values associated with the quantified impacts can be useful in the establishment of project contingency budgets and for detailed project schedule development. Also, if an identified risk is triggered during the project, the estimated cost values can be entered into project funding projections and the estimated schedule impact can be inserted into the then-current project schedule to diagnose its impact on the overall schedule as well as other interconnected identified risks. The risk mitigation section of a risk register is where the tool truly becomes useful when a triggering risk event occurs. Through the use of the mitigation section of a risk register, schedule and cost resources that would have otherwise been spent diagnosing and attempting to fix an unanticipated project issue midstream can either be retained, greatly diminished, or shifted to other areas of need for the project.


When the risk register is complete and populated, it is the responsibility of the project management team members, along with the identified risk owners, to track and update the identified risks in a timely manner. “As a result of their integrative nature, risk registers must be kept current and updated.” In order to do so, there should be regularly scheduled meetings with project stakeholders and the project management team to review the status of the risk register. Any changes to the response plan should be approved by the project team so that other identified risk owners are consulted on the impacts such a change to the mitigation plan may have upon their risk or mitigation plan. These revised risk registers should then be updated and disseminated to the project management team. For an item to be closed on the risk register, a formal report from the identified risk owner should be submitted to the project team with the input and sign-off from all of the project team and organizational department members involved with the mitigation strategy. Some of the required entities for sign-off might include quality control, contract administration, legal, accounting, or field operations.[18]

At the conclusion of the project, after all of the items of the risk register are closed, the project management team should take the risk register and enter the identified risks and associated outcomes into an organizational database. This database should be used not only for the historical data required for the quantitative analysis discussed above, but also to establish patterns in projects to see if there are operational, policy, or procedural changes that might need to be addressed as an organization. It can also be used to establish whether mitigation schedule and cost estimates proved to be correct, for use on future projects. A recently completed risk register should be the groundwork for a new register on the next project.

Risk is a component inherent to construction projects, with all of the moving parts and numerous disparate entities required to complete a project safely, on time and on budget. Risk is not something that can be simply wished away, or spent away for that matter. It must be managed. The risk register is a tool that any project team can use. It derives its strength through the institutional and personal knowledge of project team members and synthesizes that knowledge into strategies to foresee problems and have solutions ready should a deleterious event occur. A risk register should be an integral part of any construction project’s planning phase in order to establish a mindset of communication, project participant investment, and problem solving that will help in the execution of a successful construction project.

[1] A Guide to the Project Management Body of Knowledge (PMBOK Guide), 3rd Edition, Project Management Institute, 2004.
[2] A Guide to the Project Management Body of Knowledge (PMBOK Guide), 5th Edition, Project Management Institute, 2013.
[3] Krishna, R V. “Risk Management: What Contract Administrators Should Know.” Contract Management, April 2005.
[4] Zack, James G., Jr., and Brian C. Fox. “Hope is Not an Effective Risk Mitigation Technique.” Navigant Construction Forum, March 2012.
[5] Kerzner, Harold. Project Management: A Systems Approach to Planning, Scheduling, and Controlling, 9th Edition, 2006, p. 722.
[6] Construction Management Standards of Practice, 2010 Edition. Construction Management Association of America, p.105.
[7] Risk assessment within each of the Project Management Institute’s aforementioned five phases of a project (i.e., initiating, planning, executing, monitoring and controlling, and closing) can be applied to CMAA’s construction phases to ensure
[8] Ibid. p. 2.
[9] Construction Management Standards of Practice, 2010 Edition. Construction Management Association of America, p.105.
[10] Milosevic, Dragan Z. Project Management ToolBox – Tools and Techniques for Practicing Project Manager, 1st Edition, 2003, p. 291.
[11] Ibid. p. 3.
[12] Zack, James G., Jr., and Brian C. Fox. “Hope is Not an Effective Risk Mitigation Technique.” Navigant Construction Forum, March 2012.
[13] Lewis, James P. The Project Manager’s Desk Reference, 3rd Edition, p. 320.
[14] Zack, James G., Jr., and Brian C. Fox. “Hope is Not an Effective Risk Mitigation Technique.” Navigant Construction Forum, March 2012.
[15] Kerzner, Harold. Project Management: A Systems Approach to Planning, Scheduling, and Controlling, 9th Edition, 2006, p. 743.
[16] Zack, James G., Jr., and Brian C. Fox. “Hope is Not an Effective Risk Mitigation Technique.” Navigant Construction Forum, March 2012.
[17] Krishna, R V. “Risk Management: What Contract Administrators Should Know.” Contract Management, April 2005.
[18] Krishna, R V. “Risk Management: What Contract Administrators Should Know.” Contract Management, April 2005.