7 Risk

E
verything we do from getting out of bed in the morning to returning there at night carries
risk. Come to think of it, even lying in bed can be risky. It is not surprising that projects, which
metaphorically (and sometimes literally) break new ground, attract many risks. Project risks
can be predictable or completely unforeseeable. They might be caused by the physical elements
or they could be political, economic, commercial, technical or operational in origin. Freak events
have been known to disrupt projects, such as the unexpected discovery of important archaeological
remains or the decision by a few members of a rare protected species to establish their family home
on what should have been the site of a new project.
The potential effects of risks range from trivial inconvenience to project disaster. Project risk
management (and much of mainstream project management) is concerned with attempting to
identify all the foreseeable risks, assessing the chance and severity of those risks, and then deciding
what might be done to reduce their possible impact on the project or avoid them altogether.

INTRODUCTION TO PROJECT RISK MANAGEMENT

Risks can occur at any stage in a project. Some are associated with particular tasks and others originate
from outside the project and can manifest themselves without warning. Generally speaking, a risk
event that occurs late in a project can be more costly in terms of time and money than a similar
event nearer the start of the project. That is because as time passes there will be a greater value of
work in progress and higher sunk costs at risk of loss or damage.
Some projects, because they are small or similar to projects that the contractor has undertaken
in the past, might not need special attention to risk management other than considering some of
the insurance issues discussed later in this chapter. However, for any project that breaks new ground
or is complex and large, a risk management strategy must be developed, first to identify as many
potential risks as possible and then to decide how to deal with them.
For very large projects it might be necessary to appoint a risk manager, who can devote all or most
of his or her time to ensuring that a comprehensive risk strategy is put in place and then reviewed
from time to time throughout the project to ensure that it remains valid. If a project support office
exists (see Chapter 11) that is a logical place for the risk management function to reside.
Project risk management is a complex subject. Even the classification of risks is not straightforward
and can be approached in different ways. There are several techniques for assessing and dealing with
project risks, some of which are shared with other management disciplines (particularly with quality
management and reliability engineering). This chapter will outline a few of the methods commonly
used.
PROJECT MANAGEMENT

IDENTIFYING THE POSSIBLE RISKS

It is almost certain that some tasks will not be completed in line with their duration estimates and
budgets. Some might exceed their estimates, whilst others could be finished early and cost less than
expected. As explained in the previous chapter, statistical tools such as Monte Carlo analysis can be
used to attempt an assessment of the probability of the project finishing by its target completion
date or of the intended return on investment being realized. However, those measures deal with
uncertainty rather than with risk. Risks are unforeseen (and often unforeseeable) events that can
result in a change of project plans or even total project failure.
Risks events can occur in any kind of project and they can range from the ‘accident waiting to
happen’ variety to the most unexpected and bizarre. In a lifetime spent with projects I have known
risk events ranging in scale from a tragic underground mining disaster to an exploding hearing aid.
They can even occur late in the project life history, after the project is finished and handed over
(design modifications needed for the Millennium Bridge project in London, for example). I was
once responsible for a design error that resulted in a worldwide product recall from distributors and
customers. Management change and IT projects seem to be particularly prone to risk of failure, with
huge losses of money. With this vast breeding ground for possible risk events it is apparent that the
risk manager’s first problem is to identify the risks that might affect his or her project.
Checklists, which grow in size and value as companies gain more project experience, are a good
starting point for listing the foreseeable risks. Studying the history of similar projects can also highlight
possible problems and help the project manager to learn from the mistakes and experiences of others.
Brainstorming is an effective technique for considering many aspects of risks. A brainstorming
meeting of key staff is a particularly productive method for identifying all the possible risks along
with many of the improbable ones. Much depends on how the brainstorming session is conducted.
The leader or chairperson should encourage an atmosphere of ‘anything goes’, so that participants
feel free to propose even the most bizarre risks without fear of ridicule. All suggestions, without
exception, should be recorded for subsequent assessment and analysis.

RISK APPRAISAL AND ANALYSIS

Once identified and listed, risks can be ranked according to the probability of their occurrence and
the severity of the impact if they should occur. This process will eliminate the most improbable
risks arising from brainstorming, but it should bring to the fore those risk events that are most
likely to happen or which would have the greatest impact on the project. For this analysis it is
necessary to consider the possible causes and effects of every risk. Risk analysis can be qualitative or
quantitative.
Qualitative risk analysis involves considering each risk in a purely descriptive way, to imagine
various characteristics of the risk and the effect that it might have on the project.
Qualitative risk analysis goes at least one stage further than qualitative analysis by attempting
to quantify the outcome of a risk event or to attach a numerical score to the risk according to its
perceived claim for preventive or mitigating action.

Qualitative cause and effect analysis

Fault-trees and fishbones

Fault-tree analysis (not described here) and Ishikawa fishbone diagrams are methods commonly
used by reliability and safety engineers to analyse faults in design and construction. Figure 7.1, for
instance, shows how an Ishikawa fishbone diagram might be compiled to analyse the numerous

100
 RISK

Possible causes Effect

Mechanical failure Lubrication

Broken fan belt No oil

Damaged piston Contaminated oil
Burned out valve Wrong oil grade
Bearing failure Oil pipe leak
Sticking valve Blocked oilway
Blown gasket Oil pump failure
and so on and so on
Car engine
stops and will
not restart
Tank empty Open circuit coil
Diesel, not petrol Faulty spark
Contaminated fuel Flat battery
Blocked fuel pipe Blown fuse
Dirty filter Broken wire
Fuel pump failure Timing error
and so on and so on

Fuel Ignition

Figure 7.1 Ishikawa fishbone diagram

This cause and effect diagram examines the possible causes of a risk event. Project risk management is more often concerned
with the possible outcomes of a risk event, for which failure mode effect analysis is a more appropriate method (see Figure 7.2).

reasons why a car engine fails to start. Many items in this car engine example could be expanded
into greater detail, leading to quite a complex diagram, with many branches to the ‘fish skeleton’.
Fishbone diagrams can easily be used without adaptation to examine failures or poor performance in
organizations. The process generally starts by thinking about the effect, and then looking for the possible
causes. However, project risk management is more often conducted from the opposite viewpoint, which
means first listing all the possible causes (risks) first and then assessing their probable effects.

Failure mode and effect analysis (FMEA)

Failure mode and effect analysis has also been imported into project risk management from reliability
and quality engineering, but this method is possibly more helpful because it starts by considering
possible risk events (failure modes) and then proceeds to predict all their possible effects. Figure
7.2 shows a simple FMEA chart. Item 1 in this example is related to the car engine problem in the
fishbone diagram (Figure 7.1) but now we look beyond the simple fact of engine failure to consider
the possible consequential effects of the engine failing to start. A final column allows space for pre-
emptive actions to be recommended that might mitigate or prevent damage from the risk.
Only three items are shown in Figure 7.2 but there might be hundreds of items in a large,
complex project. Another column is sometimes added to show when in the project life cycle the risk
is most likely to occur. The chart illustrates a qualitative process because the characteristics of each
risk are considered, but there is no attempt to give each risk a priority ranking number or to quantify
the effects if the risk should occur.

Risk classification matrices

Figure 7.3 shows a risk classification matrix chart. This matrix comprises nine sections. Although
this is a simple classification method, an even simpler four-section matrix is often used, containing
the following quadrants:

• high chance – high impact

101
PROJECT MANAGEMENT

• high chance – low impact

• low chance – high impact
• low chance – low impact

As with failure mode and effect analysis, this again is a qualitative method, in which no attempt
is made to evaluate any risk numerically. Each risk item is considered for its likelihood of occurrence
(chance) and for the relative scale of the impact on the project should it occur.
Suppose, for instance, that a project is being planned to move a large company headquarters
from a central city location to a purpose-built office building on the outskirts of a country town
(let’s think of Swindon). The following are a few of the many risk events that might be visualized
and assessed:

• Some office equipment could be damaged or stolen in transit. The risk of that happening
might be high, but the impact could be considered medium because equipment is
replaceable.

Remedy:
Item Failure mode Cause of failure Effect recommended
action

1 Project Engine refuses to Poor maintenance Project manager Ensure good

manager’s car start marooned at vehicle
remote site with no maintenance and
other means of keep back-up car
transport at project site

2 Main building Building collapses Errors in floor Personal injuries Triple check key
during installation loading calculations Project delays structural
of heavy Loss of reputation calculations
machinery

3 Building collapses Floor slabs Personal injuries Ensure operatives

during installation incorrectly poured Project delays get good training
of heavy Loss of reputation and instruction.
machinery Employ competent
site engineering
manager.

Figure 7.2 Part of a failure mode and effect matrix (FMEA)

Severe impact Severe impact Severe impact

High

risk with low risk with medium risk with high

chance of chance of chance of
occurrence occurrence occurrence
Potential impact

Medium impact Medium impact Medium impact

risk with risk with risk with
low chance of medium chance high chance of
occurrence of occurrence occurrence

Low impact risk Low impact risk Low impact risk

with with with
low chance of medium chance high chance of
occurrence of occurrence occurrence
Low

Low High

Chance of occurrence

Figure 7.3 Matrix for qualitative risk classification

102
 RISK

• Some key staff might decide not to relocate with the company. That could be thought to
have a medium chance, and the effect would have a medium impact on the company’s
performance when starting up in the new location.
• The collapse of the new premises just before occupation date through an earthquake in
Swindon would be very low chance, but the impact would unquestionably be devastatingly
high.
• The chance of moving day being made thoroughly miserable for all concerned through
rain would be high, but with low practical impact.

Figure 7.4 shows a simple qualitative risk assessment matrix showing how the principles
illustrated in Figure 7.3 might be applied in practice. This exercise is not complete, because as yet no
thought has been given about what to do should any risk event occur.

Quantitative analysis
Quantitative analysis methods attempt to assign numerical values to risks and their possible effects.
They often examine the probable impact on project time and costs. Alternatively, the evaluation
process can produce a ranking number for every identified risk. Ranking numbers denote the priority
that a risk should claim for management attention and expenditure on preventative measures.
Although all quantitative methods produce actual numbers they can give a false sense of
precision. It has to be remembered that the results are based on estimates, assumptions and human
judgement. Those contributing assessments might be fundamentally flawed, mistaken or simply too
difficult for any person to make with any degree of certainty.

Failure mode effect criticality analysis (FMECA)

The qualitative failure, mode and effect analysis method illustrated in Figure 7.2 can be adapted
and extended to attempt risk quantification. The method then becomes failure mode effect and

Chance of Potential Difficulty of

Risk event Comment
happening severity detection

Action by High High Low We shall be building in

environmentalists a nature reserve.

Strikes or other Low High Low Loyal workforce with no

industrial action previous problems.

Project manager Low High Low But she is a keen

struck by lightning golfer.

Hairline cracks in Low High High Suppliers have high

structural steel quality reputation.

Software bugs Medium High High Process safety

depends on computer
controls.

Exchange rate Medium Medium Low Not difficult to detect

changes but impossible to
predict.

Materials shortages Medium Medium Low

Figure 7.4 Qualitative risk assessment matrix

103
PROJECT MANAGEMENT

criticality analysis (FMECA). Figure 7.5 shows one version. In this example three assessment columns
are provided, in each of which the risk analyst is expected to enter a number expressing the degree
of significance. Every item is ranked on a scale of one to five, with the highest numbers indicating
the greatest degree of significance. The entries might be those of the risk analyst or, preferably, the
collective opinions of a risk committee or brainstorming group. In some procedures the column
headed ‘Detection difficulty’ is replaced by one headed ‘Prediction difficulty’.
Item 2 in Figure 7.5, for example, considers the possibility and potential seriousness of a building
collapse. This is for a building created as part of the project, and the collapse in question might
happen during the installation of heavy machinery on upper level floors. If the floors have been
incorrectly designed, they might not be sufficiently strong to carry the weight of the machinery.
The assessor clearly thinks this is unlikely to happen because she has ranked ‘Chance’ at the bottom
end of the 1–5 scale. There is no doubt, however, that if this event did occur it would be extremely
serious, so ‘Severity’ has been marked as 5.
‘Detection difficulty’ means the perceived difficulty of noticing the cause of this risk (design error
in this case) in time to prevent the risk event. Here there is a considerable element of judgement, but
the assessor thinks that although the chance of a design error is very low, the difficulty of spotting
a mistake if it did occur would be higher (3 on the scale of 1–5).
The product of these three parameters, 1 × 5 × 3 gives a total ranking number of 15. Theoretically,
when this exercise has been performed on every item in the list, the list can be sorted in descending
sequence of these ranking numbers, so that risks with the highest priority for management attention
come at the top of the list.
Some assessors use weighted parameters. For example, it might be considered that the severity
of the risk should play a higher part in deciding ranking priority. So the severity column could
be marked on a higher scale, say from 1–10. Item 2 in Figure 7.5 might then be marked 9 on this
extended scale, which would increase the ranking factor for this item from 15 to 27.
Although not usual practice, a case might be argued for allowing zero scores in the ‘Chance’ and
‘Severity’ columns. That could, of course, result in a total ranking factor of zero. That would be one
way in which to dispose of some of the more outlandish risk events identified during an anything-
goes brainstorming session.

RISK REGISTER
When all the known risks have been listed, assessed and ranked it is time to consider what might
be done about them. That process requires that all potential risks be listed in a risk register (or risk

Detection Total
Item Failure mode Cause of failure Effect Chance Severity
difficulty ranking

1 Project Engine refuses to Poor maintenance Project manager

manager’s start marooned at remote 2 1 3 6
car site with no other
means of transport

2 Main building Building collapses Errors in floor Personal injuries

during installation of loading calculations Project delays 1 5 3 15
heavy machinery Loss of reputation

3 Building collapses Floor slabs Personal injuries

during installation of incorrectly poured Project delays 1 5 2 10
heavy machinery Loss of reputation

Figure 7.5 Part of a failure mode effect and criticality analysis matrix

104
 RISK

log). A fairly typical example of a risk register page is shown in Figure 7.6, and it should be apparent
that this is modelled closely upon the FMECA method demonstrated in Figure 7.5. However, the risk
register has the following noticeable additions:

• an ID number for each risk listed;

• space for writing in the proposed action that would be taken should the risk event
materialize;
• a column headed ‘Action by’ in which the name of the person or manager responsible for
taking action for each risk can be entered.

The risk register should be reviewed and updated regularly throughout the life of the project. It
is advisable to use the computer to sort the risks according to their ranking, with the highest ranked
risks placed at the top.

METHODS FOR DEALING WITH RISKS

When all the known risks have been identified, assessed, ranked and registered it is time to consider
what might be done about them. These are the decisions that must be entered in the two columns
at the right hand of the risk register. The project manager usually has a range of options:

1. Avoid the risk – The only way to avoid a risk is to abandon the possible causes, which could
even mean deciding not to undertake a project at all.
2. Take precautions to prevent or mitigate risk impact – This is a most important part of risk
management, requiring the active participation of all managers and staff. It needs high-
level risk prevention strategy combined with executive determination to ensure that

Risk Date Risk description and Probability Impact Detection Ranking Mitigating or avoiding action Action by:
ID registered consequences (severity) difficulty
P = 1-3 S = 1- 3 D = 1-3 P x S x D

Figure 7.6 Format of a risk register (or risk log)

105
PROJECT MANAGEMENT

all preventive measures are always followed throughout all parts of the organization. It
requires the creation of a risk prevention culture, covering all aspects of project tasks,
health and safety, and consideration for the environment. Here are a few examples of the
many possible practical measures, listed in random sequence:

• high security fencing to reduce the chance of gatecrashers at an open air pop
festival;
• provision of marquees at a garden party in case of rain;
• regular inspection and testing of electrical equipment to ensure safe operation;
• double-checking to detect errors in design calculations for vital project components
or structures;
• provision of back-up electrical power supplies for vital operations, essential services
and computers;
• frequent back up and secure offline storage of business data;
• avoidance of trailing electric cables in offices;
• ensuring that means of escape routes in buildings are always clear of obstructions and
that smoke screen doors are kept closed;
• regular fire drills, testing of fire alarms and emergency lighting;
• on-the-job training of back-up staff to understudy key roles in the organization;
• regular inspection and maintenance of lifts and hoists;
• provision of safety clothing and equipment to protect workers, and enforcement of
their use;
• restricted access to hazardous areas;
• provision of secure handrails to all stairways;
• choosing the time of year most likely to provide fair weather for outdoor projects;
• adequate training of all those operating potentially hazardous machinery;
• regular financial audits and the installation of procedures to identify or deter fraud;

and so on, and so on: this list could be very long.

3. Accept the risk – Rain might make the day chosen for office relocation miserable for all
concerned but the risk would have to be accepted. There are numerous small things that
can go wrong during the course of any project, and most of these risks can be accepted in
the knowledge that their effect is not likely to be serious, and that they can be overcome
by corrective measures or replanning.
4. Share the risk – If a project, or a substantial part of it, appears to carry very high risk, the
contractor might seek one or more partners to undertake the work as a joint venture.
Then the impact of any failure would be shared among the partners. Sharing a risk big
enough to ruin one company might reduce its impact to little more than a temporary
inconvenience.
5. Limit the risk – There are occasions when project risks should only be accepted with
safeguards in place to limit their potential effect. A good example is an internal project,
perhaps for pure research, that cannot be adequately defined at the outset. No one can
tell how much the project will eventually cost or what its outcome might be. Yet the
opportunities are too great to consider avoiding the risk altogether.
The usual solution to starting an ill-defined project is to limit the risk by authorizing work
step by step. It may be possible to divide the project into a number of stages for this purpose:
indeed the process is sometimes called stage gating. The stages might be determined by:

• the occurrence of significant events in the project that can easily be recognized when
they happen;

106
 RISK

• the imposition of a time limit for each stage;

• a budgetary limit for each stage; or
• a combination of any two or all of these.

Funding or authorization of expenditure on each new stage of the project would depend
on a critical review of the work carried out up to the review date, coupled with a fresh
appraisal of the value of continuing with the project. This approach has the advantage
of limiting the committed risk. Although it is not possible to define the entire project
in advance, it should be possible to look the short way ahead necessary to define each
new step. Each limited step so defined may then be amenable to the project management
procedures that cannot be used for the whole project.
In the step-by-step or stage-gated approach it always has to be borne in mind that it
might become necessary to abandon the project at any stage and write off the expenditure
already incurred.
6. Transfer the risk – Some risks, or substantial parts of them, can be transferred to another
party on payment of a fee or premium. This leads to the important subject of insurance,
which is discussed in the next section.

INSURANCE
The financial impact of many risks can be offset by insuring against them. The client pays the
insurance company a premium for this service, and the insurer might itself choose to spread the risk
by sharing it with one or more other insurance companies. Figure 7.7 shows that managers do not
enjoy complete freedom of choice when deciding which risks should be included in their insurance
portfolio.

Risk

Risks that can and Risks that can be Risks that are
must be insured insured if required difficult or impossible
to insure

Statutory Contractual Management The contractor or

requirement requirement choice the customer must
accept the risk

Examples Examples Examples Examples

• Employer’s liability • Liability for • Loss or damage to • A loss where the

for injury to damage to tools and insured would
employees customer’s equipment at the stand to benefit as
property project site a result of
• Liability to third
insurance
parties arising • Indemnifying the • Pecuniary loss
from use of motor customer against through an • Unreasonably
vehicles on public injury to persons unforeseeable high chance of the
roads cause loss occurring

Figure 7.7 Risk and insurance in project management

107
PROJECT MANAGEMENT

Since January 2005 the insurance market has been regulated by the Financial Services Authority
(FSA). This has led to some changes in the way in which insurance customers are defined, and the
information supplied to customers before making a contract of insurance. Customers are either
‘retail’ or ‘commercial’.
A retail customer is a ‘natural person’ (policyholder or potential policyholder) acting outside
their normal trade or profession. A commercial insurance customer is someone acting within their
normal profession.
An example of a retail customer would be an individual (a ‘natural person’) who is not connected
with the construction trade and who project-manages the construction of their own house on their
own plot of ground. Greater protection and more information are provided to a retail customer than
to a commercial customer because the commercial customer is deemed to have greater knowledge or
to have access to a professional insurance intermediary.
The policyholder (or potential policyholder) should be given all the necessary information
before the inception of insurance cover, to assist them to arrive at an informed decision. In addition,
the actual policy wording, terms and conditions must be available and agreed before inception to
achieve ‘contract certainty’. In plain English, that means that the intending policyholder must
know exactly what will or will not be covered by the insurance, together with details of the cost.
The FSA regulates and authorizes all insurance providers (insurance companies) and insurance
intermediaries (brokers). It is illegal for someone or a firm to deal in insurance unless they are
regulated and authorized by the FSA.

Categories of insurance
There are four main classes of insurance:

1. legal liabilities (payments to others as a result of statutory, contractual or professional

commitments, compensation awarded by the courts, legal expenses, but not fines imposed
by the courts);
2. protection against loss or damage to property, including temporary works and work in
progress, owned construction plant, hired-in plant and employees’ effects;
3. cover relating to personnel;
4. pecuniary loss.

A policy may combine cover for two or more of the above classes of risk.

Obligatory insurances
Legal requirements oblige companies to obtain adequate insurance cover against some risks. These
obligations arise either from various government laws and regulations or from conditions contained
in a binding commercial contract.

Statutory requirements

At the top of the insurance shopping list are those items which must be insured in order to comply
with laws and regulations. Third-party insurance for motor vehicles used on public roads is a familiar
example. Employers are obliged to insure their employees against injury or illness arising from their
employment (Employers’ Liability Insurance) and every employer has to display a valid certificate
on its notice boards to show that such insurance exists.
Statutory regulations of particular interest to the manager of construction and engineering
projects cover the periodic inspection and certification of lifting equipment, pressure systems and
local-exhaust ventilation plant. No project which includes the installation of such equipment should

108
 RISK

be handed over to a client without the relevant written (or other) scheme of examination and the
accompanying inspection certificates. If the correct documentation is not supplied, the client will
not legally be able to operate the equipment. In the UK these regulations form part of the Health
and Safety at Work Act 1974. Much of this legislation resulted from European Directives and similar
legislation has been enacted in other EU member countries. The principal regulations are:

• Lifting Operations and Lifting Equipment Regulations 1998 (LOLER)

• Provision and Use of Work Equipment 1998 (PUWER)
• The Management of Health and Safety at Work Regulations 1999
• The Pressure Systems Safety Regulations 2000 (PSSR)
• Control of Substances Hazardous to Health Regulations 1998 (COSHH)
• Electricity at Work Act 1988 (E@W).

Regulation of the relevant inspection services is carried out by the Health and Safety Executive
for and on behalf of the Crown. All inspection bodies must be accredited by the United Kingdom
Accreditation Society (UKAS) to in accordance with (at the time of writing) ISO/IWC 17010.
Inspection work is usually performed by engineer-surveyors employed by an engineering
insurance company. The insurance company is sometimes engaged by the contract principal, but
more usually by the main contractor. The larger of these insurance companies, with many years’
experience of such work, are able to advise on compliance with national and local legislation
covering equipment and construction materials.
The project or site manager must check that inspection certificates required by the regulations
are current and valid for plant hired for use on a construction site. This will help to protect the
project manager’s organization from any liability that might arise from the use of a plant hire fleet
that has been poorly managed by the plant hire company.
Failure to comply with these, and other, regulations may have an adverse effect on the insurance
cover. In addition, non-compliance could render the parties liable to prosecution by the Health and
Safety Executive.

Contractual requirements and other legal liabilities

In commercial and industrial projects, whether for construction or manufacturing, it is certain that some
onus will be placed upon the parties (usually the contractor) to insure against several risks. All the model
terms of contract for engineering, civil and construction contracts embody such requirements. The project
contractor will also wish to make certain that subcontractors are bound, in turn, by similar conditions.
Liability insurances are most likely to feature prominently in project contracts. The project
purchaser will want to know, for example, that the contractor has adequate cover for legal liability
in the event of personal injury, illness or death caused to anyone as a result of the project.
In summary, liability insurances may be required for:

• compensation to persons for bodily harm (employees of either party, others working on
site, visitors and members of the public
• property loss or damage, including work in progress
• financial loss
• infringement of property rights
• accidents
• product liability (arising from use of a product)
• professional negligence
• nuisance caused by the works
• environmental damage.

109
PROJECT MANAGEMENT

Every organization or professional person with project responsibility (including architects,

consultants, surveyors, designers and project management organizations) must make certain that
they have adequate professional liability insurance to cover any liability that they might incur in
the course of their work.

Other risks that can be covered by insurance

In addition to the statutory and contractual requirements, there is a range of other risks against which
a contractor might be required to insure, or for which a contractor might decide that insurance is
prudent. Some of these are listed below.

Contractors’ all risks insurance for construction and engineering projects

All risks insurance cover provides protection during the works, until the project is complete and
handed over to the customer. Thereafter, insurance becomes the customer’s responsibility.
All risks policies typically protect work-in-progress and temporary works against fire, storm
damage, theft and malicious damage but any new policy proposal should be studied with care, as
it is likely to list exceptions. In addition to work-in-progress, the cover should include loss or
damage to:

• construction plant and machinery

• hired plant
• construction materials in transit to site
• temporary buildings and site huts
• employees’ tools and effects.

In addition there will be other, minor, extensions of cover built into the policy for little or no
extra cost.
Reinstatement costs after an accident will also be covered, including the costs of removing
debris and the fees of architects, surveyors and consulting engineers. The insurer might also agree
to pay additional expenses (such as overtime costs and express carriage rates) incurred as a result of
expediting reinstatement work.
Contract all risks (CAR) policies usually apply to civil engineering and construction projects,
while the less common engineering all risks (EAR) policies are for contracts that relate specifically to
the construction and installation of machinery.
Exclusions and conditions in the policy, and in the policy schedule, should be examined carefully
and understood before the insurance is entered into.

Decennial (latent defects) insurance

Decennial insurance, which can cover a period of up to ten years, is designed to insure against
damage to premises caused specifically by an inherent defect in the design, materials or construction
of a project. In the event of a successful claim, decennial insurance removes the need for the project
owner to suffer the expense of taking legal action for recompense against the contractor.

Accident and sickness insurance

Provisions for personal accident, sickness and medical expenses insurance will need particular
consideration when employees are required to travel, whether at home or abroad. Those working on

110
 RISK

projects in foreign countries will expect to be adequately covered for the higher risks involved, and
such cover will have to be extended to spouses and children if they are also allowed to travel.

Key person insurance

Key person insurance offers various kinds of protection to an employer against expenses or loss of
profits which result when illness, injury or death prevents one or more named key persons from
performing the duties expected of them. Arrangements are flexible and policies can be tailored to
suit particular circumstances.

Pecuniary insurance

Pecuniary insurances are designed to protect a company against financial losses from a variety of
causes. Risks that can be covered include embezzlement, loss through interruption of business, and
legal expenses. Advance profits insurance may be possible in some limited circumstances to provide
cover for delay in receiving planned return on project investment caused by late completion of the
project.
Of particular interest to contractors where business with foreign customers is involved is export
credit insurance. In the UK, the Government’s Export Credits Guarantee Department (ECGD)
provides guarantees that can provide security against bank loans for large capital goods and long-
term projects. Most industrialized companies have similar schemes. The contractor will be expected
to bear some of the risk, although its proportion will usually be small. The security offered by credit
insurance can be an important factor in obtaining finance for a project.

Risks which cannot be covered by insurance

There are risks which an underwriter will either refuse to insure, or for which the premium demanded
would be prohibitive. Such cases arise in the following circumstances:

• where the chances against a loss occurring are too high or, in other words, where the risk
is seen as more of a certainty than reasonable chance. Examples are losses made through
speculative trading or because of disadvantageous changes in foreign exchange rates;
• where the insurer is not able to spread its risk over a sufficient number of similar risks;
• where the insurer does not have access to sufficient data from the past to be able quantify
the future risk;
• where the insured would stand to gain as a result of a claim. Except in some forms of
personal insurance, the principle of insurance is to attempt to reinstate the insured’s
position to that which existed before the loss event. A person cannot, for example, expect
to benefit personally from a claim for loss or damage to property not belonging to them
(property in which they have no insurable interest).

These items must, therefore, be excluded from the insurance portfolio. In some cases other
commercial remedies might exist for offsetting the risks.

Obtaining insurance
Insurance can be sought directly from an underwriter, or through a broker; preferably one with a
good reputation and experienced in the insured’s type of project activity. The insurer will need to be
supplied with sufficient information for the risk to be adequately defined, and the contractor will be
expected to inform the insurer of any change of circumstances likely to affect the risks insured. The
insurer may wish to make investigations or even follow up the project work using its own experts.
111
PROJECT MANAGEMENT

Professional advice from insurers can often be of great benefit in reducing risks, especially in the
areas of health and safety and crime prevention.
Two events in 2001 had a severe impact on insurers and will affect reinsurance and capacity
for many years to come. One of these events was the insolvency and collapse of Independent
Insurance plc, a company that insured a large number of contractors and construction trade clients
for very low premiums. This caused every insurance company and broker to conduct internal audits,
critically re-examining the risks to their own businesses. The other 2001 event was, of course, the 11
September terrorist atrocities in the US, which highlighted to insurance and reinsurance companies
the potential for such enormous claims to be repeated in the future, whether from terrorist attacks or
other causes. Insurers have since sought to limit their exposure to such risks and they have instituted
a regime of stricter underwriting controls and lower risk acceptance thresholds.
Liability insurance is becoming expensive. Employer’s liability cover, even though a legal
requirement, is becoming difficult to obtain. Some insurance companies have had to close because
they are unable to effect such insurance.
It is, therefore, now more important than ever for a project manager to involve an insurance
specialist at a very early planning stage, lest they should find that no insurance cover is available at
short notice.

PLANNING FOR A CRISIS

Some risk events can have such a potential impact on a project that special crisis management
contingency plans must be made. Such contingency plans can extend to projects that would need to
be set up specially and rapidly to deal with the sudden crisis, for example in areas that are particularly
liable to epidemic diseases, famine, flooding, hurricanes, earthquakes or other natural disasters.
Crisis contingency plans should also be put in place by process industries and other companies
that carry out operations which, if they should go wrong, could be hazardous for people and the
environment beyond the factory gates. One cannot always say when or where a disaster will strike,
but at least plans can be put in reserve to be implemented immediately when the need arises.

Organization
Once the possibility of a crisis has been established, the first step in devising a contingency plan is
to identify the key people who will take charge of the crisis management project. These people will
constitute a sleeping organization, ready to awake at a moment’s notice in case of need. The core
organization might include senior representatives of local and national government, the emergency
services, particular charities and relief organizations, and so on. Each person should have the
authority to instruct others within their home organization and the permission to identify the
relevant resources that could be made available should the crisis happen. A team leader or steering
committee must be appointed that will manage the project should it become live. This group of key
people might be called the crisis action committee.

Contingency planning
Once the key people have been elected or selected to serve on the action committee, they must meet
to design appropriate contingency plans, and then meet again at regular intervals to ensure that the
plans are kept up to date. The committee might have to arrange for emergency funds, stores and
special equipment to be stockpiled or at least located against the time when they might suddenly be
needed. Lists of secondary organizations and other helpers must be established, which although not
part of the action committee could be called upon to give urgent and immediate assistance. These

112
 RISK

secondary associations might include, for example, specialist engineering or chemical contractors,
explosives or decontamination experts, building and demolition contractors, caterers, and a wide
range of charitable organizations that could offer relief services. There might also be a need to plan
for immediate advertising in the appropriate media to make public appeals for funds.

Tabletop and other exercises

One thing that the action committee will need to do as early as possible is to assess what might
happen should the crisis arise. The committee will need to use their collective imagination to
consider and be prepared in advance for as many of the problems as possible.
A tabletop exercise can contribute to this process, where the members of the action committee
carry out a role-playing exercise to consider as exactly as possible what might happen and what they
themselves and their subordinates might do should the crisis happen.
Many crisis contingency plans can be tested by field exercises, in which some or all of the services
act out their parts as if the crisis had actually happened. Field exercises can reveal shortcomings
in the contingency plans and test vital aspects such as mobility, response speeds, and how to
communicate and coordinate the various participants under emergency conditions, when power,
water and telephones might all be out of action.
When the plans have been made and tested they must be documented, incorporating all the
lessons learned from tabletop and field exercises so that they are ready to put into action effectively
and with minimum delay. This is, in effect, creating a project handbook or project manual for a
project that might never happen. When a crisis does cross from imagination to reality, however,
contingency planning can save time and many lives.

REFERENCES AND FURTHER READING

Association for Project Management, (2004), Project Risk Analysis and Management Guide, 2nd Edition
(High Wycombe: APM Publishing).
Chapman, C.B. and Ward, S.A. (2003), Project Risk Management: Processes, Techniques and Insights, 2nd
Edition (Chichester: Wiley).
Hillson, D. and Murray-Webster, R. (2005), Understanding and Managing Risk Attitude (Aldershot:
Gower).
Kluwer’s Insurance Buyer’s Guide 2005/2006 (Kingston upon Thames: Croner); this title is updated
annually.
Ould, M. (1999), Managing Software Quality and Business Risk (Chichester: Wiley).
Sadgrove, K., (2005), The Complete Guide to Business Risk Management, 2nd Edition (Aldershot:
Gower).
Webb, A. (2003), The Project Manager’s Guide to Handling Risk (Aldershot: Gower).

113