Categorizing risks in seven large projects--what risks do the projects focus on?



There are numerous publications showing that projects often fail to meet their cost or schedule target or to give their intended benefits, and numerous solutions have been offered to correct these problems.

One of the early approaches to these problems was to focus on success factors. Pinto and Slevin (1987) were among the first to publish success factors. Their ten factors include project mission, management support, schedule/plan, client consultation and acceptance, personnel, technical aspects, monitoring, communication, and feedback. A couple of years later Duffy and Thomas (1989) published a study citing the main causes of project failure. The most important were part-time project management, inappropriate organization, inadequate definition of scope, poor planning, and change order control and risk not identified. It is interesting to note that the study by Duffy and Thomas cites risk as an important factor, whereas Pinto and Slevin do not mention it in their list. Recent thinking focuses significantly on risk. (Miller & Lessard, 2001; Moynihan, 1997;(Maytorena, Winch, Freeman, & Kiely, 2007; Simister, 2004). Risk management is considered by many to be the essence of project management.

In their study of 44 capital projects, Hetland, Sandberg, and Torsøy (2005) suggest a new understanding of project-specific uncertainties and offer a proactive communication strategy to outwit attackers’ attempts to escalate cost deviations. A recent study of mega oil sand projects in Canada (Jergeas, 2008) points in the same direction, as it highlights overly optimistic original cost estimates and schedules. Some authors have started to look at volatility as an expression of uncertainty in projects (Costa Lima & Suslick, 2006).

Today risk is considered a major factor influencing project success, and project risk management is an important activity in any capital project. Project risk management is also one of the nine knowledge areas in the Project Management Institute's A Guide to the Project Management Body of Knowledge (PMBOK® Guide)—Third edition (Project Management Institute [PMI], 2004). It is also part of most maturity models including PMI's Organizational Project Management Maturity Model (OPM3®) (2003), and a new standard from PMI on project risk management forthcoming.

Several authors have published project risk management approaches (Chapman & Ward, 2003; Gareis, 2005; Hartman, 2000; Kerzner, 2006; Morris & Pinto, 2004). The classical approach to project risk management normally contains four to six steps. The underpinning idea is to identify risk factors, to evaluate and analyze them, and, finally, to try to manage them. The analysis may be purely qualitative or a quite sophisticated quantitative.

Some authors, for example Westney and Dodson (2006), also use the term strategic risk. Focusing on negative risk, they regard strategic risk as the prospective impact on earnings or capital from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. It is beyond the control of the project team but may be controlled by the project owner or sponsor. It is a function of the compatibility of an organization's strategic goals, the business strategies developed, the resources deployed, and the quality of the implementation.

In addition to operational and strategic risk, Rolstadås and Johansen (2008) define contextual risk. This is risk connected to circumstances outside the project that may influence the scope of work and the performance of the organization. Examples are competing projects, change in ownership and management, legislation and governmental directives, media attention, extreme market conditions, accidents, and so on.

Contextual risk may be difficult to predict and may have significant impact. Taleb (2007) calls such risk “Black Swans.” The Black Swan logic makes “what you do not know” more important than “what you do know.”

It may seem trivial to state that both in the academic and practical discipline of management there has for a long time been an acceptance that uncertainty plays a major role—not all factors of importance may be regarded as well-defined or static. When speaking of project management in particular the focus has shifted—from a view of the ideal well-managed project having fixed and firm plans based on a thorough analysis of needs and detailed specs of the solution, to a greater attention to the impact of uncertainty.

Once it is accepted that uncertainty may have a substantial impact on projects and how they achieve their goals, then risk/uncertainty management becomes an important issue. And it becomes important to find out more on how the project risk management contributes to achieving the objectives. A case study has therefore been made to see how the project risk management can address the project objectives, and to see whether strategic risks are addressed or not.

This paper will be organized as follows:

First we define the research questions, discuss some of the terms in common use, and establish the terminology that will be used in this paper, and then we discuss the classification of risks.

The method is then described, and the projects that have been studied are presented.

The results of the study are then presented. They are related to some common hypotheses from the literature, and their implications are discussed.

Finally, some conclusions are drawn and necessary further work is pointed out.

Research Questions

In this paper, a simple categorization of risks/uncertainties are used, where a distinction is made between operational, short-term, and long-term strategic risks as being risks to project objectives at different levels. (More on risk categories and terms will be discussed later in this paper.) Many authors have claimed that within such a categorization the uncertainty is at its greatest in early project stages and that the strategic risks are of greater importance likewise in the earlier phases of the projects, while the operational risks are greater in the later phases (Christensen & Kreiner, 1991; Jaafari, 2001; Samset, 1998). However, Miller and Lessard have given indications (2000) that in large engineering projects that were studied, there was also typically a greater impact from strategic risks in longer periods of the later stages of the projects.

So what is the case in the projects that may be observed today? Do we find that the projects are struggling with strategic risks even in the late implementation phase, or is this only the time for operational risks? Is it possible that there are other factors influencing this than just the project phase? And how are the different risk categories handled with regard to risk reduction, closing, number of actions to them, and so on. To our knowledge, no studies have been done on how project risk management addresses these issues. Therefore, for some months an investigation was done on how the risk management was carried out in seven projects in a large oil and gas company. This study was used to find out which risks were actually handled/managed by means of their risk registers, and how these risks were assessed and treated. Also, for each of the projects, the assessments of the project owners, the project teams, and other key stakeholders of the projects were collected (through interviews), as well as their assessments of the evolving risk scenarios of the projects.

More precisely, the data collected in our study have been used to give some answers to the following questions: When risks are identified, how are they then distributed among the risk categories?

Are there any significant differences between the projects regarding this? For instance, are there differences related to project size, to which phase this project is in, or to other project characteristics?

A Brief Discussion of Terms

Risk and Uncertainty

A risk is here defined as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives” (PMI, 2004). It must be emphasized that a risk is characterized by having both a consequence and a probability.

An uncertainty is here defined as “the difference between the amount of information required to perform the task and the amount of information already possessed by the organisation” (Galbraith, 1977).

Hence, a risk is categorized as having an impact, while an uncertainty may or may not have a known impact. An uncertainty is therefore the most comprehensive term. Both terms here do include both positive and negative possibilities.

To investigate more closely the relation between risk and uncertainty for projects, we need to look at the use of the terms risk and uncertainty as seen from two perspectives:

  1. To describe a risk/uncertainty situation
  2. To describe a specific risk/uncertainty element

1. Describing a Risk/Uncertainty Situation

This approach is based on a view of the whole situation—where it will be considered to have more or less of uncertainty. This is closely related to the concept of environmental uncertainty, as described by for instance Karlsen (2001). Karlsen's environmental uncertainty must be regarded as usually forming/making up a substantial part of (what is here defined as) the uncertainty of the given situation.

This will be a relevant approach to a situation in which there is a significant difference between the knowledge available and the knowledge needed for making necessary decisions in the actual situation.

2. Describing a Specific Risk/Uncertainty Element

With this approach—which might be considered as more pragmatic—the factors/ elements are selected that are most likely to cause risk (in our case, risk to the objectives of a project) and defines these as the main risks (to the project).

This approach will be highly relevant in situations with many possible outcomes, and where some of those outcomes will have a major impact on the project or the results of the project. In such a situation it should (in some way) be possible to make assessments of the probable impact of those outcomes.

Depending on the actual situation, the two approaches (A) and (B) may be suited more or less to prepare a basis for successful risk/uncertainty management in the given situation.

The Need for Common Terms

Logically a term will be needed that can include both risk and uncertainty management. One could either select one of the two (i.e., risk or uncertainty) to also act as a superior term, or one could try to avoid confusion by introducing a new term as the superior one. We will here choose not to introduce a new term for this, but rather use one of those that already exist. Of the two terms, “uncertainty” would—with the specific definitions given here—be the most logical choice for a term spanning the two terms. This will be because the term “risk”—with its direct link to the effects from risks—cannot include uncertainties, where the effects may be unknown. We will therefore use “uncertainty” as the common term for risks and uncertainties. Hence, when the term risk is used in this paper, it will have the meaning of a risk element that is considered to have an impact.

Risk Categories

It is possible to construct an abundance of different risk categorizations—and it has been done. The obvious, pragmatic approach is to sort the risks into “heaps” based on common features. For instance, risks are sorted by organizational areas, technical areas, or contract areas. So-called “risk breakdown structures” (Hillson, 2003; PMI, 2004) may also be used as frameworks for such classifications. Our assertion to the major number of such classifications is: the selection of categories very often seems to be based on a tradition (for instance, of the organization or professional area) of “how to organize one's world.” Or they may have a more operational purpose, for the risk reduction in a given project—as discussed by Hillson (2004, p. 130). Thereby it will, more or less, implicitly be organized according to “what in our close surroundings we regard the risk to be a risk against.” Or it will be organized according to “who or which area is the most affected.” However, for our study, this pragmatic view of risks should be replaced by a more generic view, requesting a more generic categorization.

The purpose of this study is to investigate the contribution from project risk management to the achievement of project objectives. Therefore a risk classification is needed that is based on the objectives of the project, including the higher/more superior objectives for the project organization (Hillson, 2004). Hence, the categorization proposed here will be based on the levels in a hierarchy of management objectives, as shown, for instance, by Mintzberg (1994). As stated earlier, categories should demonstrate directly which level of objectives they affect.

Establishing Operational Criteria for the Risk Categories

To relate the risk categories to the levels of project objectives, the three categories are defined as follows:

1. Operational risks

This term refers to risks related to operational objectives of the project. This means risks restricted to the direct results from the project—that is, its products.

2. Short-term strategic risks

This term refers to risks related to the short-term strategic objectives of the project.

In other words, short-term strategic risks are risks related to the objectives for project owner's use of the project results after the project has been completed. It may also mean the risk for first-order effects of the project—that is, risk for the effects that should be achieved for the target group or users.

3. Long-term strategic risks

This term refers to risks related to long-term strategic objectives of the project—in other words, risks related to the project purpose, or, the long-term objective that the project is meant to contribute to.

Operational criteria, used to evaluate whether a given risk element is long-term strategic, short-term strategic, or operational include the following:

1. The risk element is considered an operational risk when: the risk element is a risk to the project output (which should be specified in a project definition/delivery contract)—i.e., a risk to the project's ability to deliver.

2. The risk element is a short-term strategic risk when: the risk element is a risk to a functionality not clearly specified in project definition/delivery contract, but is necessary in order to achieve the effects of the project (restricted to the first-order effects for the target group/users).

3. The risk element is a long-term strategic risk when: the risk element is a risk to achieving the long-term objectives of the project, but not a risk of the two categories mentioned above (i.e., operational or short-term strategic risk).

The Study

Method and Subject of Study

For the purposes of this study, a combined approach was chosen, using both qualitative and quantitative data collection methods (Creswell, 2003; Flyvbjerg, 2006). An introductory interview in each project gave a first insight into their differences and similarities. Data were collected from the risk registers in the projects over a period of 6 months. Follow-up interviews were made with persons selected in order to give better insight into certain aspects brought to light through the data analysis.

The main data source for this article has been the reports with data extracted from the project risk registers. This has been supplemented (to some extent) with information from the interviews. The projects studied may all be characterized as engineering and construction projects, and they are all large projects (i.e., projects with total costs of €100 million or more).

The projects studied are in different project phases—varying from one that has not yet made all decisions on conceptual choices to one that is close to takeover and start-up of production. The other projects are at different stages that fall between these two stages.

For the purposes of this study, all identified risks were categorized according to their possible impact to the project's (or the organization's) objective levels: operational, short-term strategic, long-term strategic. And there had been established a set of criteria, making it possible to categorize the risks based on the information in the risk register.


The study has been based on an extract of all the seven projects’ risk elements—both open and closed—as they occurred in their risk registers at the end of September 2008. The risk elements were categorized based on the descriptions given in these registers and the criteria for the categories given in previous sections of this paper. A summary of the results is presented in Table 1.

      Type of risk    
  Project Operational Short-term
  A 81 % 19 % 0 %  
  B 98 % 2 % 0 %  
  C 89 % 9 % 2 %  
  D 96 % 4 % 0 %  
  E 86 % 14 % 0 %  
  F 88 % 11 % 1 %  
  G 97 % 3 % 0 %  
  Sum 90 % 10 % 0 %  

Table 1: Distribution of the 1313 risks between risk categories.

The table is based on a total of 1,313 risk elements registered in the seven projects from April 2005 until September 2008. In all projects, the operational risks make up the majority of the total risks. In Projects B, D, and G this is particularly true (96%–98%). In all projects, the long-term strategic risks make up a negligible fraction (0%–2%, overall <0.5%).


There are a number of possible explanations as to why so few strategic risks (and in some projects almost none) are identified:

  • Strategic risks do not occur at this stage
  • Long-term strategic risks are not the projects’ responsibility
  • Strategic risks are mainly the asset owner's responsibility

Strategic Risks Do Not Occur at This Stage

Many issues have been resolved at earlier project stages. Most of the strategic decisions have already been made, and because many of the projects are developed as quickly as possible, these decisions have been made quite recently. Or it may be because the project context may simply have a low complexity.

The results seem well-suited to the assumption that “strategic risks are basically identified and dealt with at earlier stages of the project.” If this assumption is true, then there will mainly be operational risks left for the project to handle at later stages.

Long-Term Strategic Risks Are Not Projects’ Responsibility

Strategic risks may not have been perceived as the project's responsibility. This may either have been communicated, more or less explicitly, by the project management (and/or RM Function), or it may have been a “generally accepted view” in the project. Projects may, for instance, regard that ensuring project efficiency, not effectiveness, is their main responsibility (Samset, 2003). This is a question of the focus of the project team.

But if such risks should occur, they should be identified as part of the project's risk management process. This should be done, even if it will not eventually be the project team's responsibility to take all actions necessary to close the risk.

Strategic Risks Are Mainly the Responsibility of the Asset Owner

Strategic risks are considered by many to be mainly a management concern (Mintzberg, 1994) and it is therefore felt that the project team should not be responsible for managing or handling such risks. However, the project team's unique position and usually deep involvement in the project development process will often enable them to identify strategic risks earlier and more reliably than most other actors.

More on the Time Aspect of Risk Identification/Management of the Projects

Time has not yet allowed any deeper studies of the time aspect of risk identification/management—that is, to study more in detail risks of different categories versus the project phase when they are identified. For instance, it should be studied whether more strategic risks really are identified earlier in the projects. This will be studied in further detail later on in this study, and will be the main theme of a later article.

Strategic Risks May Have Serious Impact on the Project

There has been much experience—and many examples—indicating that strategic risks may have a significant impact on the success of projects ((Miller & Lessard, 2000; Rolstadås & Johansen, 2008; Westney & Dodson, 2006). Strategic risks may mean important changes to or introduce new project assumptions, or they may introduce new or changed conditions.

The results indicate that projects should emphasize identifying more short- and long-term strategic risks at all project stages. It may be assumed that further handling/management of some or all strategic risks should not be the responsibility of the project team (Cooke-Davies, 2002). If so, the project must have efficient procedures for identifying and forwarding these risk elements to the appropriate entity. This also implies that identifying these risks may be more important to project success than the identification of many operational risks.


For the purposes of this study, all identified risks were categorized according to their possible impact on the project's objectives. To achieve this, an operational set of criteria was established, making it possible to categorize the risks based on the information in the risk register.

In a study of 1,313 risk elements identified in seven large projects, operational risks made up the majority of the total number (90%). Some possible reasons for this were discussed in this paper, and will be further explored in forthcoming studies. Although strategic risks are not commonly regarded as the responsibility of the project team to manage, it is in the asset owner's interest that projects contribute in identifying strategic risks. This is motivated by the fact that such risks may present major threats or opportunities to the project success.

Further Work

Further studies based on the data gathered in this study should be focused on how risks of different categories are handled in the different projects studied and at different stages of the projects.

Further studies will also be made regarding the involvement of actors outside the project team—in particular, representatives from the project owner (and company management).

Other investigations should be made on the relation to project (budget) size; a “number of risks per million spent” factor may give some insight into the risk management in the different projects. Number and type of risks identified should also be related to the duration of the projects.

All projects in the organization studied here are performed according to a structured decision process model. In this model, the projects are at certain well-defined “decision points” evaluated to decide whether they should be further developed—or whether all further development should be stopped. A study focusing on the number and type of risks identified and relating this to the project's “decision points” is also a candidate for further exploration.

Chapman, C. B., & Ward, S. (2003). Project risk management: processes, techniques and insights. Chichester: Wiley.

Christensen, S., & Kreiner, K. (1991). Prosjektledelse under usikkerhet (“Project management under uncertainty”, In Norwegian). Oslo: Universitetsforlaget.

Cooke-Davies, T. (2002). The “real” success factors on projects. International Journal of Project Management, 20(3), 185–190.

Costa Lima, G. A., & Suslick, S. B. (2006). Estimation of volatility of selected oil production projects. Journal of Petroleum Science and Engineering, 54(3-4), 129–139.

Creswell, J. W. (2003). Research design: Qualitative, quantitative, and mixed methods approaches. Thousand Oaks, CA: Sage Publications.

Duffy, P. J., & Thomas, R. D. (1989). Project performance auditing. International Journal of Project Management, 7(2), 101–104.

Flyvbjerg, B. (2006). Five misunderstandings about case-study research. Qualitative Inquiry, 12(2), 219–245.

Galbraith, J. R. (1977). Organization design. Reading, MA: Addison-Wesley.

Gareis, R. (2005). Happy Projects! Wien: Manz Verlag.

Hartman, F. T. (2000). Don't park your brain outside: A practical guide to improving shareholder value with SMART management. Newtown Square, PA: Project Management Institute.

Hetland, P. W., Sandberg, F. H., & Torsøy, T. (2005). Communicating uncertainties in major projects-a struggle for existence to CEOS and presidents. Paper presented at the Offshore Technology Conference from

Hillson, D. (2003). Using a risk breakdown structure in project management. Journal of facilities management, 2(1), 85–97.

Hillson, D. (2004). Effective opportunity management for projects: Exploiting positive risk. New York: Marcel Dekker.

Jergeas, G. F. (Pending). Why cost and schedule overruns on mega oil sand projects? Project Management Journal, (Approved for Publication).

Jaafari, A. (2001). Management of risks, uncertainties and opportunities on projects: Time for a fundamental shift. International Journal of Project Management, 19(2), 89–101.

Karlsen, J. T. (2001). Håndtering av prosjektets interessenter: En studie av hvilke utfordringer og problemer prosjekter møter : praktisk rapport (“Handling of project stakeholders; a study of the challenges and problems that projects meet” - in Norwegian) Trondheim: Norsk senter for prosjektledelse.

Kerzner, H. (2006). Project management: A systems approach to planning, scheduling, and controlling. Hoboken, NJ: Wiley.

Maytorena, E., Winch, G. M., Freeman, J., & Kiely, T. (2007). The influence of experience and information search styles on project risk identification performance. IEEE Transactions on Engineering Management, 54(2), 315–326.

Miller, R., & Lessard, D. R. (2000). The strategic management of large engineering projects: Shaping institutions, risks, and governance. Cambridge, MA: MIT Press.

Miller, R., & Lessard, D. (2001). Understanding and managing risks in large engineering projects. International Journal of Project Management, 19(8), 437–443.

Mintzberg, H. (1994). The rise and fall of strategic planning. New York: Prentice Hall.

Morris, P. W. G., & Pinto, J. K. (2004). The Wiley guide to managing projects. Hoboken, N.J.: Wiley.

Moynihan, T. (1997). How experienced project managers assess risk. IEEE Software, 14(3), 35–41.

Pinto, J. K., & Slevin, D. P. (1987). Critical factors in successful project implementation. IEEE Transactions on Engineering Management, 34(1), 22–27.

Project Management Institute. (2003). Organizational project management maturity model: OPM3 knowledge foundation. Newtown Square, PA: Author.

Project Management Institute. (2004). A guide to the project management body of knowledge: (PMBOK® guide). Newtown Square, PA.: Author.

Rolstadås, A., & Johansen, A. (2008, May). From protective to offensive project management Paper presented at the PMI Global Congress 2008–EMEA.

Samset, K. (1998). Project management in a high-uncertainty situation: Understanding risk and project management in international development projects. Trondheim: Norwegian University of Science and Technology (NTNU).

Samset, K. (2003). Project evaluation: Making investments succeed. Trondheim: Tapir Academic Press.

Simister, S. J. (2004). Qualitative and Quantitative Risk Management. In P. W. G. Morris & J. K. Pinto (Eds.), The Wiley guide to managing projects (pp. 30-47). Hoboken, N.J.: Wiley.

Taleb, N. N. (2007). The black swan: The impact of the highly improbable. London: Allen Lane.

Westney, R. E., & Dodson, K. (2006). CAPEX VaR: Key to Improving Predictability [Electronic Version]. World Energy Magazine, 9, 8, from

© 2008, Hans Petter Krane
Originally published as a part of PMI Global Congress Proceedings -…. (TBD)



Related Content

  • Project Management Journal

    The Three Secrets of Megaproject Success member content locked

    By Shenhar, Aaron | Holzmann, Vered Past studies have often voiced concern that important megaprojects have repeatedly failed due to extensive overruns, misunderstanding of expectations, or both. In this article, we contend that this…

  • PM Network

    Tapping Out member content open

    By Greengard, Samuel Offshore oil rigs are going offline. Depressed prices, rising operating costs, aging equipment and, most importantly, tapped out wells have all contributed to a perfect storm: the need to…

  • Project Management Journal

    The Successful Delivery of Megaprojects member content locked

    By Locatelli, Giorgio | Mikic, Miljan | Kovacevic, Milos | Brookes, Naomi J. | Ivanisevic, Nenad Megaprojects are often associated with poor delivery performance and poor benefits realization. This article provides a method of identifying, in a quantitative and rigorous manner, the…

  • Project Management Journal

    Innovation Resilience Behavior and Critical Incidents member content locked

    By Oeij, Peter | Dhondt, Steven | Gaspersz, Jeff | Vuuren, Tinka van Project teams carrying out innovation projects are investigated during critical incidents. Earlier, a Team Innovation Resilience Behavior (IRB)-scale was successfully applied to quantitative survey…

  • PM Network

    Worth the Risk member content open

    By Jones, Tegan Every project faces risks that could push it off track. But not all risks are created equal. This year's PMI Project of the Year finalists navigated hurdles that threatened to disrupt entire…