From protective to offensive project management

Abstract

Project risk management focuses on risk analysis at the front end loading. This is a protective strategy leading to higher cost estimates than necessary. An offensive strategy focusing on both opportunities and threats can be obtained by considering simultaneously the three dimensions of project risk (level of detail, time, and type of risk). Seven challenges in going from a protective to an offensive strategy are developed and discussed in relation to two cases. This shows a difference between current practice and literature findings. There are research opportunities in further studying the influence and the management of the strategic and contextual risks.

Introduction

Large and complex projects often draw attention in the mass media. Unfortunately, this is less focused on technical achievements, but on cost or schedule overruns. This public attention creates a pressure to exactly forecast the cost of a project.

The cost of a project is a figure carrying uncertainty. No one can exactly predict what is going to happen in a project. Any project carries a risk. This is inherent in the dynamic nature of a project. Wysocki (1995) related this to the cost-time-resources triangle and talked about scope, hope, effort and feature creep.

Fortunately, there are numerous techniques available for assessing, analysing, and managing risk, and project risk management is one of the nine key knowledge areas defined by the Project Management Institute in its standards (PMI, 2004).

Risk management is included in every large and complex project, but at different levels and with different scope and ambitions. The project owner or sponsor wants to avoid a financial loss or deviation and thus depends on adequate risk analysis. The project manager is using risk management approaches to create awareness about uncertainty and risk, and in this way, control the project performance.

Managing risk should be part of any project planning and execution. However, it is mainly applied in development and construction projects and mainly for large projects (which can be seen from a study under development amongst a number of Norwegian projects). For smaller projects the consequences of unforeseen events and project development is smaller and easier to accept. However, in a professional project management world all projects should include project risk management.

Several authors have published risk management approaches (Chapman & Ward, 2003; Gareis, 2005; Hartman, 2000; Kerzner, 2002; Morris & Pinto, 2004). The classical approach to project risk management normally contains four to six steps. PMI defined an approach using 6 processes (PMI, 2004, p. 237): Risk Management Planning; Risk Identification; Qualitative Risk Analysis; Quantitative Risk Analysis; Risk Response Planning; Risk Monitoring and Control. The underpinning idea is to identify risk factors, evaluate and analyse them, and finally, try to manage them. The analysis may be purely qualitative or quite sophisticated and quantitative.

The classic approach focuses on predicting as accurately as possible what is going to happen and tries to establish a kind of bandwidth within which one can expect project deviations. In this world, front end engineering becomes important, and sophisticated tools for assessing and analysing risk are frequently applied. The focus on front end loading for assessing risk is supported by several authors (Hilson, 2004; Samset, 2001). We will refer to such an approach as “protective.” The purpose is to protect the owner from a financial loss by trying to predict the future. Recently there has been a stronger trend to consider opportunities arising from uncertainty in projects (Hilson, 2004). One has started to distinguish between negative and positive risk. Hartman (2000) developed a 2x2 matrix with risk and complexity on the two axes. He claimed that traditional risk management deals with small risk and small complexity. If complexity is increased, there will be stronger focus on structure. If risk is increased, there will be stronger focus on flexibility. He also argued that the future project will be high-risk and high-complexity and that this will require an approach that he called SMART (Strategically Managed, Aligned, Regenerative work environment, Transitional management). In our opinion, such projects will benefit from an offensive project management approach.

Seeking opportunities means that one may be moving away from the protective approach and taking a step toward a more “offensive” project management. This moves decisions points from the front end toward the back end. For example a decision on some process equipment may be made quite late in the project, allowing the project to take advantage of technology development that might (or might not) happen during the project life. Freezing the decision on equipment at the front end stage gives predictability, but misses the opportunity of the upside created by the technological development. Some authors refer to such an approach as agile project management (Highsmith, 2004).

We will discuss how improved risk management can contribute to a more offensive approach to managing projects. We will discuss applications in light of three dimensions of project risk management, and we will define seven challenges in moving from protective to offensive approaches. They will be discussed related to two cases that we have chosen.

Definitions

Although uncertainty and risk are two different terms, there exists a great deal of confusion concerning them. There are conflicting definitions found in different literature.

In this paper, uncertainty is defined as “a state of having limited knowledge where it is impossible to exactly describe existing state or future outcome” (Wikipedia, 2008). There are other definitions focusing on more than one possible outcome or the gap between needed and available information (Torp & Karlsen, 2007). Uncertainty is connected to an event. It may be a desired or a non-desired outcome of the event. Uncertainty can be expressed by the probability of the outcome (discrete) or as a probability density function (continuous).

Risk is defined by PMI as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives’” (PMI, 2004, p. 373). Risk is usually calculated as the probability of a desired outcome multiplied by the consequences if that outcome should occur. According to PMI's definition, risk can be both positive and negative. Often, positive risk is referred to as “opportunity.” Risk can mean negative risk, but it can also mean both positive and negative risk (according to the PMI definition). This is confusing, and the authors will in this paper use risk as a term covering both negative and positive risk. Positive risk is referred to as “opportunity” and negative risk as “threat.” Risk is thus a term covering both opportunities and threats.

The Three Dimensions of Project Risk Management

Uncertainty, and consequently risk, follow the project throughout the life cycle. The uncertainty may vary over the timespan of the project. Many authors claim that the uncertainty is largest at the front end, and then is gradually reduced toward the end of the project (Samset, 2001). The main point is, however, that uncertainty and risk may vary over time.

Risk analyses may be made at different levels of detail. In some cases, it is sufficient to identify the major risk factors at an aggregate level and assess their impact. In other cases, it is necessary to break the project down to small work packages and perhaps do a Monte Carlo simulation to assess the risk.

Normally, when we talk about risk, we think about the operational risk. Operational risk is connected to internal circumstances in the project and can be controlled by the project team. This may be resource variations, productivity, coordination, team spirit and culture, and so forth. Some authors also refer to this as tactical risk (Westney & Dodson, 2008). These authors also introduce the term strategic risk. Strategic risk is the prospective impact on earnings or capital from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. It is beyond the control of the project team, but may be controlled by the project owner or sponsor. It is a function of the compatibility of an organisation's strategic goals, the business strategies developed, the resources deployed, and the quality of the implementation.

In addition to operational and strategic risk, there is contextual risk. This is risk connected to circumstances outside the project that may influence the scope of work and the performance of the organisation. Examples are competing projects, change in ownership and management, legislation and governmental directives, media attention, extreme market conditions, accidents, and so forth. Contextual risk also includes black swans. A black swan meets three criteria: it is an outlier, it carries extreme impact, and human nature makes us concoct explanations for its occurrence after the fact, making it seem explainable and predictable (Taleb, 2007).

Exhibit 1 – The Three Dimensions of Project Risk

The time, the level of detail, and the type of risk constitute what the authors refer to as “the three dimensions of project risk.” This is illustrated in Exhibit 1. The authors will claim that most projects have a major focus on only one of the dimensions: the level of detail. Risk analysis is usually executed during the pre-study or the planning phase (front end loading), but often is not maintained and managed over time. Most risk analysis is directed toward managing the operational risk. The contextual risk is often neglected. Offensive project management takes all three dimensions into account.

It is well accepted that risk varies over time. Most authors discuss operational risk and paint a picture where it is gradually reduced to zero as indicated by the blue area in Exhibit 2. We have also indicated the strategic and contextual risks. It is important to note that the strategic and contextual risks will have a residual value at the project end. This residual value can not be eliminated by a protective risk management strategy trying to predict the future.

Exhibit 2 – Risk Development over Project Life

In addition to the three dimensions, there are two different perspectives for risk in a project: the owner perspective and the contractor perspective. The owner has the overall responsibility for the project charter and for approval (at a high level) of design, approach, and plans (Andersen, 2005). The contractor is responsible for the execution of the project and the delivery of the project results. The relationship between the owner and the contractor is regulated through a contract comprising a contract format and a pricing format (Rolstadås, 2006).

The owner and the contractor may carry different risks in a project. For example, the reliability and performance of the contractor may be a risk for the owner, and the feasibility of the fabrication technology may be a risk for the contractor. The owner and contractor may also share risk in a project. This is typical for handling and compensation of variations dependant on the contract and the pricing format. Finally, a risk for the owner may turn out to be an opportunity for the contractor. This is the case if for some reason, the owner must make substantial changes to the work scope, or if there are errors in the design provided to the contractor as part of the contract. In both cases, the contractor is in a strong position to negotiate time and cost compensation.

Seven Challenges in Moving from Protective to Offensive Risk Management

The discussion above shows that there is a major incompleteness in the way risk is managed. The typical strategy is protective trying to develop a robust plan and minimize risk exposure and sensitivity at the front end. To move from a protective to an offensive management strategy, seven challenges can be defined:

1. Include all three types of risk. In addition to operational risk, both strategic and contextual risk should be taken into account in identifying and analysing risks and opportunities. Failing to do so will probably result in underestimation such as described by Flyvbjerg (2003).
2. Manage risk throughout the project life. Risk analysis made during front end loading should be maintained and updated at all decision gates. Focusing on operational risk at the front end will tend to give estimates that are too high.
3. Go beyond the project perspective. Risk analysis is most often made for the execution of the project and seen from the project manager's point of view. However, the owner also carries a risk, which may part of the same risk the contractor carries, but also may be different. A risk for a contractor may be an opportunity for the owner, and vice versa. This is also true for other stakeholders in the project than the owner and the project organisation.
4. Use risk management to capitalise on opportunities. Often risk analysis is focused only on negative risk. Empirical evidence for this has been published by Olsson (2007). Moving to offensive risk management strategies involves focusing on the opportunities and using their uncertainty to improve project delivery.
5. Avoid risk-averse strategies from the project organisation. Whereas the project may be established for a complex task, one may find that the project organisation may try to maximize its benefits by focusing on closeout in order to reduce risk and succeed.
6. Place decision points as late as possible. Late decisions create opportunities for benefiting from development during project execution. It may increase risk, and it requires that the project team members have the necessary trust. The tight control regime has to be broken.
7. Develop project risk maturity in the organisation. There has been much focus on organisational project maturity (PMI, 2003, Shenhar & Stefanovic, 2006). Risk management is of course included in such models. The authors will, however, argue that risk needs additional attention, and that it should be supported by special competence development programs.

These challenges correspond to a set of six dilemmas published by Langlo, Johansen, and Olsson (2007):

1. Some uncertainties can be treated as a risk by a project organisation, while the same uncertainties can be treated as opportunities by the project owner. (This dilemma corresponds to challenge 3.)
2. While a line organisation often initiates a project master in a more complex environment or situation than normal, the project organisation itself often uses a closeout strategy to minimise risk. (This dilemma corresponds to challenge 5.)
3. Tangible project uncertainty is prone to underestimation. (This dilemma corresponds to challenge 1.)
4. In order to maximise chances to be perceived as successful, it will in the early phase often actively work to widen its financial frames and to obscure its goals. (This dilemma corresponds to challenge 4.)
5. In order to maximise benefit or return on investment in a life cycle perspective, you need to understand the project and its complexity in both totality and detail. (This dilemma corresponds to challenge 2.)
6. When intervening in a project uncertainty management, there is a potential danger for a project owner to take over the responsibility of the project manager. (This dilemma corresponds to challenge 3.)

Case Descriptions

Two cases have been selected to verify these seven challenges. We now describe these two cases. In the next section, we will discuss how they relate to the challenges.

The first case is the construction of a new university hospital in Trondheim, Norway (St. Olavs Hospital). Plans for this were made in 1991 and approved by the Norwegian Parliament in 1993. In 2002 the parliament decided to build the hospital at its current location. The first phase, consisting of four centres (90,000 m²), was completed in 2006. Phase 2, consisting of six centres is scheduled for completion in 2013/2014.

Early on, the project organisation understood the complexity of the project. One could not construct a futureoriented agglomeration of buildings on the location of an existing hospital without influencing the operation and effectiveness of the old hospital. It was in fact at least three separate projects: construction of the ten centres, implementation of the ICT systems, and integration of the ten centres. The risk management had to reflect this complexity.

An iterative approach was decided, splitting the project into two phases with smaller contracts rather than larger EPC contracts. An interaction-based contract model was implemented. In phase 1, the contracts were successively awarded building on experience from previous contracts. Uncertainty analyses were carried out for each contract, and control limits and schedule/cost contingencies defined at contract, project, and management levels. These limits and contingencies allowed each organisational level to use opportunities and handle threats as they emerged. Phase 2 was run as an interaction for the five centres using a contractor/operator model. Risk management training has been given throughout the planning and construction phases.

This approach has allowed the project to use time as a flexible cost saving variable. The contract model has enabled successive planning of each contract, drawing on experience and updated information. Had EPC contracts been used, the opportunities to make adjustments as the project evolved would have been reduced. The model allows flexibility, but also carries higher risk.

The second case is the construction of a new building block for the Norwegian government in Oslo, Norway. The government is extending its office area, and has decided to erect three new buildings for new offices for two ministries. One building will be demolished and replaced, one has antiquarian value and will be renovated, and the third is to be partially renovated. The construction area is situated in a sensitive agglomeration of buildings, thus involving a number of stakeholders with strong interests to negative consequences of the new building and the reconstruction. The project started its preparations in 2006. The Directorate of Public Construction and Property (Statsbygg) is responsible for execution of the project. Total cost is estimated at 870 million NOK.

Risk management for this project started different from traditional projects at Statsbygg since it is very complex and challenging. Political influence is strong, as the government has an interest in co-locating the two ministries. The colocation is vulnerable to changes in government, and completion of the building is therefore politically important. The project decided to bring in all stakeholders as early as possible in the process of defining needs, goals and specifications. First, all stakeholders contributed in creating a stakeholder map and defining their requirements and expectations. Then they developed a layer to the map showing the influence of each stakeholder at different phases and milestones along the timeline. In this manner each stakeholder obtained an understanding of the other stakeholders' requirements. In this way the project created ownership and a positive attitude within and between the stakeholders. They learned to see the opportunities that the project will open. So far, this has proved to be a solid foundation for further progress.

A process for managing risk has been developed. This includes weekly monitoring of the operational risk and biannually evaluating the strategic and contextual risks. The cost and schedule uncertainty is reassessed every year. The tools for managing risk include an uncertainty log (an intranet-based bulletin board where goals, opportunities and threats are updated continuously) and monthly risk reports at the same level as schedule and cost reports.

Discussion and Conclusions

In the listing below, we have shown how the seven challenges have been addressed in the two cases. Exhibit 3 shows to which degree they have been successfully managed. We have used a scale from 1 to 5 where 1 represents “not at all” and 5 represents “very well.”

1. Include all three types of risk.
   • St. Olavs Hospital. There was a strong focus on operational risk in the monthly progress reports. Strategic and contextual risks were discussed in the biannual reports and in connection with the annual budget updates.
   • Government building block. The operational and contextual risk was focused on in front end risk analysis. Strategic risk has been handled by the internal owner in Statsbygg.
2. Manage risk throughout the project life. Risk has been actively addressed throughout the project life for both projects.
3. Go beyond the project perspective.
   • St. Olavs Hospital. LCC analysis has been used to decide on effective operational solutions.
   • Government building block. Stakeholder management and risk management have been integrated into one system. This has promoted cooperation strategies and enabled forms for managing risk.
4. Use risk management to capitalise on opportunities.
   • St. Olavs Hospital. A number of seminars focused on opportunities and coordination throughout phase 1. An experience transfer seminar has been held in going from phase 1 to phase 2.
   • Government building block. Opportunities have been focused on from day 1.
5. Avoid risk aversive strategies from the project organisation.
   • St. Olavs Hospital. The organisation tried to lock the project to one location. This created problems when the Government later decided to explore alternative locations.
   • Government building block. The project has decided to communicate a 35/65 probability estimate and at the same time focused an open process toward the owner. This has prevented risk-averse strategies.
6. Place decision points as late as possible.
   • St. Olavs Hospital. This has been obtained through the successive construction program.
   • Government building block. The Norwegian Quality Regime, focusing on detailed risk analysis at the front end, has partly prohibited this.
7. Develop project risk maturity in the organisation.
   • St. Olavs Hospital. There has been extensive training and risk management has been implemented at all levels.
   • Government building block. The project is a pilot in a risk management development project.

Exhibit 3 – Degree of Success in Managing Challenges (1=Low, 5=High)

The discussion above shows that current industrial practice deviates somewhat from what is published in project risk management literature. Current practice shows that many of the challenges found from studying the literature have been partly met in real life. Of course, it is premature to draw reliable conclusions based on two cases. However, they serve well as indications. Only the challenge of avoiding risk aversive strategies has not been well met.

Based on this, we see research opportunities in further studying the influence and management of strategic and contextual risks, and in developing guidelines for setting the reference frame and capitalizing on opportunities.