Interactions-based risk network simulation for project risk prioritization

Franck Marle, Associate Professor, Laboratoire Genie Industriel, Ecole Centrale Paris, France


As projects have higher stakes and are more than ever exposed and averse to risk, project risk management becomes crucial and indispensable. The investigation of current methodologies demonstrates their limits for managing complexly interacted risks in project. This paper presents the method of modeling an interactions-based project risk network, which includes identification of risk interactions through design structure matrix and expertise, evaluation of risk interactions through analytic hierarchy process and experience, and modeling in the simulation environment of Arena software. Experiments are designed to simulate propagation behaviors in the risk network; and risks are prioritized according to different simulated indicators, namely risk frequency, consequences of risk and risk criticality.

The risk prioritization results in simulation are analyzed and compared with those in classical methods. We find that the occurrence probability and the impact of some risks are underestimated in classical methods because they do not take into account risk interactions and risk propagation in the project risk network. The prioritization results vary according to different indicators. The shift of risk prioritization provides alternative understanding of risks and changes the planning of mitigation actions for risk management. Sensitivity analysis is performed to reduce the uncertainty of evaluated input parameters of the simulation model and to discuss the reliability of risk prioritization results. A case study in the entertainment industry is implemented to illustrate the steps and results of this method.

Keywords: risk interaction, complex network, simulation, risk propagation, risk prioritization


Introduction of Project Risk Management

A project is a temporary and unique endeavor undertaken to deliver a result. This result is always a change in the organization, whether in its processes, performance, products, or services. The transformation is thus a gap between an initial state and a final state. The expected final state is better than the initial one, but the uncertainty of the future makes it risky. Each project is unique because at least one of the following parameters always changes: targets, resources, management, methods, tools, and context. Uniqueness thus makes it difficult to learn from past projects and increases risk.

For several decades, projects have become more and more present in organizations; they involve larger and larger stakes and face growing complexity (of both their structure and context). Consequently, the risks associated with these projects have grown in number and global impact, and are sometimes undetectable. It is no longer possible to run projects without a specific and rigorous methodology, for project management as a whole and notably for project risk management.

From the birth of project management, the notion of risk has grown within the field, even if there are still many theoretical problems and implementation gaps. In practice, the growing interest in risk management is often driven by changes in law and regulation. Society is more risk averse, and stakeholders increasingly ask for risk management in order to cover themselves against financial or legal consequences. People can be held accountable during or after the project for safety, security, environmental, commercial, or financial issues. Everybody has to manage their own responsibility and their own risks. That is why it has become more and more important to manage project risks effectively and efficiently, in order to give project stakeholders greater assurance of success and comfort, or at least to warn them of possible problems or disasters.

Classical Steps of Project Risk Management (adapted from the benchmark study [Marle, 2008])

According to (Raz & Hillson, 2005), “the origins of operational risk management can be traced to the discipline of safety engineering” (p. 53). Modern risk management has evolved from this concern with physical harm that may occur as a result of improper equipment or operator performance. Lots of risk management methodologies and associated tools have been developed, with qualitative and/or quantitative approaches, often based on the two concepts of probability and impact (or gravity) of the risky event. As for that, the Project Management Institute (PMI), in its worldwide standard A Guide to the Project Management Body of Knowledge (PMBOK® Guide)—Third Edition (PMI, 2004), describes project risk management objectives as “to increase the probability and impact of positive events, and decrease the probability and impact of events adverse to the project” (p. 237). Other processes aim at increasing the success probability. As a consequence, various risk management methodologies have been developed: Some standards have indeed developed risk management methodologies, which are specific or nonspecific to project context (Association française de Normalisation [AFNOR], 1997, 1999; Association for Project Management [APM], 1996; British Standards Institution [BSI], 2002; International Electrotechnical Commission [IEC], 1995; Institute of Electrical and Electronic Engineers [IEEE], 2001; International Project Management Association [IPMA], 2006; PMI, 2004).

The classical project risk management process is usually divided into four major phases: risk identification, risk analysis, risk response planning, and risk monitoring and control.

Risk identification. Risk identification is the process of determining events that, should they occur, could affect project objectives positively or negatively. Risk identification methods are classified into two different families:

  1. Direct risk identification: The most classical tools and techniques are diagnosis and creativity-based methods, for assessment of present or future situation.
  2. Indirect risk identification: The other way to identify risks is to collect data about problems that occurred during previous projects since problems of the past may be risks of the future.

This step normally generates a list of risks. The number of risks in this list may vary from a few tens to a few hundred, according to the scale and dimension of the project.

Risk analysis. Risk analysis is the process of evaluating and prioritizing risks, essentially according to their characteristics like probability and impact. Criticality is another characteristic with which risks are prioritized. It is generally a combination of probability and impact, or is simply defined as the product of them. As shown in Table 1, it enables us to classify risks into three categories: high risk, moderate risk, and low risk.

Table 1. Definition of Probability, Impact, and Criticality Reference Scales

There are two main types of risk analysis, which are discussed hereafter: qualitative and quantitative analysis.

Qualitative analysis. It is the process of assessing by qualitative means the probability and impact of each risk. It assists in risk comparison and prioritization. It is applied when parameters are difficult to calculate, using qualitative scales like those in Table 1: from very low to very high, or from 1 to 5, for instance.

Quantitative analysis. The main difference from qualitative analysis is the possibility of giving a quantitative value to a risk, regarding its probability and/or its gravity. For instance, the probability of rolling a “1” with a six-sided die is 1/6. The probability of a risk may sometimes be calculated from previously collected data, as long as the size of the data sample is statistically significant. Risk probability and impact are then assessed on a quantitative scale: €23,500, 3 weeks delay, 92% of occurrence, etc. Quantitative analysis principally consists of data gathering and data treatment. Because it has a higher cost, it is often conducted after a qualitative analysis, in order to refine or validate some assumptions.

Risk response planning. The process of risk response planning aims to choose actions in order to reduce global risk exposure with least cost. It addresses project risks by priority, defining actions and resources, associated with time and cost parameters. Almost every method mentions the same possible treatment strategies, including the following:

  • Avoidance,
  • Probability or impact reduction (mitigation), including contingency planning,
  • Transfer, including subcontracting and insurance buying, and
  • Acceptance.

In the cases when the method includes the opportunity concept, the same strategies exist, but with opposite names: exploitation, probability or impact enhancement, and risk sharing. The method of acceptance does not change.

Risk monitoring and control. Risk monitoring and control is, according to the PMBOK® Guide—Third Edition (PMI, 2004), the ongoing process of “identifying, analyzing and planning for newly arising risks, keeping track of the identified risks and those on the watch list, reanalyzing existing risks, monitoring trigger conditions for contingency plans, monitoring residual risks, and reviewing the execution of risk responses as well as evaluating their effectiveness” (PMI, 2004, p. 264).

Current Methodologies on Risk Interactions

Project risk management is more important than ever to the success of a project. With the many methodologies and the experience developed by researchers and project managers, some risks can currently be identified and managed (Chapman & Ward, 2003).

In the field of project risk management, many current methodologies independently evaluate risk's characteristics and focus on individual analysis of risks. Risks are listed and ranked upon one or more parameters in these methods and tools (Baccarini & Archer, 2001; Ebrahimnejad, Mousavi, & Seyrafianpour, 2010). For example, as shown in Table 2, a typical project risk list can exhibit each individual risk and its category or nature.

Table 2. Typical Project Risk List in Classical Methods

| No. | Risk Title | Category |
|---|---|---|
| R1 | Low budget | Cost and time |
| R2 | Law and regulations infractions | Contracts |
| R3 | Low communication and advertising | User/customer |
| R4 | Unsuitable cast | Organization |
| R5 | Unsuitable ticket price setting | Strategy |
| R6 | Unsuitable rehearsal management | Controlling |
| R7 | Cancellation or delay of the first performance | Cost and time |
| R8 | Poor reputation | User/customer |

A two-dimensional diagram, as shown in Figure 1, can visibly demonstrate characteristics of risks. Generally, these methods do not take into account the subsequent influence of risk and could not represent the interactions between risks.

Figure 1. Diagram of Risk Probability and Impact

Some methods include cause-effect links, but are still focused on a single risk (Carr & Tah, 2001; Heal & Kunreuther, 2007). The result often has a tree structure. To understand a risk, it is helpful to identify its causes as well as its effects. A number of methods include this principle, but they focus on a single risk with multiple causes and multiple consequences in order to simplify the problem. As the tree structure in Figure 2 shows, the causes and effects of one particular risk can be displayed, but the model is still single-risk oriented and unable to capture complex risk interactions completely. For example, scenarios such as a “loop” cannot be represented.

Figure 2. Tree Structure Model Could Not Manage Complex Interactions

Few specific methods model relationships in a network structure. Several papers about Bayesian belief networks (BBN) have appeared in recent years in the field of project risk management (Fan & Yu, 2004; Lee, Park, & Shin, 2008); these can model risk interrelations, from multiple inputs to multiple outputs, as shown in Figure 3. Nevertheless, a BBN is not suited to a large risk network, because the conditional probability distribution of each node is complex to acquire and requires a large amount of data to train the parameters. More importantly, a Bayesian network requires oriented links and is inherently acyclic, so it cannot model a loop, although loops do exist in project management and can be disastrous in realistic situations. These methods are therefore not practical and, in some cases, fail to reflect the real complexity of relationships among risks.

Figure 3. A Bayesian Belief Network for Large-Scale Shipbuilding Companies (Lee, Park, & Shin, 2008)

Research Problem and Objectives

With existing methodologies, individual risks can be identified and analyzed independently. However, projects are at present facing a growing complexity, of both their structure and context. Besides organizational and technical complexity, project managers have to consider increasing parameters both inside and outside the project. The growing complexity of projects induces the complexly interacted risk network, as Figure 4 illustrates (Marle, 2008). For instance, there might be propagation from one “upstream” risk to numerous “downstream” risks; on the other side, a downstream risk may arise from the occurrence of several upstream risks, which are perhaps in different categories. The extreme of this phenomenon is the famous “domino effect.” Another phenomenon is the existence of chain reaction or loop. An example of loop is that one original risk—delay of time—may have an impact on a cost overrun risk, which will influence a technical risk, then propagate and amplify the original risk of schedule delay. Figure 5 demonstrates a typical loop situation. Amplifying chain reaction in loops is a great danger during projects, and it is even more complicated to understand since the nature of risks within the loop is likely to be different.

From what has been discussed previously, we can conclude that project risks interact in complex ways within a network. As a result, classical methods of project risk management have limitations in the face of the increasing complexity of projects.

Figure 4. Complexity of Project and Project Risks (Marle, 2008)

Figure 5. An Example of Loop Phenomenon of Risk Interactions

To manage a project with complexly interrelated risks, it is important to integrate the multiple dimensions of risks, including classical characteristics like probability, impact, and nature, and also to bring risk interactions into project risk management. Risk interactions must be taken into account and be analyzed in order to make decisions that are more reliable.

The first step is to identify potential interactions between risks. This is a binary identification of a potential cause and effect relationship between two events. This is done using a risk-risk matrix, called risk structure matrix (RSM).

The second step is to assess the strength of each interaction identified in step 1.

The third step is to model the network based on risk interactions in the simulation context with the software Arena.

The fourth step is to design simulation experiments that will be run in order to test different parameters and to anticipate different propagation scenarios.

The fifth step is to analyze simulation results for the sake of mitigation plan (or response plan), that is to say, where are the changes in terms of risk assessment or risk ranking, and where are the mitigation possibilities in terms of actions.

Two innovations exist in step 5: (1) the classical mitigation actions, but applied on risks with different values (simulated values may be different from initial values); and (2) the non-classical mitigation actions, which consist of mitigating propagation links, instead of mitigating risk occurrence.

A sensitivity analysis is run in order to estimate the propagation of assessment errors in our simulation model. This research aims to provide project managers with behavior anticipation in risk network and risk prioritization for mitigation action planning.

The “Interactions-Based Project Risk Network” section presents the methods of building the project risk network, including steps 1 and 2, and the section titled “Simulation Model and Experiment Design” presents steps 3 and 4. “Analysis of Simulation Results” compares the results of simulation with classical methods in project risk management, and analyzes the risk prioritization results (step 5). Finally, we conclude and discuss the implications and perspectives of this research.

Interactions-Based Project Risk Network

Introduction of the Case Study

The classical steps of risk identification and risk analysis are the inputs of our work. Different methods exist in the literature and industry, but it is not within our scope to work on them. We apply our risk management process by using their results, such as the list of risks with their values. Classical methods in project risk management study individual project risks. Project risks are identified and evaluated qualitatively through expertise and previous experience.

A case study in the entertainment industry is implemented. The chosen project is a classical musical play in Paris, France. The original project risk list of this project has been acquired and is shown in Table 3. This list comprises 20 potential risks in this musical play project, and displays their characteristics including nature, estimated probability, and gravity scale of risks, as well as criticality.

This case will be studied throughout this paper to illustrate each step of risk management process.

Table 3. Original Project Risk List with Characteristic Values of the Case Study

| ID | Risk Name | Nature | Criticality | Probability | Gravity | P*I |
|---|---|---|---|---|---|---|
| R01 | Low budget | Cost and time | Unacceptable | 8 | 7 | 56 |
| R02 | Law and regulations infractions | Contracts | Unacceptable | 7 | 5 | 35 |
| R03 | Low communication and advertising for the show | User/customer | Unacceptable | 8 | 9 | 72 |
| R04 | Unsuitable cast | Organization | Unacceptable | 5 | 9 | 45 |
| R05 | Unsuitable ticket price setting | Strategy | Unacceptable | 7 | 6 | 42 |
| R06 | Unsuitable rehearsal management | Controlling | Acceptable | 3 | 8 | 24 |
| R07 | Cancellation or delay of the first performance | Cost and time | Unacceptable | 5 | 8 | 40 |
| R08 | Poor reputation | User/customer | Acceptable | 3 | 7 | 21 |
| R09 | Lack of production teams organization | Organization | Acceptable | 4 | 6 | 24 |
| R10 | Low team communication | Organization | Acceptable | 3 | 6 | 18 |
| R11 | Bad scenic, lighting and sound design | Technical performance | Negligible | 2 | 7 | 14 |
| R12 | Bad costume design | Technical performance | Acceptable | 3 | 8 | 24 |
| R13 | Low complicity between cast members | Technical performance | Acceptable | 3 | 7 | 21 |
| R14 | Too ambitious artistic demands compared to project means | Requirements | Acceptable | 7 | 2 | 14 |
| R15 | Few spectators / Lukewarm reception of the show | User/customer | Acceptable | 2 | 9 | 18 |
| R16 | Technical problems during a performance | Technical performance | Acceptable | 4 | 5 | 20 |
| R17 | Low cast motivation | Organization | Negligible | 2 | 4 | 8 |
| R18 | Childish direction (unsuitable for family audiences) | Strategy | Negligible | 2 | 5 | 10 |
| R19 | Low creative team leadership | Controlling | Unacceptable | 3 | 10 | 30 |
| R20 | Low creative team reactivity | Controlling | Negligible | 2 | 2 | 4 |

Identification of Risk Interactions

Identification is the first step to determine and establish the cause-effect relationship between risks. Exploring other tools of project management assists in identifying risk interactions. The design structure matrix (DSM) method was introduced by Steward (1981) with tasks and was initially used essentially for planning issues (Eppinger, Whitney, & Gebala, 1992). Ever since then, it has been widely used with other objects, like product components, projects, and people (Browning, 2001; Danilovic & Browning, 2007; Eppinger & Salminen, 2001; Sosa, 2008; Sosa, Eppinger, & Rowles, 2004). As for our research, we propose to use the concept of DSM for other objects, which are risks, in the context of project management. The interrelation matrix of project objects, such as tasks, actors and other different components in project, can facilitate identifying the interrelations of risks related to these objects.

Figure 6 displays the formation of DSM. It is used to relate entities of one kind to each other, for example, the tasks that constitute a complete project, and it can be used to identify appropriate teams, work groups, and an ideal sequence of how the tasks can be arranged (DSM-Community, 2009). In a similar way, domain mapping matrices (DMM) introduced by Danilovic and Browning (2007) and multiple-domain matrix (MDM) introduced by Biedermann and Lindemann (2008) are helpful to identify risk interactions across different domains of project.

Figure 6. Illustration of DSM (DSM-Community, 2009)

In our research, we define risk interaction as the existence of a possible precedence relationship between two risks Ri and Rj. We define the binary risk structure matrix (RSM) as the square matrix with RSMij = 1 when there is an interaction from Rj to Ri. It does not address issues about probability or impact assessment of this interaction. The RSM can get exhaustive and consistent information about interactions between risks, as we put a sanity check between Ri and Rj. If Ri declared Rj as a cause, but Rj did not declare Ri as a consequence, then there is a mismatch. Each mismatch is studied and solved, like analogous works by Sosa about interactions between actors (Sosa, Eppinger, & Rowles, 2004).

Based on the classical project risk list in Table 3, with the help of DSM method along with expertise, risk structure matrix of the case study is built and shown in Figure 7, which represents the identified risk interactions.

Figure 7. Risk Structure Matrix of the Case Study

There are three types of relationship between each pair of risks. These types could be recognized clearly in a re-ordered RSM through some partitioning process (Steward, 1981).

  • Dependent: risks are engaged in a potential precedence relationship.
  • Interdependent: risks are engaged in mutually dependent relation, directly or within a bigger loop.
  • Independent: risks are basically non-related.
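The sanity check and the three relationship types described above can be sketched as follows. This is an added example, not code from the paper: the declarations are constructed, the function names are hypothetical, and it assumes that a precedence relationship may run through a path of several links.

```python
from itertools import combinations

def build_rsm(risks, declared_causes, declared_effects):
    """Return (rsm, mismatches), with rsm[i][j] = 1 for an interaction Rj -> Ri."""
    index = {risk: k for k, risk in enumerate(risks)}
    # Every declaration becomes a (cause, effect) pair.
    by_effect_owner = {(c, e) for e, causes in declared_causes.items() for c in causes}
    by_cause_owner = {(c, e) for c, effects in declared_effects.items() for e in effects}
    # A link declared from one side only is a mismatch to be studied and solved.
    mismatches = sorted(by_effect_owner ^ by_cause_owner)
    rsm = [[0] * len(risks) for _ in risks]
    for cause, effect in by_effect_owner & by_cause_owner:
        rsm[index[effect]][index[cause]] = 1
    return rsm, mismatches

def reachability(rsm):
    """reach[a][b] is True when a chain of links leads from risk a to risk b."""
    n = len(rsm)
    reach = [[bool(rsm[b][a]) for b in range(n)] for a in range(n)]
    for k in range(n):              # Warshall's transitive closure
        for a in range(n):
            if reach[a][k]:
                for b in range(n):
                    if reach[k][b]:
                        reach[a][b] = True
    return reach

def classify_pairs(risks, rsm):
    """Label each pair of risks dependent, interdependent or independent."""
    reach = reachability(rsm)
    kinds = {}
    for a, b in combinations(range(len(risks)), 2):
        forward, backward = reach[a][b], reach[b][a]
        if forward and backward:
            kind = "interdependent"   # both lie on a common loop
        elif forward or backward:
            kind = "dependent"        # precedence in one direction only
        else:
            kind = "independent"
        kinds[(risks[a], risks[b])] = kind
    return kinds

# Constructed declarations for five risk IDs; not the case study's real RSM.
RISKS = ["R01", "R07", "R11", "R16", "R20"]
DECLARED_CAUSES = {   # effect -> causes named by the owner of the effect
    "R11": ["R01"], "R07": ["R11", "R16"], "R01": ["R07"], "R16": ["R11"],
}
DECLARED_EFFECTS = {  # cause -> consequences named by the owner of the cause
    "R01": ["R11"], "R11": ["R07"], "R16": ["R07"], "R07": ["R01"],
}

RSM, MISMATCHES = build_rsm(RISKS, DECLARED_CAUSES, DECLARED_EFFECTS)
PAIRS = classify_pairs(RISKS, RSM)

if __name__ == "__main__":
    print("mismatches to review:", MISMATCHES)
    for pair, kind in PAIRS.items():
        print(pair, kind)
```

Only links confirmed from both sides enter the matrix; the unconfirmed R11 to R16 link is returned for review instead of being silently accepted or dropped.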

The nature of interactions can also be classified into several categories. Research on this subject has appeared in some papers, for example, ALOE model developed by Vidal and Marle (2008) defined different kinds of relationship of links between risks.

  • Hierarchical link,
  • Contribution link,
  • Sequential link,
  • Influence link, and
  • Exchange link.

Several links with different natures might exist between two risks. They are all expressed with potential causal relation.

Evaluation of Risk Interactions

Evaluation is the process of measuring or estimating the interrelation between risks. An analytic hierarchy process-based assessment of risk interactions is developed to get numerical values, and to measure the strength of these risk interactions. The analytic hierarchy process (AHP) developed by Thomas Saaty (1997, 1980, 2000, 2003) is a multi-criteria decision-making method based both on mathematics and human psychology. It notably permits the relative assessment and prioritization of alternatives. The AHP is based on the use of pairwise comparisons, which lead to the elaboration of a ratio scale.

The presence of “1” in the binary RSM expresses the existence of a possible precedence relationship between risks Ri and Rj. RSMij = 1 implies two different possible ways to address the situation, as this can be seen either as a possible risk input of Ri coming from Rj, or as a possible risk output from Rj reaching Ri. As in (Chen & Lin, 2003) for design tasks, we argue that these two visions should be combined, considering both the causes (inputs) and the effects (outputs). That is why we argue for a two-way comparison methodology to achieve the pairwise comparisons of project risks. First, the risks are evaluated regarding their contribution to any Rk in terms of risk input (comparison on rows). In other words, for every pair of risks that are compared, the user should assess which one is more important to risk Rk in terms of probability of being a risk input (i.e., a cause) for risk Rk. Numerical values are obtained using traditional Saaty scales. Then, the same process is used for risk outputs (comparison on columns). The combination of eigenvectors makes it possible to build two square matrices that we name NEM (numerical effect matrix) and NCM (numerical cause matrix). Indeed, for each risk Ri, we calculate the eigenvectors of the two AHP matrices corresponding to this risk, in terms of inputs and outputs. The eigenvectors associated with the maximum eigenvalues correspond to the i-th row of the NEM and the i-th column of the NCM. We define the risk numerical matrix (RNM) by the global weighting operation given by the following equation:


This calculation permits an overall estimation of the (i,j)-th term since it aggregates (at the same level of influence) the two approaches of causes and effects.

Figure 8 displays the numerical results in the risk numerical matrix. As the figure shows, RNM is a square matrix with identical row and column labels. An off-diagonal value signifies the evaluated causal conditional probability of one risk on another. The risks in column are causes while the ones in row are effects. For example, in the crossing point of row 7 and column 11, the value 0.327 indicates that the evaluated causal probability of the link from risk 11 to risk 7 is 32.7%.

Figure 8. Risk Numerical Matrix of the Case Study

Representation of Risk Interactions with Complex Network Structure

With the outputs of identification and evaluation, risk interactions can be represented in a network structure. As shown in Figure 9, all the risks interact in complex ways: one risk can cause multiple subsequent risks and can be triggered by multiple risks, and different paths exist from one node to another, either direct or via multiple steps. In addition, specific phenomena like “loops” exist and need to be considered.

Figure 9. Interactions-based Risk Network of the Case Study

Simulation Model and Experiment Design

Simulating Risk Network by Arena

It is difficult to calculate the propagation behavior in the risk network, especially with complex phenomena like loops. Furthermore, unlike scientific research in some disciplines like chemistry or biology, in the context of project management, it is difficult, costly, and impractical to carry out physical studies on the project itself. Namely, continuously repeating projects as experiments in reality is unfeasible. These days, simulation is more popular and powerful than ever since computer and software technologies have significantly developed. Therefore, in our research on project risk management, we model and analyze risk network through simulation.

To conduct simulation analysis in the case study, we modeled the risk interaction network in the environment of Arena, which is a powerful and widely used simulation tool in industry. It is suitable for modeling complicated systems and simulating discrete events. Besides the network structure, the parameters of the simulation model include the spontaneous probability of each risk node and the transition probability of each interaction link.

Transition probability. In the simulation model, evaluated causal conditional probability can also be interpreted as transition probability between two risks. In the network with n risk nodes, transition probabilities are in a square matrix with n × n elements of probability. For example, if the transition probability from risk i to risk j is 0.30, it means that the occurrence possibility of risk j originating from risk i is 30% under the condition that risk i is activated. We assess transition probabilities with the values of risk numerical matrix shown in Figure 8.

Spontaneous probability. In project risk network, sometimes certain risks may be caused by particular external event or some risk not identified. In another explanation, they may also occur spontaneously due to some unknown or undefined reason outside the system. Spontaneous probability can be interpreted as the evaluated likelihood of a risk, which is not the effect from other activated risks.

During the simulation process, spontaneous probability is the starting condition of network propagation. Its quantitative value can be converted from the classical qualitative evaluation of risk probability. The discrete scale (for example, measured from 0 to 10) is converted to a percentage, expressed as a real number, with the projection function, where p indicates the percentage probability and s indicates the qualitative scale, with parameters α > 0 and β > 0. This function is not linear; it is more likely to be a concave curve.

Design of Experiments

In simulation experiments, 10,000 iterations are conducted in each replicate of simulation process. Occurrence of every risk is recorded during the simulation thanks to statistical accumulators deployed in the model. Here we interpret the recorded occurrence as simulated risk frequency instead of probability, although they seem to have similar formation and meaning. In fact, during one replicate of project simulation, a risk could occur more than one time. That does accord with the situation in reality.

Risk prioritization. Risk network propagation is simulated to get different indicator bases for risk prioritization, such as refined risk frequency, anticipation of risk consequences and simulated risk criticality.

First, we acquire the input spontaneous probability of each risk converted from the qualitative probability evaluated by classical method. The values are displayed in Table 4 as most likely spontaneous probabilities. After simulation, the simulated frequency of each risk is obtained and compared with original spontaneous probability.

To anticipate the consequences of one identified risk, we can activate this risk by giving its spontaneous probability with the value 100%, while the spontaneous probability of all the other risks is 0%. Then after simulation, we can observe all the potential consequences of this risk.
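The propagation experiment described above (spontaneous activation, transition along links, and forcing one risk to 100% to observe its consequences) can be sketched as a small Monte Carlo simulation. This is an added example, not the authors' Arena model: the propagation rule, the event cap and all transition values except R11 to R07 = 0.327 are assumptions or constructed values, and only four risks from Table 4 are used.

```python
import random
from collections import deque

# Most likely spontaneous probabilities of four risks, taken from Table 4.
SPONTANEOUS = {"R01": 0.500, "R07": 0.126, "R11": 0.001, "R16": 0.050}

# Transition probabilities keyed (cause, effect). Only R11 -> R07 = 0.327 is
# quoted on the page; every other link and value is constructed.
TRANSITION = {
    ("R11", "R07"): 0.327,
    ("R01", "R11"): 0.20,   # constructed
    ("R11", "R16"): 0.20,   # constructed
    ("R16", "R07"): 0.25,   # constructed
    ("R07", "R01"): 0.30,   # constructed; closes the loop R01 -> R11 -> R07 -> R01
}

MAX_EVENTS = 1000  # assumed cap on occurrences within one simulated project

def simulate(spontaneous, transition, iterations=10_000, seed=1):
    """Return the simulated frequency (occurrences per iteration) of each risk."""
    rng = random.Random(seed)
    successors = {}
    for (cause, effect), p in transition.items():
        successors.setdefault(cause, []).append((effect, p))
    counts = {risk: 0 for risk in spontaneous}
    for _ in range(iterations):
        # Starting condition: risks that occur spontaneously in this project.
        queue = deque(r for r, p in spontaneous.items() if rng.random() < p)
        events = 0
        while queue and events < MAX_EVENTS:
            risk = queue.popleft()
            counts[risk] += 1          # a risk may be counted more than once
            events += 1
            # Assumed rule: each occurrence may trigger each downstream risk.
            for effect, p in successors.get(risk, ()):
                if rng.random() < p:
                    queue.append(effect)
    return {risk: counts[risk] / iterations for risk in counts}

def consequences_of(risk, spontaneous, transition, iterations=10_000, seed=1):
    """Force one risk to 100% and all others to 0%, then simulate."""
    forced = {r: (1.0 if r == risk else 0.0) for r in spontaneous}
    return simulate(forced, transition, iterations, seed)

def rank(values):
    """Risk IDs ordered from highest to lowest value."""
    return sorted(values, key=values.get, reverse=True)

if __name__ == "__main__":
    frequency = simulate(SPONTANEOUS, TRANSITION)
    print("rank by spontaneous probability:", rank(SPONTANEOUS))
    print("rank by simulated frequency:   ", rank(frequency))
    print("consequences of R11:", consequences_of("R11", SPONTANEOUS, TRANSITION))
```

With these inputs R11 moves from last place to ahead of R16, because almost all of its occurrences are triggered by R01 and not spontaneous.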

As discussed in the Introduction, risks are usually prioritized by the characteristic of criticality, which is generally a combination of probability and gravity, or simply defined as their product. As with risk frequency, we can refine risk criticality by incorporating all the consequences of the risk in the network. Giving Ri its most likely spontaneous probability from Table 4, and all the other risks a spontaneous probability of 0%, we can calculate the simulated criticality of Ri by the equation:


Where SC[i] indicates the simulated criticality of Ri, RF[j] and RG[j] indicate the simulated frequency and the evaluated gravity of Rj respectively.

Sensitivity analysis. In order to mitigate the uncertainty of estimated input data in simulation and acquire more reliable results, spontaneous probability of each risk is assessed by expertise with three-level values: optimistic, most likely, and pessimistic (Table 4). Different scenarios with variant inputs are simulated to perform sensitivity analysis on risks.

Table 4. Input Data of Simulation Experiments

Risk ID  Evaluated    Evaluated  Spontaneous Probability
         Probability  Gravity    Optimistic  Most Likely  Pessimistic
R01      8            7          0.450       0.500        0.950
R02      7            5          0.100       0.360        0.600
R03      8            9          0.350       0.500        0.650
R04      5            9          0.010       0.126        0.200
R05      7            6          0.250       0.360        0.700
R06      3            8          0.005       0.011        0.200
R07      5            8          0.010       0.126        0.150
R08      3            7          0.010       0.011        0.100
R09      4            6          0.010       0.050        0.200
R10      3            6          0.010       0.011        0.050
R11      2            7          0.001       0.001        0.020
R12      3            8          0.005       0.011        0.020
R13      3            7          0.005       0.011        0.100
R14      7            2          0.100       0.360        0.900
R15      2            9          0.000       0.001        0.100
R16      4            5          0.045       0.050        0.070
R17      2            4          0.000       0.001        0.050
R18      2            5          0.000       0.001        0.002
R19      3            10         0.005       0.011        0.012
R20      2            2          0.000       0.001        0.002
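
The experiments described above (simulated frequency, single-risk activation, simulated criticality, and the three-level sensitivity runs) can be sketched as a small Monte Carlo model. This is an added Python example, not the paper's Arena model: it uses four rows of Table 4, while the transition probabilities, the rule that a risk occurs at most once per run, and the aggregation of criticality as the sum of RF[j] × RG[j] are assumptions of the example.

```python
import random

# Gravity and (optimistic, most likely, pessimistic) spontaneous probability
# for four risks, copied from Table 4.
GRAVITY = {"R01": 7, "R02": 5, "R03": 9, "R04": 9}
SPONT = {
    "R01": (0.450, 0.500, 0.950),
    "R02": (0.100, 0.360, 0.600),
    "R03": (0.350, 0.500, 0.650),
    "R04": (0.010, 0.126, 0.200),
}
# Constructed cause -> effect transition probabilities (assumption, not the
# paper's network); R04 -> R01 closes a loop.
TRANSITION = {
    "R01": {"R02": 0.4, "R03": 0.3},
    "R02": {"R04": 0.5},
    "R03": {"R04": 0.2},
    "R04": {"R01": 0.1},
}

def simulate(spont, runs=20000, seed=1):
    """Return RF[j], the share of runs in which Rj occurred at least once."""
    rng = random.Random(seed)
    hits = dict.fromkeys(GRAVITY, 0)
    for _ in range(runs):
        frontier = [r for r in GRAVITY if rng.random() < spont.get(r, 0.0)]
        occurred = set(frontier)
        while frontier:                      # propagate through the network
            cause = frontier.pop()
            for effect, p in TRANSITION.get(cause, {}).items():
                if effect not in occurred and rng.random() < p:
                    occurred.add(effect)
                    frontier.append(effect)
        for r in occurred:
            hits[r] += 1
    return {r: hits[r] / runs for r in GRAVITY}

def consequences(risk, runs=20000):
    """Activate one risk at 100% with all others at 0%."""
    return simulate({risk: 1.0}, runs)

def simulated_criticality(risk, level=1, runs=20000):
    """Assumed aggregation: sum of RF[j] * RG[j] with only `risk` spontaneous."""
    rf = simulate({risk: SPONT[risk][level]}, runs)
    return sum(rf[j] * GRAVITY[j] for j in GRAVITY)

def sensitivity(runs=20000):
    """Criticality of each risk at the three spontaneous-probability levels."""
    return {r: tuple(simulated_criticality(r, lvl, runs) for lvl in range(3))
            for r in GRAVITY}
```

Calling `simulate({r: v[1] for r, v in SPONT.items()})` gives the refined frequencies for the most likely inputs, which can be compared directly against the spontaneous probabilities in the table.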

Analysis of Simulation Results

Simulation and Risk Prioritization Results

Table 5 consolidates the results of the risk network simulation and compares them with the analytical results of the classical method in project risk management.

Table 5. Comparison of Simulation Results with Classical Method

Based on the simulation results in Table 5, we prioritize risks on different indicator bases. The prioritization results differ depending on the indicator used (Table 6).

Table 6. Risk Prioritization Results by Different Indicators

Analysis of Changes in Risk Prioritization

Simulated risk frequency. We contrast the simulated frequency with the evaluated spontaneous probability of project risks in Tables 5 and 6. After simulation in the network context, the occurrence frequency of some risks has notably increased. For example, R11, R15, and R17 in Table 5 were considered unlikely to occur by the classical method, yet their frequencies increase by quite significant ratios. Risks of this kind are unlikely to happen spontaneously, but other events may lead to them.

Some risks were moderately anticipated, but they were still to some extent underestimated. After considering interaction effects, these risks escalate into higher levels, such as R04, R07, and R10 (Table 5).

As a whole, a number of risks have increased occurrence frequency to varying degrees, which reflects the intensity of their interactions in the network.

Consequences of risk. We anticipate the consequences of a risk in simulation because the risk and its effects propagate through the network. In Table 5, some risks like R01 and R03 were considered to have moderate gravity or impact by themselves. However, after simulation, they have significant consequences, since they can cause a larger number of other risks, or certain risks with high gravity, to occur. For instance, R02 was evaluated with lower gravity than R03 in the classical method, whereas the simulated consequences of R02 turn out to be higher than those of R03.

Simulated risk criticality. The risk prioritization results change after simulation. For example, in the classical method, R03 was evaluated with the highest criticality, but the risk with the highest simulated criticality in the network is R01. Several risks like R14 rise considerably in the prioritization, while several others drop.

The gaps between risks in the prioritization results have also changed after simulation. For example, R04 and R05 were evaluated with similar criticality. After taking into account the propagation in the network, R05 has much higher simulated criticality than R04, and the gap between them has widened.

Sensitivity Analysis

We simulate different scenarios with varying spontaneous probabilities of risks. The simulated criticality of each risk is calculated for the three-level (optimistic, most likely, and pessimistic) input values. Figure 9 displays the distribution for each risk.

Figure 9. Sensitivity Analysis of Project Risks

Each risk has a different range of simulated criticality. For example, R02 and R03 have similar most likely values of criticality, but R02 has a larger potential range and thus could be more unstable in the project.

With regard to risk prioritization, R01 has higher simulated criticality than R02 in all situations. Prioritized by most likely value, R01 ranks above R05; nevertheless, under certain circumstances, R05 will lead to higher consequences and be more critical than R01.


We introduced the project risk management process and its classical steps. Based on the investigation of current methodologies and their limits in handling the complexity of project risks, in this paper we bring interactions into project risk management. New applications of existing techniques like DSM in project management are developed to identify risk interactions. After evaluating interactions through the AHP method along with expertise and experience, the simulation model of the project risk network is established. It enables us to simulate different scenarios in order to analyze propagation in the risk network. The simulation results are compared with those of classical methods, and risks are prioritized according to different indicators.

From the comparison, we find that the occurrence probability of many risks was underestimated. The reason is that the probability estimated in classical methods does not take into account risk interactions and propagation in the network.

Managers and experts are always evaluating the status and possibility of project success, which is also a great concern to stakeholders. Simulating the propagation behavior of a risk helps to anticipate its consequences and overall impact on the project. Considering a risk together with its interactions in a complex environment may dramatically change its potential importance in the project.

Mitigation and other risk control actions rely on risk prioritization. The simulated results according to different indicators provide an innovative understanding of risks and an evaluation of their relative severity and potential impact on the project. The shift in risk prioritization also changes the planning of mitigation actions.

It must be admitted that uncertainties exist in the parameter evaluation step for the risk network. Given the results of the sensitivity analysis, we also argue that the reliability of prioritization results should be considered.

In future work, mitigation actions will be proposed and tested in the simulation model. These actions will include both classical actions on risks and innovative actions on risk interactions. In addition, more parameters such as time, resource, and cost of risks will be incorporated and calculated. We have begun to apply this research to a larger case study of an infrastructure construction project with tens of risks in the complex network.


Association for Project Management. (1996). Project risk analysis & management (PRAM) guide (2nd ed.). High Wycombe, UK: Association for Project Management.

Association française de Normalisation. (1997). ISO 10006. Management de la qualité: lignes directrices pour la qualité en management de projet: Editions AFNOR.

Association française de Normalisation. (1999). RG AERO 000 40, dans NF X50 410. Recommandation générale pour la spécification du management de programme: Editions AFNOR.

Baccarini, D., & Archer, R. (2001). The risk ranking of projects: A methodology. International Journal of Project Management, 19(3), 139-145.

Biedermann, W., & Lindemann, U. (2008, November). Cycles in the multiple-domain matrix -Interpretation and applications. Paper presented at the 10th International DSM Conference, Stockholm, Sweden.

Browning, T. (2001). Applying the design structure matrix to system decomposition and integration problems: a review and new directions. IEEE Transactions in Engineering Management, 48(3), 292–306.

British Standards Institution. (2002). ISO/IEC Guide 73:2002. Risk management – vocabulary –Guidelines for use in standards. London: British Standard Institute.

Carr, V., & Tah, J. H. M. (2001). A fuzzy approach to construction project risk assessment and analysis: Construction project risk management system. Advances in Engineering Software, 32(10–11), 847–857.

Chapman, C. B., & Ward, S. C. (2003). Project risk management – Processes, techniques and insights. Chichester, UK: John Wiley & Sons.

Chen, S., & Lin, L. (2003). Decomposition of interdependent task group for concurrent engineering. Computers and Industrial Engineering, 44(3), 435–459.

Danilovic, M., & Browning, T. (2007). Managing complex product development projects with design structure matrices and domain mapping matrices. International Journal of Project Management, 25(3), 300–314.

DSM Community. (2009). DSM tutorial. Retrieved in November 2009, from

Ebrahimnejad, S., Mousavi, S. M., & Seyrafianpour, H. (2010). Risk identification and assessment for build-operate-transfer projects: A fuzzy multi attribute decision making model. Expert Systems with Applications, 37(1), 575–586.

Eppinger, S., & Salminen, V. (2001, August). Patterns of product development interactions. Paper presented at the International Conference on Engineering Design, Glasgow, Scotland.

Eppinger, S., Whitney, D. E., & Gebala, D. A. (1992, January). Organizing the tasks in complex design projects: development of tools to represent design procedures. Paper presented at the NSF Design and Manufacturing Systems Conference, Atlanta, GA.

Fan, C., & Yu, Y. (2004). BBN-based software project risk management. Journal of Systems and Software, 73(2), 193–203.

Heal, G., & Kunreuther, H. (2007). Modeling interdependent risks. Risk Analysis, 27(3), 621–634.

Institute of Electrical and Electronic Engineers. (2001). IEEE Standard 1540-2001: standard for software life cycle processes – risk management. New York: Institute of Electrical and Electronic Engineers.

International Electrotechnical Commission. (1995). CEI/IEC 300-3-9:1995 Risk Management: Part 3 –guide to risk analysis of technological systems. Geneva: International Electrotechnical Commission.

International Project Management Association. (2006). IPMA competence baseline (ICB), version 3.0. Nijkerk, The Netherlands: International Project Management Association.

Lee, E., Park, Y., & Shin, J. (2008). Large engineering project risk management using a Bayesian Belief Network. Expert Systems with Applications, 36(3), 5880–5887.

Marle, F. (2008). Analysis of current project risk management methodologies and required improvements (Working Paper). Paris: Ecole Centrale Paris.

Project Management Institute. (2004). A guide to the project management body of knowledge (PMBOK® Guide) (3rd ed.). Newtown Square, PA: Project Management Institute.

Raz, T., & Hillson, D. (2005). A comparative review of risk management standards. Risk Management: An International Journal, 7(4), 53–66.

Saaty, T. (1977). A scaling method for priorities in hierarchical structures. Journal of Mathematical Psychology, 15(3), 234–281.

Saaty, T. (1980). The analytic hierarchy process: Planning, priority setting, resource allocation. New York: McGraw-Hill.

Saaty, T. (2000). Fundamentals of the analytic hierarchy process. Pittsburgh, PA: RWS Publications.

Saaty, T. (2003). Decision-making with the AHP: Why is the principal eigenvector necessary. European Journal of Operational Research, 145(1), 85–91.

Sosa, M. (2008). A structured approach to predicting and managing technical interactions in software development. Research in Engineering Design, 19(1), 47–70.

Sosa, M., Eppinger, S., & Rowles, C. (2004). The misalignment of product architecture and organizational structure in complex product development. Management Science, 50(12), 1674–1689.

Steward, D. (1981). The design structure matrix: A method for managing the design of complex systems. IEEE Transactions in Engineering Management, 28(3), 71–74.

Vidal, L., & Marle, F. (2008). Understanding project complexity: implications on project management. Kybernetes, the International Journal of Systems, Cybernetics and Management Science, 37(8), 1094–1110.

© 2010 Project Management Institute


