Valuing project risks using options theory
Risk management is defined as the “systematic process of identifying, analyzing and responding to project risks.” During the risk management process, various risk factors are analyzed to better understand the probability and impact of the risk. The steps include risk planning, identification, qualitative analysis, quantitative analysis, response planning and monitoring/control (see PMBOK® Guide, 2000). Based on the perceived impact, appropriate responses like avoiding, transferring, mitigating or accepting the risk can be considered.
The risk quantification process uses empirical and mathematical techniques such as probabilistic sampling, Delphi methods, or qualitative assessment to measure the impact of the risk. The idea behind quantifying the risk is to ensure that the reward from the response planned is commensurate with the risk. Some of the established models that value risky financial investments imbed knowledge that could help a project manager get a good handle on the risk in a project and rewards of a response. Such models help us get a better understanding of the nature of the risk and the appropriate costs for the kind of response planned for an identified risk.
Risk management is a routine process within the framework of project management and requires continuous assessment of all identified risks throughout the duration of the project. These assessments are based on factors such as the probability of a risk event and its impact severity. Additional factors such as the time when a response decision is made, duration of risk coverage required and the uncertainty about the risk factors also play an important role.
The triggers and symptoms of an identified risk are dynamic because the risk environment within which the project operates changes with time. So, it is not feasible to correctly estimate the value of risk and the required response costs. However, responses are commitments made at a certain time during the project, and may be hard to revert. This may lead a project manager make erroneous decision, in terms of over or under estimating the nature of the risk.
Hence, the time at which a response decision is made has a very large bearing on the type of response. The duration for which protection from an identified risk is required is another factor in selecting an appropriate response. Consider a risk that has a medium probability of occurrence and moderate impact. If the imminent impact time horizon is only a week from now, its impact severity will not be the same as if we forecast it to occur anytime in the next three months. In three months, the project environment may vary so significantly that the medium probability has risen to a high probability or the moderate impact was downgraded to a low impact.
Any action taken to handle risk implicitly incorporate the estimated time within which it can materially impact the project.
In addition, at any time during the risk management process, the project manager has the option to postpone the risk handling response. This carries a value because, as some risk parameters become clearer the project manager is positioned in a better shape to handle the risk at a later time.
Traditional theories based on empirical evidence suggests a set of actions based upon the following guidelines:
• If it is a low risk and low probability of occurrence, then assume the risk.
• If it is a medium impact and/or medium probability then consider mitigation strategies and monitor the risk.
• If it is a high impact and/or high probability either develop detailed contingency plans or plan to transfer the risk or abandon the project.
As we identity various risk factors and understand the risk better, we can see it as having additional dimensions, which will be positively correlated to each other and create a compounded effect.
Using Financial Options
Investment finance deals mostly with future, and its associated uncertainty. Options are kind of financial instruments that could provide a hedge protection, at a cost, against future identified financial risks. Such risks, which occur in a continuum, are similar to project risks such as schedule slippage, cost overruns etc. The operational project risks can be equated to the market risks—the movement of prices based on external factors.
Traditionally financial analysts use three techniques for valuing an option:
• Historic Simulation
• Monte Carlo simulation
• Quantitative techniques.
Here is the time to draw parallels from financial risk management principles. Historical simulation has been the technique of choice in many project risk management situations. Most of the risk analysis processes use historically identified causes and weights. This has worked reasonably well with many projects, and has been effectively understood by several project managers. This is one reason, why experience (either firsthand or derived) counts in several risk handling tasks.
Monte Carlo simulation is another widely used method, particularly in computer aided project management situations. In this technique a large number of possible paths are visualized based upon a predefined probability distribution. The result is a distribution of outcomes, based upon which a project manager can take an informed decision.
Thus far, the usage of pure quantitative techniques has been minimal in several core project management areas (except scheduling project tasks). This is mainly because of the intense mathematical requirements and the nonavailability of usable data for the ensuing formulas. However, such knowledge could make a difference in the effectiveness of a project manager while dealing with future and uncertainty.
While none of the above three techniques is infallible, together they provide a good insight into the future. Each of the technique could be adapted for certain situations, with its own pros and cons.
Assigning a dollar value to the risk is, of course, a common way to effectively compare risk responses. We saw, while ago, that the value of the risk is a variable, and factors that might affect its value include its probability distribution and the time frame. The expected value of the risk, at any time, is the mean value of the impact of the risk, estimated based on the risk factors, their probability of occurrence and their associated impact.
The expected value of the risk can change over time, with the arrival of new information and better understanding of its root causes. These are random events that have unpredictable impact on the value of the risk. This uncertainty has to be modeled by assigning a probability distribution to the impact of the risk. However, unlike a financial market where trading activities affect prices, project risks are impacted mostly by the underlying causes that are beyond the control of the PM.
Again, drawing parallels from the financial options, the following parameters help estimate the appropriate cost of obtaining coverage for a risky asset (in our case the project).
• Current value of the asset, which is a variable (Asset price)
• Value at which we would like to acquire the asset (Strike price)
• Time period within which we have the right for the protection (Time)
• Opportunity cost of money—rate at which any capital can be effectively utilized (Cost of capital)
• Volatility of the asset value within the environment context. (Volatility).
The current value of the project is the budgeted cost plus the expected value of the identified risk. Since the value of the risk could vary over time, the cost of the project that assumes or accepts the risk is not fixed. This is the independent or the market variable, and depends upon the expected value of the risk. There is no prior knowledge of the exact value of the risk.
The estimate to completion of the project as computed today is the exercise or strike price. This is the cost that has been budgeted for the project and this is the cost at which the project manager would like to complete the project.
In the absence of a risk mitigation strategy, the project cost could vary and is estimated as the budgeted cost plus today's estimate of the value of the risk. When a project manager mitigates or transfers a risk, effectively he or she buys an option, which will ensure that the costs will be fixed instead of being variable. The cost of the risk response should be the premium expected to get a fixed cost instead of a variable and uncertain project cost. Now the total cost of the project is the budgeted cost plus the premium paid for the response. This premium would be different for each risk response, and hence is a useful measure to compare them.
Risk Value Components
The best way familiarize with a risk and to estimate its cost, is to analyze it into components and understand them in detail. Here too, we can borrow ideas from options theory to look at a project risk as having several components.
The expected value of the risk is the mean estimated impact cost of the risk. This has to be estimated, using some qualitative or quantitative techniques. The value of the risky project is analogous to the price of a financial asset, which has the uncertainty in its future value. The planned cost of work scheduled is the exercise or strike price. This is the cost that has been budgeted for the project and this is the cost at which the project should complete. The cost of the project assuming risk is a variable, and depends upon the expected value of the risk.
An assumption we make corroborated by most real-life examples is that project risk factors are temporal and dynamic. This implies that any value placed on a risk is correct only at the time it was estimated. As additional information is available, the risk factors change and the estimated value of the risk changes. This creates an uncertainty or volatility. The volatility factor explains why two people view similar risks differently. They attach different volatility to the value of the risk.
The volatility imbeds the variability in the estimate of the risk value. If the event has a high degree of unpredictability, its variance will be high. On the contrary, if it can be estimated quite accurately, the variance will be low and the actual value of the risk converges toward the expected risk value.
So how can we capture the impact of volatility while we value the risk and make some concrete decisions based on the information available today? One way is to analyze each risk trigger, its variance and correlation with other risk factors. Another way is to use historic empirical information.
We also assume that the longer time frames for the risk event to occur, the higher its volatility will be. The volatility as measured during a timeframe can be extended to a larger time frame, proportionate to the square root of the time frame, as per the formula
There have been several ideas on fitting a distribution to the risk probability densities. Various distribution possibilities exist, such as uniform, triangular, normal, lognormal, beta, etc. Most of these distributions can be defined with two parameters, the mean and the standard deviation. The mean of a fitted distribution is the expected value of the impact of the risk and its standard deviation is defined by the volatility.
Log normal distribution is a reasonable approximation that models the impact of a risk event. It is not a perfect bell shaped as a normal distribution as it assumes that there are no negative costs, and has a larger tail to the right. This distribution is applicable to most project risk management situations, as the probability of zero cost is zero (otherwise it would not have been identified as a risk) and the probability of a very large impact is also close to zero. Lognormal distribution is defined by means of a mean and a variance.
The time frame is the duration within which the impact of a potential risk will be felt by the project. Most often time frames equal the remaining duration of the project, as several risk elements are generic and may have a chance of happening till the end of the project. However, certain risk events are valid only during a specific phase of the project. They vanish once a milestone is reached. For example the risk of losing a key designer may vanish once the product design is complete. After this event, the designer is rolled off from the project, and his or her subsequent exit does not have a material impact on the project.
The value attached to a risk depends upon the time frame within which the risk has validity. A good way to understand the impact of time frame on the risk value is to conduct periodic risk assessment sessions. During each session, similar risks will have different probability of occurrence and impacts.
Cost of Money
Comparing costs over the project duration has to consider the time value of money and the opportunity cost of capital employed to finance the risk response. Most project initiation activities use net present value method to compare the returns from a project to its costs. A good measure of the rate of return for the project funds that is not spent in combating the risk is the weighted average cost of capital for the firm.
What is a mathematically fair value of assuming the risk? According to the Expectations Theory, the cost of the response to the risk event should be equal to the expected value of the risk.
How much is a planned response worth? Alternatively, if the risk event were only a figment of imagination, how much would have been overspent in responding to an event that would not have happened? This response value depends on the project manager or the firm's aversion for risk. Higher the level of risk aversion, higher will be the worth of the response.
Let's look at the various risk handling strategies and compare them based upon the protection they provide. For an example of various risk response strategies, assume that a software project has a key system architect whose participation is planned till the system implementation phase is complete. An identified risk is that the key system architect may leave the project.
Multiple alternatives are available to respond to this risk.
1. Risk assumption: Go with the risk and not do anything. Additional costs may be incurred to search for a replacement and possible schedule slippage. These are funded from the contingency funds.
2. Risk avoidance: Have a backup person for key architect positions.
3. Risk mitigation: Increase the project end bonus to entice the team member stay till the end of the project phase.
4. Risk transfer: Subcontracted system architect, costing more, who would be substituted at short notice.
The risk becomes one of the project tasks, and costs associated with the risk are absorbed into the project. Since it is still classified as a risk, it has a probability of occurrence. This is similar to selling a put option. If the price of the stock goes up, then there is no impact. Similarly if the risk event does not materialize, then there is no impact. However there is a downside, which potentially could be very high—if the risk event occurs. The cost of the put option can be considered to be the cost of assuming the risk.
Risk Avoidance and Mitigation
Risk avoidance and mitigation responses involve additional tasks that will help reduce the likelihood of the risk event and mitigate its impact. This strategy attempts to eliminate the root causes of the risk event, which may be replaced with a lower risk event. This means that while the downside associated with a risk is reduced, its upside will be maintained—i.e., the situation when the original risk did not occur. Such responses include avoiding a low cost but unfamiliar contractor, allocating more time for project tasks and building teams with backups for key persons.
The result of risk mitigation response is a change in the probability distribution of the risk. Effectively, the risk with a higher uncertainty and a higher expected value is replaced by a different risk of lower uncertainty and lower expected value. The total cost of risk avoidance is the sum of:
1. Opportunity cost lost or the additional costs incurred due to avoiding the risk.
2. Cost of assuming a lower risk.
Risk transfer strategies reallocate the risk to a different party. This enables the project manager to retain the upside and avoid the downside. Invariably, transferring risk would involve an additional cost as the other party that assumes the risk is willing to take the downside and expects to be compensated for it. The value of the risk is the cost that is agreeable to both the parties. This strategy is similar to buying a call option, wherein the upside is maintained, while the downside is avoided. The cost of the risk is the value of the call option price.
There is an additional value in getting a cover, when the circumstances indicate that normal risk events occur, as that is when the risk premium will be the highest. In instances where the risk factors have a very low or very high probability of occurrence, assuming the risk may be the cost effective alternative, as the required risk premiums might be lesser.
Issues and Problems
A major problem in using options based model requires the estimation of several parameters. Some of the assumptions made in the development of the model cannot be realistic. Sometimes, the mathematical complexity may overweigh the practical usage of such models, as more variables that are difficult to comprehend or estimate are required for the model.
Some very common risk mitigation strategies model as compound options and valuing them based on available data becomes very difficult. Sometimes, established models like Black and Sc-holes would not fit—no matter how hard you try to squeeze in.
The best way to deal with risk is to get familiarized with all its components. Financial engineering concepts provide additional insights into risk. This knowledge enables a project manager to more intelligently quantify the impact of an uncertain event variable and understand the cost of providing a risk response. They help compare the cover provided by response actions, taking into account several factors which value the inherent uncertainty.
Drawing parallels from financial risk methods and applying them in project risk scenarios help the project manager understand and act upon the risk better. Once a possible set actions is identified, the next step in a risk management procedure will be to quantify the expected effectiveness of each of the identified option and the cost implication of the chosen action. Looking at a project as an asset and the risk response strategies as options that provide protection from the uncertainty help compare the individual response actions.
It should be noted that, basing a response decision based on cost alone is neither realistic nor practical. Other impacts such as the project artifact quality, technical feasibility, schedule implications and human resource should also be considered—and not all these can always be quantified in cost terms.
Current operational project management processes view risk as having an adverse impact on the project performance. The impact of the risk is seen as negative, and at best having no impact. But risk can also present itself as an opportunity. Techniques such as real options evaluate the cost of a strategy that protects against the downside and retains the upside, if it materializes. These are becoming more prominent in capital budgeting decisions.
Datta, Sumit, & S.K. Mukherjee. 2001, June. Developing a Risk Management Matrix for Effective Project Planning—An Empirical Study. Project Management Journal, 32 (2), pp. 45–55.
Dixit, A.K., & R.S. Pindyck. 1994. Investment under Uncertainty. Princeton, NJ: Princeton University Press.
Hull, John C. 2000. Options, Futures and Other Derivatives. Prentice Hall, ISBN 0130224448.
Leach, Lawrence P. 2001, March. Putting Quality in Project Risk Management—Part 2, Dealing with Variation. PM Network, 15 (3), pp. 47–52.
Project Management Institute (PMI). 2000. A Guide to the Project Management Body of Knowledge (PMBOK® Guide) - 2000 Edition. Newtown Square, PA: Project Management Institute.
Proceedings of the Project Management Institute Annual Seminars & Symposium
October 3–10, 2002 • San Antonio, Texas, USA