# What is Project Risk Analysis?

Cost/schedule risk analysis is based on the simple premise of accounting for the uncertainty and discrete risk events that have not yet been taken into account in the base (deterministic) project plan. The goal of the project risk analysis is to provide insight into the potential impact uncertainty and risk events will have during execution.

Traditional planning assumes finite durations and costs. These finite values are unrealistic when forecasting a completion date or cost several years in the future. Rates, quantities, scope, and manpower are all examples of variables that can impact the realism of even the best-laid plan. Add to the mix, the potential presence of risk events (threats or opportunities) and you start to wonder why so much emphasis is given in generating a CPM schedule that inevitably turns out to be wrong! By capturing these uncertainties and risk events through simulation (such as Monte Carlo) we are able to better predict ranges of project costs and durations as well as gain confidence in the likelihood of achieving the established plan.

In simplified terms, a Monte Carlo simulation is nothing more than CPM analysis conducted hundreds and hundreds of times while taking into account the impact of different combinations of uncertainty and risk events. The results, if interpreted properly, actually provide impressive insight not possible through traditional CPM scheduling alone.

The true key to a successful project risk analysis is not the cleverness of the risk model, but the accurate interpretation of the results.

## How Can I Interpret the Results When I Don't Even Understand the Inputs?

Before we examine the various reporting techniques, it is worth touching on one of the horrors of risk analysis—the accurate capture of uncertainty and risk inputs. Using inaccurate or incomplete information at this step will render a risk model useless.

There are three moving parts to a project risk model that need to be established:

### Cost/Schedule Basis

The best risk model in the world is arguably worthless if the underlying schedule is not structurally sound. A sound schedule must have free-flowing logic, relevant level of detail, and realistic completion dates not driven by management or political considerations. A CPM schedule should reflect what is possible based upon established work durations and sequences of work. This realism can push dates out of alignment with project goals, but risk analysis can help get a project on track (see schedule acceleration).

### Uncertainties

Uncertainties are often driven by scope or work complexity, e.g., missing vendor estimates or projects new to the company. Historically, cost and schedule uncertainty has been modeled using 3-point estimates such as triangular, uniform, trigen, beta-pert and other weird and wonderful distribution types. These distributions are important, but a project team is never truly going to be able to differentiate between such distribution types when trying to estimate uncertainties. Based on hundreds of successful risk workshops, the solution is this: keep it real and keep it simple when interviewing a project team capturing uncertainty ranges. Certainly take advantage of the distribution types, but only when and where relevant.

Uncertainty should be treated as a measure of team buy-in into the cost estimate or schedule. Simple reports such as a pie chart showing activities the team has rated as being realistic, aggressive, or conservative is a very effective means of understanding the team's confidence and consensus.

**Figure 1 - Schedule Uncertainty**

### Risk Events

Risk events are often captured by a project team, but less often truly integrated into a risk model. Ironically, risk events have a bigger impact on risk results than uncertainty and schedule basis combined.

The importance of accurately capturing inputs cannot be overstated. About 80% of model development should be focused on this process. A risk model is only as sound as its inputs.

## Risk Reporting

Today there are numerous types of risk reports: risk histograms, risk tornadoes, scatter charts, sensitivity diagrams, fish-bone diagrams, and many more.

Continuing the idea of 'keeping it real', risk reports can be categorized into two camps:

- The 'What' report: What is my risk exposure? What is my confidence level? What is my range of outcomes?
- The 'Why' report: What are the risk drivers? Why is the confidence level high or low? What is the plan going forward and why is that the best option?

### Risk Histogram

Risk histograms show a distribution of results from a Monte Carlo simulation. Run 1,000 iterations and, in theory, a risk histogram will show 1,000 different bars—one bar for each of the different results. Increase the increment of the bar widths to say weeks or months and the risk histogram starts to take a more common form of 10-20 weekly/monthly bars showing a non-cumulative distribution of results. Overlay on top of this the cumulative set of results (in an ordered list) and you can then report P-dates and P-costs – dates and costs against any given confidence level. These P values are based on an ordered set of results from the risk analysis.

Figure 2 shows an example of a risk histogram reporting. The P0 (12/4/2013) result is the best-case scenario. The P100 (2/11/2014) is the worst-case scenario.

**Figure 2 - Risk Histogram**

The histogram can also be used to report confidence level, or the probability of achieving a given date. Figure 2 shows that the confidence level for the current schedule finish date is only 5%. So is this a risky schedule?

The truth is, from this single metric, there is no way to know. Confidence level reporting is a widely misused and skewed metric for reporting risk. In our example, the confidence level of 5% would suggest we only have a 5% chance of finishing on time and a 95% chance of being late. While this interpretation is indeed correct, what this does not answer is how late are the 95% instances? Looking at the difference between the worse case (P100) and the deterministic date, the worst overrun is actually only 56 days later than the schedule date.

Compare this with the remaining duration of the project (655 days) and the 56 days of uncertainty indicates a relatively low degree of risk exposure.

#### The Risk Range Factor™

The risk range factor is a metric showing the degree of uncertainty relative to the amount of remaining duration. In our example, the total risk range (P100 - P0) is 69 days. Compare that to the remaining duration (655 days) and the Risk Range Factor™ is 11% meaning the remaining variability in completion date represents only 11% of the total remaining duration of the project.

The Risk Range Factor™ is a more meaningful way to measure risk exposure than the traditional confidence level as shown in the example above. In fact, the confidence level measurement is actually more a reflection of logic complexity than it is a measurement of risk exposure.

Still in disbelief? Take a simple two-activities-in-parallel schedule and apply a +/- 5-day uncertainty spread to both activities (each having 20-day deterministic durations) and run a simple Monte Carlo simulation. You might expect the confidence level to be 50%, but its not even close! The chance of both activities finishing on time is actually 50%*50% = 25%. Extrapolate this out across tens of activities with multiple paths and the confidence level quickly diminishes to single digits.

#### Contingency

Contingency is defined as the difference between a deterministic value and a given P value. Figure 2 shows that in order to be 50% confident, adding 16 days of contingency to the project is necessary. Contingency is not the best way to manage risk, it is simply moving the goal posts in order to lower expectations knowing the project will slip by 16 days. Instead, contingency should be used as the basis for a schedule acceleration or compression in order to increase the chances of achieving the goal date.

In summary, risk histograms are excellent tools for reporting risk exposure, but need to be used appropriately. Focus on the likes of risk range, contingency (within the context of a given confidence level), and the Risk Range Factor™, which give a meaningful context as to the size of the risk exposure relative to how much work is left in the project. Be very wary of using confidence level as a primary means of reporting risk

### Risk Tornado

The risk tornado chart is used to report key risk drivers. Historically focus has been given to metrics such as criticality, which reports how many times an activity falls on the critical path. The idea is that the more times the activity falls on the critical path, the more often it is going to be a risk driver. The drawback of looking at just criticality is that while it reports frequency of being on the critical path, it does not give any indication of the size or degree of impact on the critical path or finish date of the project. An activity can have a high criticality but only have a couple of days' impact on the project. This is not as concerning as an activity that only falls on the critical path 30% of the time, but when it does has a six-month impact on the project finish date.

This problem led to the development of one of the most misunderstood risk metrics—Schedule Sensitivity Index. Schedule sensitivity is a combined measure of how often and how big an impact an activity has on a given date. It is represented as a percentage and is calculated as:

SSI = (Criticality Index x Task Standard Deviation) / Project Standard Deviation

In layman's terms, it is the correlation between the amount of uncertainty of an activity and that of the project completion. All very well in theory, but try explaining this percentage-based metric to a project manager or worse, a project sanction board looking to invest millions of dollars in a project. Often the percentage is thought to be how often the activity is the biggest driver, or perhaps how much the activity contributes to a schedule overrun. Neither are correct. Attempt to defend its usefulness in terms of correlation to overall schedule delay and the audience is lost. Time and time again, SSI proves to be an unrelatable statistic for a project team that only wants to know the average impact Activity X has on the schedule.

A better approach is to use a metric called Schedule Contribution Factor™. This meaningful risk metric reports risk drivers in true cost and schedule terms and differentiates between uncertainty and risk events in terms of contribution.

Schedule Contribution reports the biggest risk drivers in a schedule and reports contribution to risk in terms of duration. Further, it separates contribution from uncertainty and contribution from risk events in order to clarify whether it is the activity scope/certainty or indeed a risk event impacting the activity that causes it to become a key risk driver.

Figure 3 shows an example where the overall P50 risk exposure is 88 days and the top five drivers are listed in rank order. Site clearance is, on average, having a 28 day contribution to this 88 day risk exposure. Interestingly, only one of the 28 days is actually due to schedule uncertainty with the remainder coming from a risk event associated with hiring sufficient labor. In other words, while site clearance is the largest risk contributor, sharpening our pencil on the accuracy of the duration estimate will not fix the problem; in reality, the issue lies in not being able to hire sufficient labor (Risk #42).

In a similar manner, the second two biggest risk-driving activities are both largely impacted by the same risk, fabrication yard constraints (risk #9).

**Figure 3 - Schedule Contribution Factor™ in the Tornado Chart**

Having this type of direct insight into the true risk drivers as well as being able to understand the root cause of these drivers is a huge step forward in risk reporting.

Tornado charts are an excellent means of reporting where cost and schedule risk hot spots are, but require special care in choosing the metrics used in the charts. Criticality is a useful measure for understanding how stable the critical path is, but does little to report the degree of impact on the project. Traditional measures such as Duration and Schedule Sensitivity Index make matters more complex without giving better insight. Instead, consider more meaningful metrics such as the Schedule Contribution Factor™, which not only reports in actual duration/cost terms, but also differentiates between contribution from uncertainty and risk events.

# Conclusions

Project risk analysis is indisputably valuable as long as the information generated helps the project team understand the risk exposure and helps them to pinpoint and reduce the key drivers. Using the likes of risk histograms for reporting context-based metrics such as Risk Range Factor™ helps give a project team a true sense of exposure. Combine this with metrics such as the Schedule Contribution Factor™ and for the first time, you can then also understand not only what activities and risks are causing the risk exposure, but also how much of an impact they are having. Risk models do not need to be complicated to be meaningful.