This case study outlines a risk management activity that was conducted jointly by a project sponsor and a contractor, shortly after contract signature. The aim was to generate better project outcomes and reduce risk exposures for all the parties involved. There were significant benefits in terms of a deeper understanding and appreciation of each other’s perspectives, as well as a cooperative approach to risk management in the project.
Objectives and background
The objective of the exercise described here was to identify and set priorities for addressing the risks associated with the development of an aircraft electronic system and variants for different kinds of aircraft. The primary purpose was to derive benefits for the project in terms of better project outcomes and reduced risk exposures for all parties involved.
The details of the electronic system are not relevant for this case study, except to note some of the important characteristics that made the project challenging:
- The project involved high-technology systems development, including research components, so it was inherently ‘risky’
- The system and its variants had to be designed in a way that would allow them to be mounted in different airframes
- The systems had to be integrated with aircraft systems, including navigation systems, without disrupting the operation of those systems.
A formal contract between the sponsor and the contractor had been agreed and signed a few weeks before the work described here.
Risk management process
The approach to risk management followed the international standard ISO 31000 Risk management – Principles and guidance (Figure 1). Context setting was completed first, followed by a two-day assessment workshop and then additional work on treatment planning.
Participants in the context setting and the risk assessment workshop were drawn from:
- The contractor
- The project sponsor
- System users, including operators and maintainers.
Establishing the context
Establishing the context began with a review of documents relating to the project. From the review, detailed structures and a timetable for the risk assessment workshop were developed, including spreadsheet templates for recording risks. This also involved a short workshop to identify key stakeholders, objectives and the criteria to be used to assess impacts of risks in the workshops to follow.
There were several groups of stakeholders:
- The users of the systems, primarily the operational squadrons where the systems would be fitted and their maintenance and logistic support teams
- The contractor that would be developing, installing and testing the systems
- The defence agency sponsoring the project
- Defence industry, including sub-contractors to the main contractor and other contractors involved in maintenance and support.
The objectives of the stakeholders were reviewed and condensed to a set of criteria for the project:
- Operational performance of the systems on the aircraft
- Logistic support, including reliability, availability and maintainability, and the availability of local support
- Operational support, including the flexibility of the software and the ability to reprogram the systems locally
- Equipment flexibility and commonality
- Contractual compliance
- Cost, including through-life costs
- Delivery time
- Satisfaction of users with the delivered systems.
These criteria were used to develop scales for rating the impacts of risks.
The contract work breakdown structure (CWBS) was reviewed and adjusted into a risk breakdown structure (RBS) that focussed on the main issues to be addressed in the risk assessment. The RBS provided the key elements used for structuring the workshop (Figure 2). There were 22 elements, an appropriate number for a two-day workshop.
The steps in the workshop involved:
- Structured brainstorming to identify risks for each RBS element
- Analysis of the impact of each risk in terms of the criteria, and the likelihood of that level of impact arising
- Derivation of an initial level of risk from the impact and likelihood ratings
- Review and confirmation of the initial levels of risk
- Allocation of risks to risk owners
- Allocation of risks to specific system variants.
The workshop identified and analysed 371 risks. They included a wide range of generic risks related to the engineering development of the system, applicable to the primary system as well as specific variants.
The terms of the contract set out the broad allocation of risk between the contractor and the sponsor. This meant that ownership of specific risks was generally quite clear. Of the 371 risks identified in the risk assessment, 291 were allocated to the contractor, 70 to the sponsor and ten were owned jointly.
To be able to meet contractual obligations, and to enable the contract to proceed smoothly, each party needed to understand what it could do to assist the other party to manage the risks it owned. For example:
- The contractor had many obligations, but some of them required information, detailed specifications or other support from the sponsor
- In turn, the sponsor’s systems required requests to be in particular forms and to meet specific security protocols
- The workshop provided a forum in which some of these matters could be discussed, within the risk-allocation framework set by the contract, in a cooperative environment in which it was clear that all parties were striving for a common set of project outcomes.
The ten risks that were owned jointly concerned matters outside the strict ambit of the contract. They included risks associated with potential changes in scope or schedule that might be mandated by the sponsor for operational reasons, or that might arise as a result of interactions with other projects. These risks were jointly owned as they would need to be negotiated and would be likely to involve amendments to the contract.
Responsibilities for risk treatment were allocated to individuals for the highest-priority risks, just over 20% of the total. Detailed treatment plans were required for these risks.
Monitoring and review
Monitoring and review was addressed in a detailed Risk Management Plan that was included later in the Project Master Plan. The Risk Management Plan established processes and procedures for the continuing monitoring, review, reporting and management of risk through the life of the project, to ensure that major risks ‘stayed managed’ and that new risks were recognised, analysed and treated appropriately and in a timely fashion.
In particular, the Risk Management Plan provided for:
- ‘Continuous’ monitoring, with a focus on the maintenance of watch lists and reviews at regular project meetings (Figure 3)
- Major reviews of risks at key project milestones.
Risks had been allocated in the contract between the sponsor and the contractor, and this allocation was known and understood by both parties. Nevertheless, it was in the interests of everyone that risks be managed well through the life of the project. The joint approach to risk management described here had many benefits:
- The parties assessed a comprehensive set of risks, so they both had the same detailed understanding of the main areas of uncertainty in the project and who was responsible for them contractually
- They developed a deeper appreciation of each other’s perspectives and priorities
- The need for a collegial, cooperative approach was recognised, within the clear boundaries set by the contract and without any shifting of responsibilities between the parties, and this was fostered by the risk assessment process
- The basis for a sound, professional relationship was established for what was recognised as a challenging project.
We have found that joint risk assessments are an excellent way for developing understanding between parties who have not had much previous contact.
- In this case the parties were from different organisations; we have encountered other cases, including alliances and mergers, where similar benefits have emerged
- Frequently we see similar benefits arise within project teams and their specialist advisers and sub-contractors, where the risk assessment process itself has a strong team building function, quite apart from the risks it generates.