Risk is a risky subject. The term itself carries an abstract meaning and ambiguity for those trying to manage it. The definitions of risk, which all relate to probability and uncertainty, converge to what CFMs might call “lack of control of the projected outcome.” In construction, every CEO, CFO, and executive VP all the way down to project managers (PMs) and field personnel in a construction company manage risk at their own level.

At the end of the day, however, risk shows up as a financial mishap or, in the best-case scenario, the inability to project.

To recognize, measure, manage, predict, and prevent any phenomenon, object, behavior, or outcome such as “risk” (and its behavior), these aspects need to be quantifiable, have an isomorphic grouping, and have a unit of measurement.

This article will review a reliable process of risk management in the construction industry¹ and help you build a system to measure, correct, and project to reduce the risk of unknown outcomes.

Risk Preventers vs. Heroes

Construction tends to spotlight (and sometimes even reward) “heroes” — the PMs who swoop in and take over a fledgling project or the superintendents who seem to be everywhere all the time, chasing one fire after another. These “heroic” acts attempt to mitigate risk after it is present, but they don’t do much to prevent the risk.

Risk “preventers,” at each vantage point, take certain actions and look for certain data and behaviors to reduce risk. Their work goes unseen or unnoticed because the results are smooth sailing in terms of profitability, predictability, satisfied customers, and a safe and healthy crew or workforce. These preventers can be at any level of the company, and to avoid risk in the first place, they work very hard on planning, thinking, monitoring, and communicating, as presented pragmatically in Exhibit 1.

Categorizing Risk

Risk preventers at all levels prevent and monitor risk, reducing the chances of unknown or uncertain project outcomes. Three types of risk exist in construction — business, technical, and integration (Exhibit 2).² These types of risk should be identified by preventers in the project startup process, following a thorough contract review and work breakdown structure (WBS).

Each type of risk requires different prevention and may be quantified and measured differently. However, the three categories of risk are isomorphic; they are independent of the type of work, the size of the project or company, and can be treated in a consistent way. In the case of service or repetitive operations, managers need to identify the risk categories on a regular basis (ideally quarterly). In the case of construction project operations, the types of risk should be identified at the startup of each project and in the project audit process (which will be explained later).

However, managing the risk categories to prevent them transcends any one area of the construction operation. For example, a business risk is present when you work for a new customer for the first time, which is a situation that can happen on any job or operation. Quantifying, measuring, and managing that situation and risk can be done consistently by the organization with a structured approach.

Without risk categorization, each unique circumstance may be identified as “risky,” and a one-off solution attempted by the project team — which requires a lot more energy than necessary — may not guarantee prevention.

Quantifying & Measuring Risk

Risk management requires risk identification, analysis, and evaluation. Risk can be quantified using the Failure Mode Effect Analysis (FMEA) — a system and tool that was developed in the 1940s by the U.S. military (later adopted by the automotive and other industries) — to reduce the risk of product development, production, and usage. The process includes the following steps:

1. Identify all components or steps and their potential failure modes
2. Recognize the potential effects and causes of the identified failure modes
3. Assign a score between 1-10 for severity, frequency of occurrence, and detectability to each failure mode
4. Calculate the risk priority number (RPN) by multiplying the three scores
5. Prioritize the failure modes based on the calculated RPN number
6. Develop a plan to reduce the risk of potential failures

To support FMEA step 3, a multi-layered risk management model can be used to assess the likelihood of occurrence and detectability of risk and potential failures like the Error Trapping — Swiss Cheese Analogy shown in Exhibit 3. This multi-layer risk management model has been proven successful in aviation as a model for building a solid plan for accident and incident prevention for decades.³

Exhibit 3 shows how such a model can help with measuring/quantifying detectability of risks, as it provides a structured thought process to identify:

• What company policies, processes, procedures, and technologies are in place to capture and detect the potential failures or risks;
• How likely it is to be detected; and
• What measurement can be used for quantification.

Detectability comes from correct measurement to allow for anticipation of the risk and its effects. For example, financial risk in a job or division could be made visible by measuring profitability. However, using a job’s burn rate of the hours or cost (sometimes called “earned and burned” reporting) will most likely lead to a wrong conclusion or a delay in detectability of financial risk while the job is in progress; with this, the profitability stays hidden until the end of the job.

Two real examples and applications of risk management are described in the Case Studies of Risk Management sidebar, where the company was being exposed to risk by “holes in the slices of cheese” as depicted in Exhibit 3. By quantifying and measuring the risk and root causes, followed by Kaizen events (from the Japanese word for continuous improvement or change for the better) for identifying and testing solutions, the holes were filled in.