Manage Project Risk Right

Successful project management requires identifying and planning for events that can impede the undertaking. Each event poses different potential consequences. Some risks can impact cost, others can affect schedule, and still others can alter the facility's operating parameters. While you can easily identify some risk events such as delays in equipment fabrication, others aren't obvious without the benefit of hindsight.

So, use of a formal risk-management tool and process is essential during project planning to avoid project failure due to anticipated or unanticipated events. Failure Mode Effect Analysis (FMEA), a flexible yet powerful tool, is a good option where risks are diverse.

FMEA Basics
Originally developed for the military aerospace program in the 1940s, FMEA has spread to other industries and areas as a risk management tool. It often serves as an integral part of formal quality systems such as QS-9000. While specialized software programs are available for conducting and documenting results of a FMEA, you needn't use them. Indeed, a simple spreadsheet program can suffice for conducting a FMEA.

A FMEA-based risk management process consists of two phases: completion of a FMEA matrix and then integration of the FMEA matrix results into the project execution and control plan.

The first phase has three steps; each involves completing various columns in the FEMA matrix (Table 1).

The first step is failure mode identification. In the project management context, failure modes are equivalent to project risk events. During this step, you list all possible failure modes in the FMEA table and assign each a severity rating that reflects its impact on project success.

In the second step, you estimate probability of occurrence of each risk. This involves identifying its causes and their probability.

The final step is to determine how to detect occurrence of risks. It's critical to ensure that early detection is possible.

Once you've completed the analysis, you can begin the second phase of the FMEA process. Here, you calculate a risk priority number (RPN) for each risk and document mitigation actions. RPNs enable sorting risks in terms of impact and thus allow the project risk management team to focus on highest impact risks first.

Avoid Common Errors

Six miscues often undermine the value of using FMEA for project risk management:

Confusing cause with risk. The most common trap teams fall into while developing the FMEA matrix is confusing causes with risks. Always keep risks separate from causes. The FMEA should document risks, not causes. For example, lack of engineering resources is a cause that can create several risks. It can result in delayed schedules or rework due to poor quality or incomplete data. Treating lack of engineering resources as a risk instead of a cause can lead to missed action plans and invalid risk assessment and visibility.

Not distinguishing multiple causes for one risk. When developing the risk and cause list, make sure to separately identify and document all causes for the same risk. Assuming that a particular risk has only one cause can decrease the FMEA effectiveness; some risks have multiple causes that must be managed differently.

Not periodically reviewing the FMEA matrix. FMEA-based risk management shouldn't be a one-time effort. Periodically review the matrix. Don't just verify applicability of risks but also reassess impact, probability and ability-to-detect scores. In most cases, a risk's RPN will change as the project progresses. Conducted properly, periodic review can ensure that the project team is focused on managing the right risks at the given time.

Using too small a team to develop the FMEA. While it's more time effective to have a small core team initiate the FMEA, have a broader group look over the initial matrix. In fact, having completely independent outsiders review the FMEA can ensure that no significant risks have been missed.

Not distinguishing between project-specific risks and general project-management risks. Risks identified using the FMEA process should relate specifically to the project and reflect its unique scope and success criteria. All projects face some common risks; identifying only them could lead to a shallow risk list. Don't use another project's completed FMEA matrix as a starting point. Start with a blank matrix. Once you finish your matrix, then it's worthwhile to look over other matrices from other projects to stimulate identification of further risks.

Failing to incorporate FMEA results in the project execution plan. The FMEA matrix is a tool to facilitate project risk management. Conducting the analysis and completing the matrix doesn't constitute risk management. You must incorporate the action plans and detection methods identified in the matrix into the project execution plan. You must modify the necessary communication procedures, work processes and other execution elements to reflect the project-specific FMEA.

Getting ReadyBefore conducting a FMEA, you must address two crucial preliminaries. Creating the FMEA team. You must assemble a small team of key stakeholders. Team members typically include the project manager, the process engineer and the construction manager. This core team should complete the initial FMEA matrix and then send it to people in support functions such as procurement, permitting and process safety for input. You can conduct the FMEA in one working session. You may save time by asking team members first to individually complete the FMEA table and then focusing the working session on consolidating their tables. Assembling necessary documents.Running a FMEA too early after project initiation could lead to missed risks and inadequate risk characterization. So, you should conduct the FMEA as part of the project execution planning process during the later part of front-end design. The recommended minimum documents needed are: • preliminary process and instrumentation diagrams;• major equipment list;• roster of applicable permits and critical process safety requirements;• current contracting strategy for detail design and construction; and• cost and schedule estimates.Depending on the particular project's scope, you also may need other documents such as equipment arrangement drawings, control system architecture and equipment supplier lists. Conducting the FMEAThe first and most crucial step in an effective FMEA is identification of project risks. During this step, you should pinpoint all potential risks along with their causes. The risk identification step should address key project aspects such as material procurement, technology selection, resources' availability and contracting strategy. To illustrate what's involved, let's consider some major project categories and risks they commonly face. Schedule. Risks can come from lack of engineering resources, contractor availability as well as late decisions. Missing key stage gates or not completing design documents on time can impact the project schedule. The FMEA team should list all risks to the schedule. Cost. These risks can stem from external or internal factors. Grouping risks as external and internal can provide clarity. Price escalations of materials and engineering labor are examples of external factors. Internal factors to consider include: missed scope, poor or inadequate definition of equipment specifications as well as changes in project objectives such as capacity. Regulations and permitting. Unanticipated delays in obtaining permits or permit-driven scope changes can impact schedule and cost. This category is especially important for projects in countries without well-developed permit regulations and experience. Procurement. Common risks include lack of vendor shop availability, poor quality equipment and fabrication delays. It's useful to categorize each risk as internal or external. Technology selection. If your project uses new or unproven technology, consider various sources of uncertainty in technology design. Try to make risks as specific as possible. This may require reviewing the project scope item by item to identify those with the most technical uncertainty. For each risk in each category, identify and document causes in the FMEA matrix. For risks with multiple causes, list each cause separately so it can be properly managed. Finally, indicate any controls currently in place to detect and mitigate risks. After this initial risk-identification exercise, circulate the list to project team members and key stakeholders for comment. In most cases review by people outside the FMEA team uncovers additional risks. Risk CharacterizationAfter completing risk identification, the FMEA team should characterize three aspects of each identified risk: 1. severity of its impact;2. probability of its occurrence; and3. the project team's ability to detect the event.Assign each of these risk aspects a value of either 1, 3 or 9. For example, a high negative impact should get a 9, a moderate one a 3, and a minimal one a 1. Risks with a high likelihood of occurrence should receive a 9, ones with a moderate likelihood a 3, and those with remote possibility of happening a 1. A FMEA should show most risks as 3 on the occurrence aspect, with some scored as either 1 or 9. If instead most are 9 or 1 the FMEA is considered unbalanced. Too many 9s can lead the team to ignore other significant risks. On the other hand, most having 1s could indicate that serious risks have yet to be identified. An unbalanced FMEA should spur the team to verify that it didn't miss any risks.

Sample FMEA table

Table 1. Reactor fabrication clearly poses higher risk to project success.After estimating probability of occurrence, the team should assess prospects for spotting each risk-and-cause combination. If it's easy to detect occurrence of the risk event, it should get a value of 1, while if the occurrence can't be detected early and easily, it should get a 9. The final step in FMEA is finding the RPN for each specific combination of risk and cause. You calculate RPN by multiplying the three values assigned earlier: severity of impact, probability of occurrence and ease of detection. Sort results in order of descending RPN. Risks with the highest RPN have a high negative impact, are very likely to occur and will be difficult to detect. The team then should move on to developing a risk mitigation and management plan using the matrix. Starting with highest RPN risks, consider additional actions needed beyond any controls already in place. For example, if you identify use of new suppliers for major equipment as a cause for schedule impact due to rework and repair, consult your procurement group to review options for increasing supplier quality assurance. A Potent ToolFMEA can help teams identify, mitigate and manage risk events that can impair project success. It's a simple but powerful tool that should be an integral part of any project manager's toolkit. Use it first late in the conceptual design stage — but revisit the FEMA matrix on a regular basis to ensure that new risks are identified while obsolete risks are eliminated from project risk-management activities.

Adnan Siddiqui, P.E., is principal of ConcepSys Solutions LLC, Houston. E-mail him at [email protected].