There are many good research reports out there regarding risk management. Each report includes a section called literature review, where latest literature is reviewed and put into system according to the intention of the study.

This first research report has the title "How to conduct successful EPC projects".


2.1 The benefits of risk management

As the word risk often is associated with negative impacts on a business, the main benefit from risk is often considered to be the avoidance of losses.
However, the intention of this thesis is to prove that risk management can be beneficial in many ways. This is supported by Hopkin (2010) “The outputs from risk management activities can benefit organizations in three timescales and ensure that the organization achieves efficacious strategy, effective processes and projects and efficient operations”.
The ISO 31000 standard describes the benefits in even more details, listing among others (ISO 3100:2009):

• Increasing the likelihood of achieving objectives

• Improve stakeholder confidence and trust

• Improve loss prevention and incident management

• Establish a reliable basis for decision making

• Improve operational effectiveness

• Improve organizational learning

2.2 History of risk management

Risk management evolved from the ancient concepts of gambling and trading of options (Vesper 2006). Insurance – a financial tool that reduces risk for a party by “sharing” potential financial burdens – has roots back to 1800 BC, when it was used to help finance voyages by ships. The world’s first insurance company, Lloyds of London, was founded in a coffee shop at London harbor in 1687.
Vesper writes further about how the industrial revolution, and in particular the dangers of exploding steam engines, changed the governments attitude towards social and environmental risks. Since then, the hazardous agents has grown both larger (megastructures) and smaller (pesticides and atomic articles).
Thompson (2003) describes in her article how the 1960’s saw a change from insurance management to risk management, and through the last 50 years, risk management has become a management science. A broad range of techniques and methods has been developed in this period.

2.3 Risk and offshore megaprojects

The research of Flyvbjerg, Bruzelius and Rothengatter (2003) shows that megaprojects (airports, oil platforms, underwater tunnels etc) are extremely exposed to risk. The same picture is drawn for the construction industry by Tah and Carr (2000). In 9 out of 10 transport infrastructure projects, costs are underestimated, resulting in cost overrun. (Flyvbjerg, Bruzelius and Rothengatter 2003) For all project types, actual costs are, on the average, 28% higher than estimated costs. The phenomenon has been constant for the last 70 years and seems to be a global issue.
Successful megaprojects are shaped with risk resolution in mind. (Lessard and Miller, 2001). According to Lessard and Miller (2001), oil platforms projects are among the most technically difficult, second to nuclear power plants only. An EPC-contract for such a project is awarded after a series of feasibility studies, concept selections and other pre-projects. The bid for construction is invited with detailed drawings, bill of quantities and other information, (Yescombe 2002), enabling the EPC contractor to establish a risk picture in the front-end of the project. Hopkin (2010) states 5 stages at which the project will particularly benefit from risk analysis and management:

* Feasibility study phase – at this level the project can be modified at low cost
* Sanction phase – at which point the project can be stopped by the client
* Tender phase – at which point the contractor can ensure that all risks have been identified
* Post-tender. at which point the client selects the contractor, ensuring that all risks are met
During implementation of the project.

Hopkin and Lessard&Miller are thus agreeing that a front-end approach to risk is essential to succeed with risk in large projects. Their view is shared with Walewski and Gibson (2003), saying: “Identifying, allocating, and managing risks at the front end of the project planning process can improve project performance.”


2.4 Risk as a part of the project finance system

One of the main features of project finance is that risks are allocated equitably between all parties involved in the transaction, with the intention of assigning the risks to the contractual counterparties best able to control them. (Gatti 2008).
The sponsor of the project will seek to transfer as much risk as possible to the counterparties, typically the Engineering, Procurement and Construction (EPC) contractor (who builds the structure) and the Operation Contractor, who operates the project when it is completed. The contract formats are different, as EPC contracts tend to be fixed price contracts, and Operation contracts tend to be on a “cost-plus” basis. (Yescombe 2002).
An EPC contractor is a company that wins the tender for the design and construction of a given plant on the basis of an EPC contract. (Gatti 2008) The contractor is responsible for damages resulting from delays, but may also receive an early completion bonus. In addition, the contractor is required to pay penalty fees (liquidated damages) if the plant does not pass performance tests on certain key variables at guaranteed levels.
Payment of the contract price is normally made in stages, relating to items such as completing a major stage. (Yescombe 2002).
A successful project financing initiative is based on a careful analysis of all the risks the project will bear during its economic life. (Gatti 2008). Risk is a crucial factor in project finance since it is responsible for unexpected changes in the ability of the project to repay costs. We can say, like Yescombe (2002), that risk is in the heart of project finance.

2.5 Risk categories and identification

Some literature categorizes risks into categories describing the characteristics of the risks, such as Hopkin (2010):

* Hazard risks – real threats that must be treated
* Uncertainty risks – risks that cannot be predicted accurately
* Speculative risks – opportunities

Dias and Iannou (1995) conclude that there are two types of risks. 1) pure risk
when there is the possibility of financial loss but no possibility of financial gain, and 2)
speculative risk that involves the possibility of both gains and losses.
Hopkins (2010) states further that a risk classification system is necessary to identify all the risks facing an organization. Examples on such classification systems are COSO, IRM, BS31100, FIRM and PESTLE. (Hopkins 2010).
The most comprehensive risk identification model established for international projects is the International Project Risk Assessment (IPRA) model. (Walewski 2005).
Enterprises must therefore survey available techniques to find a technique that can help them distinguish significant risks from lesser significant risks. (Mathiassen, Saarinen, Tuunanen and Rossi, 2004)
What we see in Risk Management literature is that the organization must enter into a risk identification process without preconceptions (Walewski and Gibson 2003). As no projects are alike, the identification must be systematic and involve a broad part of the project with a shared understanding of what risk management is. (Hopkin 2010). The most common method is a workshop involving brainstorming, but other methods such as interviews, round table discussions, SWOT analysis (Strength, Weakness, Opportunities, Threats) and FMEA (Failure Mode and Effect Analysis) exist.

2.6 Responding to hazard risks

Hazard risks represent actual threats against the achievement of objectives. The responses to hazard risks can be summarized as the four T’s of risk management:

* Tolerate
* Treat
* Transfer
* Terminate

Walewski and Hopkin (2003) describe similar categories. According to them, 4 mitigation strategies are commonly used:

* Avoidance – when several risk choices are available
* Retention – when conscious decisions is made to accept the consequences
* Control – when monitoring and correcting is used to minimize the risk
* Transfer – when the risk is transferred or shared with other

2.7 Responding to project uncertainty and variables

Depending on the project, there are several variables that will have an impact on the project cash flow. Uncertainty is related to variables in the project, but also to the residual risk after putting controls on hazard risks.
To allow for uncertainty and variables, a contingency fund must be established, as well as contingency time built into the project plan. (Hopkin 2010). As a rule of thumb, approximately 10% of the EPC contract value, may be needed as contingency. (Yescombe 2002). However, there are methods of simulating the cash flow of the project based on a best case vs worst case scenario. (Gatti 2008).

2.8 Responding to project opportunities

To take advantage of the opportunities in the project is not to overrule the risk management process when there is a large profit to be made, such as the scenario described by Bird (2009). It is a structured method to identify where there is a potential of achieving greater benefits from taking the risk than any benefit that had resulted from not taking it. (Hopkin 2010).

2.9 Risk register

An updated, well-constructed and dynamic risk register is at the heart of a successful risk management initiative. The risk register functions as an action plan that records the status on the critical controls (actions) defined for each risk element. (Hopkin 2010).
The information in the risk register must be very precisely written, attach the real problem and not give way for personal interpretations.
When project finance literature (Gatti 2008)/(Yescombe 2003) describe a risk register, the term risk matrix is used. The risk matrix is established to identify the inherent risks of the project, in order to estimate the cash flow throughout the project.
The principle in risk management within project finance is that risks should be borne by those who are best able to control or manage them. The assignment of responsibilities must be an important part of a risk register.
Gatti (2008) describes the risk matrix as a combination between the Risk Breakdown Structure (RBS), a risk identification and classification tool such as the IPRA model (Walewski 2005), and the Project Breakdown Structure (PBS), a structural listing of all variables that are key drivers of the project’s performance and cash flow. (Archibald 2003). This combination, also called the project’s risk package (Gatti 2003), identifies all project variables and how they are affected by each of the identified risks. According to Gatti (2003), this is the starting point for any financial analysis of the project.

2.10 Risk ownership and involvement

In order to achieve the benefits of risk management, all stakeholders must work together. (Hopkin 2010). In this literature we have identified several stakeholders in the risk management process, such as the top management, risk management professionals, financial experts, purchasing departments, engineering management, health and safety professionals, construction management and planning department.
If the risk management system does not allow for these stakeholders to work together, several sub-processes will be established by the stakeholders, such as by the top management. (Walewski and Gibson 2003) In particular, this may happen when there is a large profit to be made (Bird 2009). When winning a contract or accepting changes in the project or to the project scope, this is of particular importance (Archibald 2003).

2.11 Risk culture

According to Bird (2009), the root of the problem in many organizations is the lack of risk culture. Hopkin (2010) calls it risk-aware culture, and says this is important because it determines how individuals will behave in certain circumstances.
Risk culture can be defined as a presence of the components leadership, involvement, learning, accountability and communication (Hopkin 2010). Risk culture can be measured by looking at the maturity of the organization, from naive to natural, when it comes to risk management. The corporate risk strategy or policy will give indications of the existing culture, as will the description of the external, internal and risk context of a project such as described by the ISO31000 standard of risk management.