Guidebook for Risk Assessment in Public Private Partnerships

December 2013
Table of Contents



« PreviousNext »

3 Risk Identification

Figure 3-1 . Risk Identification

Figure 3-1 . Risk Assessment Identification

3.1 Risk identification is the foundation of risk assessment

Risk identification is not a goal itself; rather it is a step that directly serves the other elements of risk assessment: risk valuation, risk management, and risk allocation. The level of detail of the identification can vary depending on the nature of the analysis. For the purpose of risk valuation, it is important to be complete. Risk management requires the identification of the most important risks, including those present during the development phase as shown in Figure 3-1. Risk management does not require practitioners to identify every single risk, but only the biggest ones.

The emergence of P3s has revealed explicit risks that practitioners were unaware of, prompting changes to the methodology for addressing risks when using innovative delivery methods. In most conventional contracts, risks are explicitly transferred to the private party while all other unidentified risks essentially remain with the public agency. In a P3 contract, the risk transfer is the other way around. The contractor becomes responsible for the project and all of the risks attached, except for the ones explicitly retained by the public agency.

This change can create confusion because it is often not entirely clear, or easy to identify, which risks the public agency retains in a conventional delivery method and which ones are transferred to the private sector in a P3 procurement. Given that under the P3 delivery scenario these previously unidentified risks are now transferred and priced, the P3 option may appear extremely expensive. This may be true when comparing a private bid to a Public Sector Comparator (PSC) in situations where these risks are not valued, but that is akin to comparing "apples to oranges."

Whereas the risk identification method and process may vary depending on the goal of the risk assessment (as discussed in 2.2), the overall purpose of risk identification is fourfold:

  • Identifying the risks of a project (section 3.2.2) within the scope of the risk assessment (3.2.1);
  • Verifying that project stakeholders have a common understanding of the risks (3.2.3);
  • Prioritizing and identifying the most important risks (3.2.4); and,
  • Structuring the risk register and assessing the overall risk profile (3.2.5).

3.2 Conducting an excellent risk identification requires proper scoping, completeness checks, detailed descriptions, and prioritization

3.2.1 Defining the scope is the starting point of risk assessment

An often forgotten but very important step is determining the overall scope of the risk assessment. It may seem like an unnecessary step, but identifying the scope of the risk assessment is important because it can vary significantly depending on the purpose and intended use of the risk assessment. See Figure 3-2 for the Risk Assessment Scope Definitions.

I-13: Scope and purpose of the risk assessment

Mr. Regan (risk manager of the I-13 Project) intends to use risk assessment at multiple stages in the project and for different purposes. This leads to different scopes for the risk assessment:

  • The scope of a risk assessment that is used for project management in the early development phase focuses on all of the risks threatening the project, up to and including contracting and financial close.
  • The scope for developing a shadow bid (an indication of the expected bid that is used to compare delivery methods in a VfM assessment) is defined by the risks that are being transferred to the private sector in the P3 agreement, after contracting and financial close.
  • The scope for a VfM analysis can be as broad as the full project for the duration of the P3 agreement being considered-and maybe even beyond-but can also focus on the risks for which we expect a difference to be found between the P3 and conventional approach.

Currently, the question of concern to Ms. Brown and Mr. Regan is: "Which delivery method is most attractive for this project from the PDOT perspective?" A VfM comparison between the contracting forms "Design-Bid-Build," "P3 toll," and "P3 availability payment" will help answer this question, and a thorough risk assessment is essential for the VfM assessment. For the purpose of valuing the risks of a project to provide financial inputs for the VfM comparison, it is important for Ms. Brown and Mr. Regan to first decide if they want to identify all of the risks in their analysis, or if they should focus only on the risks that differ between the three contracting forms.

To avoid overlooking important risks, they decide to start with the full identification of all risks. Then, they will identify the risks that differ between the three contracting forms, proceeding with those in the risk valuation step.

Figure 3-2 . Risk Assessment Scope Definitions

Figure 3-2 . Risk Assessment Scope Definitions

3.2.2 The next step is to identify all risks and avoid any "blind spots"

During the initial risk identification, one of the major challenges is avoiding blind spots. These blind spots can occur when areas are overlooked, either because of negligence or from paying too much attention to certain risks but not to others.

To avoid having to create a new process, several approaches for developing a complete risk identification process are described below:

  • Have all relevant expertise perspectives involved and present in the risk workshops. Staff members and experts with knowledge and experience in all of the fields listed in Checklist #1 (below) should be involved in the process.
  • Use existing risk assessments for inspiration. This should not be a simple "cut and paste" exercise; instead, it is tailored to the specific project, while simultaneously utilizing information from previous projects as guidance.
  • Use standard categories and checklists to facilitate completeness. The most relevant checklists are the following:

Figure 3-3 . Risk Identification Workshop Checklists

Checklist #1: Issues: Checklist #2 Project phases: Checklist #3 P3 agreement:
  • Financial and economic
  • Legal
  • Engineering
  • Permitting
  • Social and societal
  • Technical and technological
  • Organizational
  • Spatial and geographical
  • Demographical
  • Environmental and ecological
  • Political
  • Public safety
  • Project development
  • Design
  • Engineering
  • Construction
  • Operation
  • Maintenance
  • Major maintenance
  • Handback
  • Compensation event
  • Delay event
  • Force majeure

The checklists identified in Figure 3-3 should be used after a project-specific brainstorm to check for completeness rather than as a starting point, because that can lead to tunnel vision and reduce the session's creativity.

I-13: A workshop is organized to identify all risks

Mr. Regan organizes a risk identification workshop. In addition to cost estimation experts, he invites technical and legal experts as well as representatives of stakeholder groups, such as county and city representatives, and the property owners who live close to the highway. After a brainstorming session in which all participants contribute to the list of risks, the group uses the checklists to make sure nothing is overlooked.

Mr. Regan then realizes that he forgot to invite a permitting expert, which is why risks in this area have been overlooked. After consulting two permitting experts that are familiar with the project, additional risks are added to the risk register.

Furthermore, Mr. Regan concludes that there was a great deal of attention paid to construction risks, but less focus on maintenance. This happened because maintenance occurs after completion, and therefore, fell through the cracks because the group was not paying close enough attention to all phases of the project. With the help of the checklist, the risk register is completed.

A list of randomly chosen risks excerpted from the preliminary risk register is provided below:

14 Toll authorization procedure delayed.
15 Governor decides to change scope because of local interests.
16 Cost increase because of rising oil prices.
17 A concrete truck hits a construction worker.
18 Vandalism during operations period.
19 Leakage in excavation for tunnel during construction.
20 Decision makers unavailable during election period.
21 Uncertainty in cost estimates due to preliminary stage of design.
3.2.3 Describing different aspects of the risks generates a better overall understanding

A meaningful subordinated step in the identification phase is to create a joint and clear understanding of risks. This can help in avoiding the potential for project stakeholders to miscommunicate and "talk past each other."

I-13: The importance of understanding the cause and impact of the risks

One of the participants in the risk identification workshop mentions that there is a risk of unknown ground conditions. The other participants mistakenly thought the discussion was about underground streams. It was only after Ms. Brown asked for further clarification about the causes of this risk that most participants fully grasped that the main risk is the potential of finding explosives buried near a decommissioned military base. Likewise, Ms. Brown asks about the impact, which results in the conclusion that this risk would not only lead to unexpected additional costs, but also to significant delays.

It is important to emphasize that people will understand each other better if they elaborate on both the cause and the impact of potential risks as accurately as possible. To this end, it is helpful to convey a clear understanding by describing the cause of the risk and the consequences of a risk occurring in the easily understood terms of time, money, and quality.

This step not only creates a better common understanding of the risks, but also helps determine whether or not a defined risk belongs within the scope of the risk assessment. Moreover, it assists in optimizing risk allocation and defining risk management measures.

3.2.4 Risk prioritization is a vital element for risk management purposes

The objective of risk prioritization is to preselect significant risks in order to separate them from insignificant risks. This step can save a great deal of time in the long run, because it prevents undue attention being given to the management of risks that, in actuality, matter very little. The FHWA Primer on Risk Assessment for P3s defines this step as a qualitative risk assessment and describes a commonly used approach for prioritization. The qualitative risk assessment determines two factors: the likelihood of a risk occurring, and the consequences of it occurring. These factors are assigned the qualitative values of very high, high, medium, low, or very low. These judgments are then entered into a risk impact matrix to determine the risk rating. See Figure 3-4 below for a sample risk analysis guidance chart.

Figure 3-4 . Sample Risk Analysis Guidance Chart

Figure 3-4 . Sample Risk Analysis Guidance Chart

This prioritization is used to determine whether a risk is negligible, extremely important, or lies somewhere in between. This decision is, of course, variable and the criterion for what passes as "negligible" and what is "extremely important" must be defined on a project-specific basis.

The extent to which a prioritization is relevant depends on the objective of the risk assessment. If the objective is to value risks as part of the development of a financial feasibility analysis or a VfM assessment, prioritization is less relevant. The reasoning for this is that prioritization reduces the number of risks accounted for, but in a VfM analysis and financial feasibility analysis the goal is to value the full risk profile, not just a selection of individual risks. However, if the main objective is to manage risks, prioritization can be extremely relevant because it focuses the risk manager's efforts in the proper direction.

The prioritization method also indicates the value of a risk and is therefore referred to as a semi - quantitative assessment. In cases where no detailed pricing information is available, this semi-quantitative assessment can even be used for determining the value of the risks, to be further discussed in chapter 6.

3.2.5 Creating structure in the risk overview

Most projects will have a high number of identified risks, and finding order within this list can be extremely challenging. This difficulty is overcome by structuring the risk register in a way that indicates the relationships between the identified risks.

Unfortunately, some traditional listings of risks have no hierarchy or structure whatsoever - just one list with potentially hundreds of risks annotated on it. These lists do not create any useful insights aside from listing the risks but create the potential for double counting, listing redundant risks, and listing risks that occupy different "levels of abstraction."  

As mentioned, some traditional lists may have limited use because the important interrelationships between the risks are not visible to practitioners unless they look very carefully to discover the connections, a task that can be challenging or almost impossible when there are hundreds of risks present.

Applying order to this chaos increases the overall understanding of the risk profile of a project and provides the practitioner with better leveraging opportunities for control and measurement. A good way to do this is to establish a risk relation map (RRM). In the RRM, risks are presented with cause-and-effect relationships diagrammed between them, clearly demonstrating their linkages and hierarchy. An RRM allows the structuring of risks based on the project management goals, and defines the top risks as threats to these overall project goals. This step not only creates a better common understanding of the risk profile, but also assists the practitioner in recognizing blind spots. See Figure 3-5 for a sample RRM.

I-13: Levels of abstraction of risks

One major risk in the I-13 Project is cost overruns. As Mr. Regan wanted to better understand the underlying risks and causes, he decided to develop a risk relation map (RRM) indicating the causes and effects of all of the underlying risks leading to cost overruns. This RRM clearly shows the multiple layers of risk residing beneath the same top risk-in this case cost overruns.

Figure 3-5 . Sample Risk Relation Map (RRM)

Figure 3-5 . Sample Risk Relation Map (RRM)

I-13: Structuring risks top-down to understand linkages and hierarchy

The most important threats to the I-13 Project are delays in completion, budget overruns, poor road quality, and safety issues. Similar to the cost overrun RRM, Mr. Regan suggests structuring RRMs for the other top threats.

3.3 Process, timing, information, and expertise needed

Risk identification is most effective when the team conducts multiple risk identification workshops. These workshops should ideally include all of the key participants in order to yield the best results when identifying risks.

Purpose of the workshop: The identification of risks is not just a goal in itself. The initiator of a risk identification workshop will ideally define the purpose of the risk identification. Typically, the initiator of the risk assessment is the project manager, the risk manager, or the financial controller of a project. The person executing the risk assessment should be knowledgeable about risk management and workshop facilitation.

Timing:  Risk assessment should be continuous. The first risk assessment is carried out in the early stages of a project and is then repeated on a regular basis to continually update risk identification. As the project moves closer to procurement, the risk assessment becomes extensive.

Information: A simple risk identification workshop can be carried out with nothing more than paper and pencils. The facilitator asks all of the participants to write down the risks they have identified, focusing on each member's area of expertise. It is important to conduct this exercise before starting a group brainstorming session to avoid the potential problems of tunnel vision and "group think." The facilitator then collects and structures the risks. This process can be repeated, adding new areas on which to focus each time, and concentrating on different project phases or risk categories. After the workshop is completed, the risks are transferred into the risk register.

Supporting material for conducting workshops is available on various State websites. 3 It is also possible to use various software tools during the risk identification workshop. These tools are suitable for the more elaborate risk identification utilized in large and/or highly complex projects. The tools come in either standardized versions, or may be customized for the project upon request of the customer.

The software tools enable participants to add to a web-based list during a round of brainstorming, obviating the need to convene the meeting in person. This makes it possible to include a wider range of participants. Workshops held in this manner can also concentrate on discussing specific risks to enhance common understanding and add risks for identified blind spots. The risk identification tools also automatically produce a risk register.

Expertise: As discussed before, it is important to strive for completeness of information. This requires different lines of expertise to be harnessed for the risk identification process. Typically, technical expertise is primarily involved during the early stages of a project. One of the challenges during this phase is to be sure to include financial and legal expertise.

A dynamic risk assessment - with repeated risk identification workshops - will progressively reveal which type of expertise is needed. For instance, if there is revenue risk, it is useful to include a toll specialist to provide more depth to the risk assessment concerning toll revenues. Other examples include tunnel safety experts, geologists for specific ground conditions, environmental experts, and local experts when appropriate.

3.4 Output: The identification process produces a risk register

The development of the risk register - in spreadsheet or database - is the ultimate outcome of the initial risk identification process. The items in the risk register should be mutually exclusive and exhaustive; there should be no overlaps and/or gaps remaining. Risks can be pooled or categorized related to the goal of the risk assessment (allocation, management, or valuation). The risk register may serve as a checklist for P3 contracts to make sure that all risks are allocated.

After the risk register is created, continual updates should be made throughout the risk management process as the project progresses. When updating the risk register, the practitioner should include: the cause, description, and effect of the risk; the timing of the risk based on project phase; and any information that makes it possible to check for completeness, such as risk category or perspective.

I-13: Risk register

Mr. Regan decides to build a risk register in Excel, which he and his team are going to use throughout the project development process. He decides to start with the following fields for all risks:

  1. Risk ID number
  2. Risk name
  3. Risk category
  4. Risk description
  5. Impact phase
  6. Cause(s)
  7. Impact(s)
  8. Probability level (1-5)
  9. Impact level (1-5)
  10. Risk management measures
  11. Risk allocation
  12. Risk valuation method
  13. Risk value


3. See for example,

« PreviousNext »

back to top
back to top