Cost Management – Risk Management

Post 6 of the Built Environment Series | For Quantity Surveyors, Project Managers, Construction Professionals & Students


Every construction project is an exercise in managed uncertainty. From the moment a client decides to build, they are committing resources to an outcome that cannot be fully known in advance. Ground conditions may differ from expectations. Material prices may rise. Key subcontractors may fail. Design changes may cascade through the programme. Weather may be exceptional. Any of these events — and dozens more — can threaten a project’s cost, time, and quality objectives.

Risk management is the discipline that makes this uncertainty visible, quantifiable, and — to the greatest possible extent — controllable. It is not about eliminating risk, which is impossible, but about understanding it clearly enough to make informed decisions about how much to accept, how much to mitigate, and how much to transfer.


What Is Risk in a Construction Context?

In construction, risk is conventionally defined as an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives. This definition has two important implications.

First, risk is about uncertainty. An event that is certain to occur is not a risk — it is a fact that should be reflected directly in the cost plan or programme. A risk is something that might happen. This is why the treatment of risk requires probabilistic thinking rather than simple worst-case assumption.

Second, risk can be positive as well as negative. In construction, the term is most commonly used to refer to threats — events that would increase cost or delay the programme. But opportunities also exist: a contractor who performs more efficiently than planned, a material price that falls below budget, a design that proves more buildable than expected. A mature risk management framework captures both.

The relationship between risk and uncertainty changes through the project lifecycle. At the earliest stages — when the scope is loosely defined and the design is conceptual — uncertainty is at its maximum. As design develops, site investigation is completed, contractors are appointed, and construction progresses, uncertainty reduces. This is why risk and contingency allowances should be highest at the beginning of a project and should reduce (in a controlled, documented way) as the project matures.


The Risk Management Process

Risk management is a cyclical process, not a one-off exercise. It comprises five stages that are repeated throughout the project lifecycle.

1. Risk Identification

The first step is to identify, as comprehensively as possible, all the risks that could affect the project. This is typically done through a structured workshop involving key members of the project team — client, design team, QS, project manager, and (if appointed) contractor.

Identification techniques include brainstorming sessions; structured checklists based on project type and sector; lessons learned from previous similar projects; review of the site investigation report, ground model, and geotechnical data; review of the programme for interfaces, dependencies, and critical path items; and consideration of the external environment — planning regime, utilities infrastructure, traffic management, community relations.

The output of risk identification is a comprehensive list of potential events, each described in terms of its cause, the risk event itself, and its potential effect. A well-described risk follows the format: “Due to [cause], there is a risk that [event], which would result in [effect on project objectives].” This structure forces clarity about what exactly the risk is and why it matters.

2. Risk Assessment

Once risks have been identified, each must be assessed in terms of its probability of occurrence and the magnitude of its potential impact. This assessment is typically recorded in a risk register — a live document that forms the backbone of the risk management process.

Assessment can be qualitative or quantitative:

Qualitative assessment assigns descriptive ratings — High, Medium, or Low — to both probability and impact, and plots the result on a risk matrix (sometimes called a heat map). This is simple, fast, and accessible to non-technical stakeholders, but it lacks the precision needed for financial quantification.

Quantitative assessment assigns numerical probabilities and financial values to risks, enabling the total risk exposure to be calculated and incorporated into the cost plan. This is more rigorous but requires better data and more analytical effort.

The standard quantitative approach assigns each risk a probability (expressed as a percentage likelihood of occurrence) and an impact range (a minimum, most likely, and maximum cost impact). The expected value of a risk is then calculated as probability multiplied by the most likely impact — so a risk with a 30% probability of occurring and a most likely cost impact of £100,000 has an expected value of £30,000.

3. Risk Response Planning

For each identified risk, the project team must decide what to do about it. There are four principal response strategies:

Avoid — eliminate the risk entirely by changing the project scope, design, or approach. For example, redesigning a foundation to avoid known contamination rather than treating it. Avoidance is the most effective response but is not always feasible.

Mitigate — take action to reduce the probability of the risk occurring, or to reduce its impact if it does occur. For example, carrying out additional ground investigation to reduce uncertainty about ground conditions; or designing a more robust drainage system to reduce the impact of heavy rainfall events.

Transfer — pass the financial consequence of the risk to another party, typically through the contract (e.g., requiring the contractor to carry the risk of ground conditions above a specified baseline) or through insurance. It is important to understand that transferring a risk does not make it disappear — it simply changes who pays if the risk materialises. And as noted in Post 2, risks transferred to parties who cannot manage them tend to resurface as claims and disputes.

Accept — acknowledge that the risk exists and make a financial provision for it, without taking specific action to avoid, mitigate, or transfer it. Acceptance is appropriate for risks where the cost of mitigation exceeds the expected value of the risk, or where no practical mitigation is available. Accepted risks should be included in the project contingency.

4. Risk Monitoring and Control

Risk management is not a one-off exercise carried out at the beginning of the project. The risk register must be reviewed and updated regularly — at least monthly during construction — to reflect the current status of each risk. Risks that have materialised should be closed and their actual cost recorded. New risks that have been identified should be added. Risks that have passed without occurring should be closed and their provision released.

The regular risk review meeting — attended by the key members of the project team — is the forum for this ongoing management. It should be a standing item on the project’s meeting schedule, not an occasional exercise triggered by a crisis.

5. Risk Reporting

The outputs of the risk management process must be communicated clearly to the client and the project board. The risk report — typically presented as part of the monthly cost report — should show the current top risks by probability and impact, the total quantified risk exposure, the status of agreed mitigation actions, and the remaining contingency against the outstanding risk exposure.

Clients who understand the risk picture are better placed to make informed decisions — about whether to proceed, how to adjust the scope, and how much contingency to retain. Clients who are shielded from the risk picture make decisions in the dark, and they tend to be angry when risks materialise without warning.


The Risk Register

The risk register is the central document of the risk management process. It is a live, structured record of all identified risks, their assessment, their agreed response, and their current status. A well-maintained risk register typically captures the following information for each risk:

  • A unique reference number
  • A description of the risk (cause, event, effect)
  • The category of risk (design, ground, programme, commercial, external, and so on)
  • The risk owner — the person responsible for managing the risk and implementing the agreed response
  • The probability of occurrence (pre-mitigation and post-mitigation)
  • The impact range — minimum, most likely, maximum — in cost and time
  • The expected value (probability × most likely impact)
  • The agreed response strategy (avoid, mitigate, transfer, accept)
  • The specific mitigation actions, with the responsible person and target date
  • The current status of the risk (open, closed, occurred)
  • If occurred: the actual cost impact

The risk register is a live document — not a report produced once at the start of the project and filed away. It should be updated continuously and reviewed formally at regular intervals.


Quantifying Risk: From Register to Cost Plan

The risk register feeds directly into the cost plan. The total financial provision for risk and contingency in the cost plan should be grounded in the quantified assessment in the register — not simply a percentage applied without analysis.

Expected Value Method

The simplest approach is to sum the expected values of all open risks in the register and include that total as the risk provision in the cost plan. This is straightforward to calculate and easy to explain to clients, but it has a significant limitation: the expected value represents the statistical average outcome across all possible scenarios, not any specific scenario. On any individual project, the outturn cost will not equal the expected value — it will be higher or lower, depending on which risks actually materialise.

Monte Carlo Simulation

A more rigorous approach uses Monte Carlo simulation — a computational technique that models the full range of possible outcomes by running thousands of iterations of the project, each time drawing random values for each risk from its probability distribution. The result is not a single number but a probability distribution of possible outturn costs, showing — for example — that there is a 50% probability that the project will cost less than £X (the P50), an 80% probability that it will cost less than £Y (the P80), and a 90% probability that it will cost less than £Z (the P90).

Monte Carlo simulation is particularly valuable for communicating risk to clients, because it replaces the false precision of a single-point estimate with an honest representation of the range of possible outcomes. A client who understands that there is a 20% probability of the project costing more than £Y is in a much better position to make informed decisions about contingency and risk appetite than one who has simply been given a single figure.

Monte Carlo tools are readily available — from specialist risk software such as @RISK and Oracle Primavera Risk Analysis to built-in functionality in some cost management platforms. The technique is increasingly expected on major public sector projects and is standard practice on NEC and FIDIC contracts.
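The two methods described above, run side by side on a small risk register. This is an added example, not code from the original post: the register values are constructed for illustration, and the simulation assumes that risks are independent and that each impact follows a triangular distribution over its minimum, most likely, and maximum values.

```python
import random

# Constructed sample register (illustrative values, not from the post).
# p = probability of occurrence; impact = (min, most likely, max) cost in GBP.
REGISTER = [
    {"ref": "R01", "p": 0.30, "impact": (40_000, 100_000, 250_000), "status": "open"},
    {"ref": "R02", "p": 0.20, "impact": (20_000, 60_000, 150_000), "status": "open"},
    {"ref": "R03", "p": 0.10, "impact": (100_000, 300_000, 600_000), "status": "open"},
    {"ref": "R04", "p": 0.50, "impact": (10_000, 25_000, 60_000), "status": "open"},
    {"ref": "R05", "p": 0.40, "impact": (5_000, 15_000, 30_000), "status": "closed"},
]


def open_risks(register):
    """Only open risks carry a provision; closed ones have been released."""
    return [r for r in register if r["status"] == "open"]


def expected_value_total(register):
    """Expected value method: sum of probability x most likely impact."""
    return sum(r["p"] * r["impact"][1] for r in open_risks(register))


def simulate(register, iterations=20_000, seed=1):
    """Return the sorted total risk cost for each simulated run of the project.

    Assumptions: risks are independent, and the impact of a risk that occurs
    follows a triangular distribution over (min, most likely, max).
    """
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    risks = open_risks(register)
    totals = []
    for _ in range(iterations):
        total = 0.0
        for r in risks:
            if rng.random() < r["p"]:  # does the risk occur in this run?
                low, mode, high = r["impact"]
                total += rng.triangular(low, high, mode)
        totals.append(total)
    return sorted(totals)


def percentile(sorted_totals, pct):
    """Cost not exceeded in pct% of runs (P50, P80, P90)."""
    index = min(len(sorted_totals) - 1, int(pct / 100 * len(sorted_totals)))
    return sorted_totals[index]


if __name__ == "__main__":
    totals = simulate(REGISTER)
    print(f"Expected value provision: £{expected_value_total(REGISTER):,.0f}")
    for pct in (50, 80, 90):
        print(f"P{pct}: £{percentile(totals, pct):,.0f}")
```

With impact ranges skewed towards the maximum, as here, the P80 sits above the expected value total, which is the limitation of the expected value method noted earlier.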


Categories of Construction Risk

Construction risks can be grouped into broad categories, each of which requires specific management attention.

Ground and subsurface risks are among the most significant on many construction projects. Unexpected ground conditions — contamination, made ground, groundwater, unexploded ordnance, buried services, archaeological remains — can have a major impact on both cost and programme. Mitigation involves thorough site investigation before design is fixed, realistic geotechnical risk assessment, appropriate ground risk allocation in the contract, and early contractor involvement where ground conditions are complex.

Design risks include incomplete or late design information, design changes, coordination failures between disciplines, and design that proves unbuildable or more complex to construct than anticipated. Mitigation involves rigorous design management, clear information release schedules, and BIM coordination to identify clashes before they reach site.

Programme risks include delays to critical path activities, interface failures between packages, late procurement of long-lead items, and weather events. Mitigation involves realistic programming, proactive procurement of long-lead items, float management, and early warning of programme threats.

Commercial and supply chain risks include contractor insolvency, subcontractor failure, material price escalation, and labour shortages. Mitigation involves financial due diligence on the supply chain, appropriate contract terms (including pain/gain mechanisms and open-book arrangements on target cost contracts), and robust subcontract management.

Planning and regulatory risks include delays to planning approval, conditions attached to consent, changes to building regulations, and challenges from third parties. Mitigation involves early engagement with the local planning authority, pre-application consultation, and realistic programming of the planning process.

External and force majeure risks include extreme weather events, pandemics, geopolitical events, and utility failures. These risks are generally accepted rather than mitigated, with appropriate contractual provisions and insurance cover.


Risk Allocation in the Contract

One of the most important risk management decisions on any project is how risk is allocated between the employer and the contractor in the contract. As discussed in Post 2, risk should be allocated to the party best placed to manage it — but this principle is frequently honoured in the breach.

The NEC4 contract is particularly sophisticated in its approach to risk allocation. The contract data requires the employer to specify which risks they are retaining (the Employer’s Risk Register) and the contract provides a clear mechanism (Compensation Events) for dealing with those risks when they materialise. The contractor carries all other risks within their contract price.

Under JCT, the allocation of risk is less explicit but equally important. The QS advising on contract terms must consider carefully which risks the employer is retaining (through the bills of quantities, the specification, or specific contract provisions) and ensure that the risk allowance in the budget is commensurate with the risks being retained.

A common and costly mistake is to transfer risk to the contractor through the contract but not reduce the employer’s contingency to reflect the transfer. The employer ends up holding contingency for risks that the contractor is bearing — an inefficient use of the client’s budget.


Optimism Bias

No discussion of construction risk is complete without addressing optimism bias — the well-documented human tendency to underestimate costs, overestimate benefits, and underestimate the time required to complete projects.

Research by the UK Treasury and the Infrastructure and Projects Authority (IPA) has consistently shown that construction projects — particularly large public sector infrastructure schemes — systematically underestimate their outturn costs at the point of business case approval. The Flyvbjerg studies of major infrastructure projects worldwide found average cost overruns of 44% for road projects, 45% for rail projects, and 20% for building projects.

To address this, HM Treasury’s Green Book guidance requires public sector clients to apply an Optimism Bias (OB) uplift to project cost estimates at the business case stage. The OB uplift is derived from empirical data on cost overruns for comparable project types and is intended to adjust the estimate to a more realistic expected outturn cost. Standard OB uplifts range from around 4% for well-defined standard building projects to over 50% for large, novel infrastructure schemes.

For private sector projects, OB is not a regulatory requirement, but the underlying phenomenon is equally real. QSs advising private sector clients should be alive to the risk of systematic underestimation and should scrutinise early-stage estimates accordingly.


Summary

Risk management is not a bureaucratic exercise in filling in spreadsheets — it is a fundamental commercial discipline that determines whether a project can be delivered within its approved budget. A project team that understands its risks, has planned its responses, and is monitoring the risk register actively is in a fundamentally stronger position than one that is managing by instinct and hoping for the best.

The key principles to carry forward:

  • Risk management is a cyclical process — identify, assess, respond, monitor, report — repeated throughout the project lifecycle, not a one-off exercise at the start
  • The risk register is a live document; it must be updated regularly and reviewed formally at every stage of the project
  • Risk provisions in the cost plan should be grounded in the quantified risk register, not simply derived from a percentage applied without analysis
  • Monte Carlo simulation provides a more honest representation of cost uncertainty than a single-point estimate and is increasingly expected on major projects
  • Risk should be allocated to the party best placed to manage it — and the cost plan and contract should be consistent with each other on this point
  • Optimism bias is real, pervasive, and expensive — QSs must be willing to challenge unrealistic estimates and advocate for adequate risk provision, even under client pressure

In the next post in this series, we turn to life cycle costing and whole-life value — how to move beyond the construction cost to consider the total cost of owning and operating a built asset over its full lifespan, and why this perspective leads to fundamentally better design and investment decisions.


This series is written for quantity surveyors, project managers, construction professionals, and students in the built environment. Feedback and questions are welcome.