Module 5

Module 5

Project Risk Management and

Procurement Management
Introduction
This module examines two additional facilitating project management
functions – risk, and procurement management. Project risk management
is the art and science of identifying, assigning, and responding to risk
throughout the life of a project and in the best interests of meeting project
objectives. Project procurement management is defined as the processes
required to acquire goods and services for a project from outside the
performing organisation.

Upon completion of this module you will be able to:

 explain the nature of risks in relation to project management.

 identify the different types of risk faced in project management.
 construct a plan to mitigate and monitor risk during the project
lifespan.
Outcomes
 evaluate the risk exposure of a project.
 apply procurement management as a competitive tool in project
management.
 implement the six processes in project procurement management.

Project risk Defined as identifying risk events and developing

management: strategies to respond and control risks should they
occur in a project. Especially important during
planning stage and continues throughout
implementation stage.
Terminology
Business risk: Normal risk of doing business that carries
opportunities for both gains and losses. Example;
Nokia’s phones were not popular with consumers
who preferred iPhones and Nokia suffered
financial losses.

Pure or insurable Risk that presents an opportunity for loss only.

risk: Example; a fire that damages the business
premises. Insurance coverage can be purchased.

136
 E2 Project Management

Known risks: Risks that were identified for a particular project.

Example; earthquakes are a known risk in Japan.

Unknown risks: Risks that were not identified or that could not be
reasonably identified. Example; assassination of
the head of a country that leads to chaos in that
country.

Frequency or How often a risk event may occur. Usually

probability of expressed in terms of how many times the risk
occurrence of a risk event occurs in a given period.
event:

Severity of impact of The degree or seriousness that a risk event poses to

a risk event: the project. Can be expressed in monetary losses,
loss of lives and loss of time.

Project procurement The processes required to acquire goods and

management: services for a project from external parties.

Make-or-buy An analysis on whether an organisation should

analysis: make a product or provide a service in-house or
outsource. The criteria in the analysis include costs
and competencies.

Fixed price or lump Contracts with a fixed total price for the delivery
sum contracts: of a well-defined product (e.g. $20 million for the
construction of a five-storey office building with
related specifications) or service ($2,000 per
machine for the rental and servicing of office
photo-copier machines).

Cost reimbursable Contracts involving payment to the vendor for

contracts: direct and indirect actual costs incurred, plus a
profit margin and incentive to the suppliers.

Unit price contracts: Contracts where the total value of the contract is a
function of the quantities needed to complete the
work. Example; $1,200.00/ton of cement.

Statement of work: A detailed technical and qualitative description of

the work required for the procurement.

Requests for Outlines the general problem and requirements of

proposal: the buyer for the potential suppliers to propose a
solution.

Invitations to quote: To solicit price quotes for products (usually ready-

made) with clearly defined features or for services
where the tasks are clearly defined.

137
Module 5

Required Reading
Reducing Project Management Risk:
http://www.netcomuk.co.uk/~rtusler/index.html

Reading

Project risk management

Project risk management is the art and science of identifying, assigning,
and responding to risk throughout the life of a project and in the best
interests of meeting project objectives.

Risk management can often result in significant improvements in the

ultimate success of projects. Risk management can be applied to:
 Selecting projects
 Determining project scope
 Developing schedules
 Developing cost estimates.

Risk management helps stakeholders understand the nature of the project,

involves team members in defining strengths and weaknesses and helps
to integrate the other project management knowledge areas.
Project risk management defined

Let’s start with a basic understanding of the concepts of risk management

and its general application within a project.

Risk management is a process that focuses on identifying risk events and

developing strategies to respond and control risks should they occur in a
project. It is not a one-time event carried out at the beginning of a project.

Risk management is a critical process in project management which is not

often conducted or handled well. Defining and using a risk management
process in your projects is proactive management. Risk management
allows the project manager to view the project across the life cycle to
identify, assess, prioritise, respond to and control project risk. Effective
risk management increases the probability of project success by:
 Preventing surprises/problems
 Preventing management by crisis
 Improving customer/stakeholder satisfaction
 Increased profitability and competitive advantage.

138
 E2 Project Management

PMI™6 in the Project Management Body of Knowledge (PMBOK™)

defines risk management as ‘the systematic process of identifying,
analysing, and responding to project risk.’ It includes maximising the
probability and consequences of positive events and minimising the
probability and consequence of adverse events to project objectives.

Risk management and the project planning process

Diagram used with permission Enterprise Project Management Ltd.

The nature of risk

A source of risk is any factor that can affect project performance, slow
down or stop the project. Considerations are probability of the occurrence
and the impact to the project should the risk occur.

At the onset of a project or during the initiation phase there is much

uncertainty or unknown. Clarity of potential risk occurs once planning
has completed and as the project implementation runs through until
completion.

Risk impact is the greatest during the mid-point of project

implementation when a significant amount of money and time have been
expended.

6
PMI – Project Management Institute ™

139
Module 5

Risk is often described as a negative value when in fact this definition is

not necessarily an accurate perception. A risk event can have either a
positive (opportunity) or negative (threat) impact to the project. For
example, there are threats that may not occur in the project, and there are
opportunity events that may or may not occur. Both threats and
opportunities must be addressed in a good risk management plan.

An example of an opportunity might be the use of new technology that in

itself has some risk; however using the technology could reduce
development time. A threat example is using untried technology in a
project which could fail and set the project behind schedule or even
require the investment of an alternative technology. Defining the
probability of such occurrences and their impact to the project should
they occur is essential to defining your risk management plan.

Risk is comprised of identifying events that may or may not occur in a

project and assessing the probability of the occurrence along with the
impact to the project should the risk occur.

Definition at the beginning of the project process of the objectives and

performance criteria has a fundamental influence on the level of project
risk. Tight schedules and budgets can make a project more “risky” if
there is no flexibility in the schedule and reaching the target may be
questionable to begin with.

Project risk management requires that strategies developed for managing

risk must be inclusive of strategies for managing project objectives. Often
projects establish objectives and performance criteria for the project
without consideration for various stakeholder groups who hold an interest
or are impacted by the project. All impacted parties need to be included
in this first step of establishing parameters for the project. It is only then
that a thorough risk management process can be developed and
implemented in a project.

Overall project risk is related to the risk components identified

previously, (event, probability, impact). The term risk exposure is often
used to describe the extent or significance of a particular risk to the
project. Risk exposure is calculated by multiplying the probability of a
risk occurrence by the impact should the risk occur. We will discuss tools
and processes to assess risk using this concept in future modules. Suffice
it to say that risk is a function of all three components and will vary from
project to project and according to the players involved in the project and
the situations particular to environments. PMI™ distinguishes business
risk from pure risk.
 Business risk: Normal risk of doing business that carries
opportunities for both gains and losses. (Business risk occurs as a
result of business decisions such as the decision to use a new
technology in a project to leverage future business opportunities.)
 Pure or insurable risk: Risk that presents an opportunity for
loss only. (For this type of risk you could purchase insurance)
 Known risks: Risks that were identified for a particular project

140
 E2 Project Management

 Unknown risks: Risks that were not identified or managed –

unknown risks if they occur on a project and are positive are
called windfalls.
The role of risk management in a project

Risk management is a critical part of the project planning process. Risk

management has the potential to influence project design and project
activities throughout the life of the project. It is therefore important to
establish a risk management plan in the early phases of a project and to
conduct risk management activities as a normal part of the project
management process.

Risk management is a proactive process when conducted well can modify

future incidents and their potential impact on the project. If a project
manager carries out a thorough risk management process it will reduce
the amount of time spent on reactive and crisis management. Effective
risk management reduces crisis management to an acceptable level.

Good project management can be viewed as risk management. Good

planning and change control, setting goals and milestones in itself are
responses to general sources of risk such as human error. Establishing a
risk management process in the early stages of the project integrated into
the project plan will provide a positive effect on proactive and reactive
risk management during the life of the project.

The project manager is responsible for initiating and leading the process
of project risk management. In other words, the project manager must
ensure that risk management happens. This would include ensuring that
risk management is integrated into all aspects of project management,
such as the project plan or the change control process.

In addition, the project manager must effectively communicate with the

team members to provide direction concerning risk management. The
project manager must ensure that the team members understand the risk
management process for the project and use the appropriate risk
management tools and techniques to ensure the effective management of
risk.

While the project manager initiates, leads, and provides direction for risk
management, the team members are responsible for carrying out risk
management as they are also the ones who actually do the work. The risk
management activities carried out by the team would include performing
risk identifying and analysing risks, developing response strategies and
carrying them through when necessary, and controlling risk. The team
members must then communicate on a consistent and frequent basis to
the project manager, the findings, strategies, and actions.

The project sponsor and the project steering committee have a role in the
risk management process. They must agree to the risk management plan
developed by the project team and the project manager and these are the
people that the project manager notifies when a risk is identified.
Agreement is essential to ensure that both the sponsor and any steering

141
Module 5

committee understand the types and nature of the risks the project is
exposed to and how the team plans to address the risks. In essence,
agreement is a sign-off process thereby reducing the element of surprise
should a risk occur.

Risk belongs to the organisation and the customer. It belongs to the

organisation because any risk can affect the ability to carry the project to
completion, and it affects the customer in a more indirect fashion; if a
risk can jeopardise the organisation’s ability to complete the project, it
can harm the customer if the final product is delayed, delivered or
otherwise affected by risk.

One of the largest hurdles to overcome for a project manager is senior

management understanding and attitude toward risk. Often this is a result
of minimal understanding of the concepts of risk and a preference to rely
on aggressive risk taking as a positive process. Better decisions are made
with higher chance of success when there is a common understanding and
acceptance of risk management as a key process in the project.
Risk and the project life cycle

The diagram below depicts that elements of risk management occur

across and throughout the project life cycle. Risk monitoring and control
occurs during the implementation phase and re-planning is completed
during the implementation and close out phase.

INITIATION PLANNING IMPLEMENTATION CLOSE OUT

Diagram used with permission Enterprise Project Management Ltd.

The risk management process

The PMBOK™ provides an overview of the processes defined as:

 Risk Management Planning – deciding how to approach and
plan the risk management activities for a project
 Risk Identification – determining which risks might affect the
project and documenting their characteristics

142
 E2 Project Management

 Qualitative Risk Analysis – performing a qualitative analysis of

risks and conditions to prioritise their effects on project
objectives
 Quantitative Risk Analysis – measuring the probability and
consequences of risks and estimating their implications for
project objectives
 Risk Response Planning – developing procedures and
techniques to enhance opportunities and reduce threats to the
project’s objectives
 Risk Monitoring and Control – monitoring residual risks,
identifying new risks, executing risk reduction plans, and
evaluating their effectiveness throughout the project life cycle.

All processes interact with each other and with all knowledge areas
within the PMBOK. The PMBOK also defines inputs, tools and
techniques and outputs for each of the processes identified within risk
management.

The process description for risk management is depicted in the chart

below.
 Risk Identification
 Risk Analysis
 Qualitative
 Quantitative.
 Risk Response Development
 Risk Response Control
 Implement Strategy.
 Evaluate Results
 Document Results.

The following diagram depicts a standard risk management process.

Diagram used with permission Enterprise Project Management Ltd.

143
Module 5

The above diagram displays that risk management is conducted as a

continuous process throughout the entire project life cycle. Planning and
execution are continuous.
Sources of risks in projects

A number of studies have shown that projects share some common

sources of risk. In 1996 the Standish Group developed7 the following top
ten success criteria for information technology projects based on
interviews with 60 IT professionals (weight indicate relative importance)
- the same concept is true across business projects within organisations:

Success Criterion Weight

User involvement 19
Executive Management support 16
Clear statement of requirements 15
Proper planning 11
Realistic expectations 10
Smaller project milestones 9
Competent staff 8
Ownership 6
Clear visions and objectives 3
Hard-working, focused staff 3
Total 100

Broad Categories of risk include:

 Market risk – will the project product be marketable, and
competitive?
 Financial risk – is the project affordable and will it provide the
expected ROI? What about opportunity cost? Could the money
be better spent elsewhere?
 Technology Risk – is the project technically feasible? Will the
technology meet project objectives? Will the technology be
obsolete before the product is produced?

The Project Management Institute has a specific interest group on risk

management. Check out their website at http://www.risksig.com/

7
The Standish Group. (1996) Unfinished Voyages (www.standishgroup.com/voyages.html)

144
 E2 Project Management

Risk identification

Risk identification involves identifying which risks are likely to affect a

project and documenting the characteristics of each. The most effective
way of identifying project risks is by using some form of systematic
approach, whether it be by project management knowledge area, systems
development life cycle phase or developing a customised checklist based
on previous project experience.

Risk events are specific things that may occur to the detriment of the
project (significant changes in project scope, strikes, supply shortages,
etc.). To characterise or define a risk event you need to examine and
document the following parameters.
1. What is the probability of occurrence?
2. What is the impact to the project or the outcome if it does occur
(severity)?
3. When might it occur?
4. How often might it occur (frequency)?

Risk symptoms are the indicators or triggers for the actual risk event. For
example, cost overrun may be symptomatic of poor estimation, or
product defects may be symptomatic of a poor quality supplier.
Identification and documentation of potential risk symptoms provides a
diagnostic tool for project teams and suggests potential corrective action.
Risk qualitative and quantification assessments

Risk analysis (qualitative or quantitative) is the process of evaluating risk

to assess the range of possible project outcomes. The approach involves
estimating probability of occurrence, potential impact on the project and
possible mitigation strategies. By quantifying risks, project managers and
teams can then rank and prioritise them and establish acceptable risk
thresholds.

Expected Monetary Value

Expected monetary value is defined as the product of the risk event

probability times the risk event’s monetary value. That is, if the estimated
cost of a risk event (e.g., the senior subject matter expert quitting and
having to recruit and hire a new one) is $10,000 and the probability of it
occurring is 20 per cent, the expected monetary value would be 20% X
$10,000 = $2,000.

PERT Estimations

Programme Evaluation and Review Technique (PERT) analysis,

discussed in Module 2, is actually a highly simplified risk analysis
method. It involves the provision of three estimates of an activity’s
duration – pessimistic, optimistic and most likely. The technique places
four times the weight on the most likely estimate than on the optimistic or

145
Module 5

pessimistic ones. A more accurate and flexible method is something

called Monte Carlo simulation.

Monte Carlo Simulation for Project Risk Analysis

Simulation uses a system model to analyse expected behaviour or

performance. Monte Carlo analysis is a risk quantification technique that
simulates a model’s outcome many times (100 – 1,000 times) to provide a
statistical distribution of the calculated results.

Monte Carlo analysis also uses pessimistic, optimistic, and most likely
estimates and the probabilities of their occurrence. Simulations such as
these are a more sophisticated method for creating estimates than PERT
and can more accurately help determine the likelihood of meeting project
schedule or cost targets. Many organisations globally use Monte Carlo
simulation for risk analysis. PC software programmes like @RISK
provide Monte Carlo simulation capability to project management
software like MS Project and to standard PC spread sheets.

Expert Judgment

Many firms use the past experience and intuition of experts in lieu of or
as a supplement to quantitative risk analysis. One common approach to
gathering expert opinion is the Delphi method, used to derive a consensus
among a panel of experts to make predictions about future developments.
The method uses repeated rounds of questioning including feedback of
earlier responses to take advantage of group input to refine the response.
The process is continued until the group responses converge to a specific
solution. This method works well in developing probability assessments
for risk events.

Quantification of Risk in Project Management

Risk is a measure of the probability and consequence of not achieving a

project on time and budget. Thus risk for each event is a function of two
components: likelihood of occurrence and its subsequent impact.

Mathematically Risk = f (likelihood, Impact)

Decision making under risk is crucial. It can be categorised into three

types:
1. Decision-making under certainty
2. Decision-making under risk
3. Decision-making under uncertainty.

Let’s look at each of these by taking an example from Kerzner (2003) to

explain these three situations and the decision-making process.

1. Decision-making under certainty

Here we are 100 per cent aware of what the states of nature will be and
the respective outcome. Say we have three strategies and each one has the

146
 E2 Project Management

probability of occurrence, then the maximum of all expected values

would be a manager’s choice.

States of Nature
Strategy N1 = Up N2= Even N3=Low
S1 $50 $40 -$50
S2 $50 $40 $60
S3 $100 $80 $90

Obviously strategy S3 will always yield high profits then other two. So a
project manager would always select S3 in this situation.
2. Decision-making under risk

Risk can be attributed to outcomes that can be established within

confidence limits known as probability distribution. The question is how
much probability can be assigned. These probabilities are often estimated
or come from previous experience. Using the previous example, we are
going to assign the probability of occurrence as 25 per cent, 25 per cent
and 50 per cent respectively for three states of nature N1, N2 and N3 as
indicated below.

States of Nature
Strategy N1 = Up N2= Even N3=Low
0.25 0.25 0.5
S1 $50 $40 -$50
S2 $50 $50 $40
S3 $100 $80 $90

Calculation:

The expected value for strategy S1, S2 and S3 are:

E1= 0.25 ($50)+0.25 ($40) -0.5 ($50) = -$2.5

E2 = 0.25 ($50)+0.25 ($50) +0.5 ($40) = $45

E3 = 0.25 ($100)+0.25 ($80) +0.5 ($90) = $90

So based on the expected value, the project manager will select strategy
S3 with highest yield $90.

The probability assignment varies from one manager to another. When

the probability assignment gets changed, the choice of strategy gets
changed as yield changes. That means when the probability of occurrence
is changed to 30 per cent, 25 per cent and 45 per cent respectively, the
yield changes, hence the decision.

147
Module 5

4. Decision-making under uncertainty

Under uncertainty, meaningful assignment of probability is not possible.

We are completely in the dark about the occurrence of any crisis.
Decision making under uncertainty implies that there is no single
dominating strategy. The following are four basic criteria for making
decision under uncertainty.
a. Hurwicz criterion (maximax criterion)
b. Wald criterion (maximin criterion)
c. Savage criterion (minimax criterion)
d. Laplace criterion (uncertainty is converted into risk).

We are going to explain each of them with examples.

a. Hurwicz criterion (maximax criterion):

The decision maker is always optimistic and attempts to maximise its

profits. In applying this criterion, a strategy with maximum profits will be
chosen. The use of maximax criteria is based on how big the risk is that
can be undertaken and how much one can afford to lose. The project
manager would always go for strategy S3 because maximum profit is
$100 (refer to example in 2).
b. Wald criterion (maximin criterion)

Wald or maximin criterion is a pessimistic rather than optimistic position

where the attempt is to minimise the maximum loss. Referring to the
example in (2), the minimum payoffs are -50, 40 and 80. As the objective
is to minimise the maximum loss, the project manager would select 80 in
strategy S3.
c. Savage criterion (minimax criterion)

The project manager’s objective is to minimise the maximum regret.

Therefore, the regret table can be calculated from the example cited in
section (2). The regret table can be calculated by subtracting all the
elements in each column from the largest element. The maximum regret
is the largest one for each strategy in each row.

States of Nature
Strategy N1 = Up N2= Even N3=Low
S1 $50 $40 -$50
S2 $50 $50 $40
S3 $100 $80 $90

148
 E2 Project Management

Regret table
Strategy N1 = Up N2= Even N3=Low
S1 $100-$50 $80 - $40 $90 - (-$50)
S2 $100 - $50 $80 - $50 $90 - $40
S3 $100 - $100 $80 - $80 $90 - $90

Regret table
Maximum
Strategy N1 = Up N2= Even N3=Low
regrets
S1 $140 $50 $40 $140
S2 $50 $50 $30 $50
S3 $0 $0 $0 $0

The savage criterion would select strategy S3, the minimum of all.
d. Laplace criterion (uncertainty is converted into risk)

In Laplace criterion the uncertainty situation is transferred into risky

situation. No probability is attached to uncertainty but definitely to
situation under risk. In this situation each states of nature has an equal
probability of occurrence say 1/3 = 33.33 per cent.

We can explain this using the same example from section (2) with
probability 1/3.

States of Nature
Strategy N1 = Up N2= Even N3=Low
0.33 0.33 0.33
S1 $50 $40 -$50
S2 $50 $50 $40
S3 $100 $80 $90

Calculation:

The expected value for strategy S1, S2 and S3 are

E1= 0.33 ($50)+0.33 ($40) -0.33 ($50) = $13.2

E2 = 0.33 ($50)+0.33 ($50) +0.33 ($40) = $46.2

E3 = 0.33 ($100)+0.33 ($80) +0.33 ($90) = $89.1

149
Module 5

The Laplace criterion would select strategy S3 resulting in profit of

$89.1.

Finally, risk is inevitable. Is the project manager ready to minimise the

loss or decide what kind of risk to take?
Risk response development

Risk response development is the process of taking steps to enhance

opportunities and developing responses to risks. The following are the
four basic responses to risk:
1. Risk avoidance involves eliminating a risk or threat, usually by
eliminating its causes (e.g., using hardware or software that is
known to work, even though there may be newer solutions
available).
2. Risk acceptance can be either active or passive:
a. Passive Acceptance means accepting the consequences
should a risk occur.
b. Active Acceptance means developing a contingency plan
should the risk occur (e.g. work around).
3. Risk mitigation involves reducing the probability and/or the
impact of a risk event.
4. Risk transference involves transferring the risk to a third party
e.g. buying insurance in the event that you have an accident.

The following matrix depicts risk response strategies for technical, cost,
and schedule risks:
Technical Risks Cost Risks Schedule Risks
Emphasise team support and
Increase the frequency of Increase the frequency of
avoid stand-alone project
project monitoring project monitoring
structure
Increase project manager Use WBS and Network Use WBS and Network
authority Diagram/CPM Diagram/CPM
Improve communication
Select the most
Improve problem handling project goals
experienced project
and communication understanding and team
manager
support
Increase the frequency of Increase project manager
project monitoring authority
Use WBS and NETWORK
DIAGRAM/CPM

Risk management plans, contingency plans and contingency

reserves

A risk management plan documents the procedures for managing risk

throughout the project. It summarises the results of risk identification and

150
 E2 Project Management

analysis processes and describes what the project team’s general

approach to risk management will be. A risk management plan should
address the following questions:
1. Why is it important to take/not take this risk in relation to the
project objectives?
2. What is the specific risk and what are the risk mitigation
deliverables?
3. What risk mitigation approach will be used?
4. Who are the persons responsible for implementing the risk
management plan?
5. When will the milestones associated with the mitigation approach
occur?
6. How much is required in terms of resources to mitigate risk?

Contingency plans are predefined actions that the project team will take
if an identified risk event occurs.

Contingency reserves are provisions held in reserve by the project

sponsor for possible changes in scope or quality that can be used to
mitigate cost and/or schedule risk.
Risk response control

Risk response control involves responding to risk events over the course
of the project by executing the risk management plan and risk
management processes.

This requires on-going risk awareness and monitoring. New risks may be
identified during the course of the project and should go through the same
risk assessment process as those identified in advance. When contingency
plans are not in place or an unplanned risk event occurs, a workaround or
temporary fix may need to be found.

Top Ten Risk Item Tracking

Top ten risk item tracking is a communication tool used for maintaining
awareness of risk throughout the life of a project. It consists of a periodic
review with management and the customers of what they feel are the
period’s most significant risk items. A risk-tracking chart is developed
that shows current and previous month’s top ten risks.

Risk management reviews:

 keep key stakeholders aware of factors that could prevent project
success
 provide opportunities to develop and/or consider alternate risk
mitigation strategies
 promote confidence in the project team by demonstrating its
ability to proactively manage risk.

151
Module 5

Using software to assist in project risk management

Software tools are available to assist in various aspects of risk

management. Risks can be tracked in databases or spread sheets. Spread
sheet software can also assist in simple risk analysis. More sophisticated
risk management software is also available that can help you build
models and run simulations to analyse and respond to project risks.
Monte Carlo simulation software is a particularly useful tool for helping
to get a better idea of project risks and risk drivers.

The sign of good risk management is that minimal crisis management is

required (i.e., fires to put out) during the life of the project.

Project procurement management

Project procurement management is defined as the processes required to
acquire goods and services for a project from outside the performing
organisation. Many private companies use the word purchasing instead of
procurement. Outsourcing is a process that is becoming more common in
organisations globally.

Common reasons for outsourcing projects are:

 Cost reduction. Both fixed and variable (recurrent) costs of
many products and services are lower when supplied by a firm
that specialises in that area and can, therefore, offer economies of
scale.
 It allows line employees to focus on the core business and core
competencies.
 It provides access to specific skills and technologies, which
would be too expensive for the company to acquire and maintain.
 Staffing flexibility. It’s often easier and more economical to use
contractors to cover peak workloads than to try to staff the entire
project internally.
 Increased accountability. A well-written contract clarifies
responsibilities and sharpens the focus on key project
deliverables.
The key processes and activities involved in project procurement
management are as follows:

152
 E2 Project Management

Process Description Activity

Procurement ‘Make or buy’
Determining what to procure and when
planning decision
Solicitation Documenting project requirements and Issue request for
planning identifying potential sources proposal
Obtaining quotations, bids, offers, or
Solicitation Receive proposals
proposals as appropriate
Source selection Choosing from among potential vendors Award contract
Complete
Contract Managing the relationship with the
substantial amount
administration vendor
of work
Completion and settlement of the
Contract close- Formally close
contract, including resolution of any open
out contract
items.

Procurement planning
Project procurement planning is the process of identifying which project
needs can best be met by using products or services outside of the
organisation. Key questions are:
1. Do we outsource?
2. How do we outsource?
3. What to outsource?
4. How much to outsource?
5. When to procure?

Inputs needed for procurement planning include the project scope

statement, product description, market conditions and constraints and
assumptions. Outsourcing is often used when people with specialised
skills are needed over a short period of time.
Procurement Planning Tools and Techniques

Make-or-buy analysis is used to help an organisation decide if it is in

their best interests to make certain products or perform certain services
inside the organisation, or if it is better to buy them from an outside
organisation. For IT hardware and software it is important to include the
full life cycle cost including installation, training, maintenance and
support. Expert judgement, both internal and external, is an asset in
making procurement decisions.
Types of contracts

Different types of contracts can be used to create different performance

incentives. The three main types are fixed price (lump sum), cost
reimbursable (including cost plus), and unit price.

153
Module 5

1. Fixed price or lump sum contracts are contracts with a fixed

total price for the delivery of a well-defined product or service. In
this case, the vendor assumes the majority of the risk. This is
especially true on contracts for the provision of a service where
the actual amount of time it will take to complete the service
cannot be accurately predicted. Fixed price contracts are
therefore more commonly used for the procurement of goods or
products.
2. Cost reimbursable contracts are contracts involving payment to
the vendor for direct and indirect actual costs. Indirect costs such
as overheads are often calculated as a straight percentage of
direct costs. These types of contracts often include a profit
margin and incentives for meeting or exceeding specific project
objectives. In this type of contract, the buyer assumes more of the
risk. There are three main types of cost reimbursable contracts. In
order of lowest to highest risk to the buyer they are:
a. Cost plus incentive fee (CPIF) – a contract where the buyer
pays the vendor for allowable performance costs along with a
predetermined fee and an incentive bonus.
b. Cost plus fixed fee (CPFF) – a contract where the buyer
pays the vendor for allowable performance costs plus a fixed
fee payment usually based on a percentage of estimated
costs.
c. Cost plus percentage of costs (CPPC) – a contract where
the buyer pays the vendor for allowable performance costs
along with a predetermined percentage based on total costs.
3. Unit price contracts are contracts where the buyer pays the
vendor a predetermined amount per unit of service to complete
the work. This is sometimes referred to as a time and materials
contract. IT consultants often use this type of contract where they
are paid a fixed fee per hour plus expenses for travel.

Contracts should take into consideration issues unique and critical to

project success (such as programmer experience) and include termination
clauses. Termination clauses are the contract language that deals with
how the buyer or seller may trigger the end of the contractual
arrangement.

Statement of Work

Many contracts include a statement of work (SOW), which is a

description of the work required for the procurement. Its purpose is to
allow potential vendors to determine if they have the requisite expertise
to perform the work and to allow them to develop a cost estimate. The
statement of work should be clear, concise and complete.

Solicitation planning
Solicitation planning involves preparing the documents needed for
soliciting goods or services and determining the evaluation criteria for

154
 E2 Project Management

awarding the contract. The two most common types of solicitation

documents are Requests for Proposal (RFP) and Invitations to Quote
(ITQ). An RFP is a document used to solicit proposals from prospective
vendors. The RFP outlines the general requirements and it is up to
respondents to come up with a solution. Invitations to Quote are usually
used to solicit price quotes for products with specific features or for
services where the tasks are clearly defined.

All solicitation documents should be written to facilitate accurate and

complete responses from prospective vendors. They should include:
 background information on the organisation and project
 relevant statement of work
 project schedule
 description of desired response
 evaluation criteria
 pricing forms
 required contractual provisions (e.g. general liability insurance,
registration with WCB).

Vendor track records are important in all contracts. Vendors should be

asked to supply a list of relevant past projects and references.

Clear evaluation criteria are important not only in terms of ranking

proposals but also in terms of protection against lawsuits from losing
bidders. Key things to look for in vendor proposals are:
 clear understanding of requirements
 technical capability
 financial capacity and stability
 management approach
 price.

Solicitation
Solicitation involves obtaining proposals or bids from prospective
vendors. Organisations may advertise their desire to procure goods or
services in a number of ways including newspaper ads, Internet bid sites
or through private solicitation to a known and trusted vendor.

Most government projects require an open bidding process unless a

compelling case can be made for a “sole source” contract. Competitive
bidding should result in the best price options for the buyer. Buyers
should beware of “low ball” bids where vendors have undercut the
competition in an attempt to win the contract but may not have allowed
themselves sufficient compensation to do a quality job. Buyers should
reserve the right to select any bidder (not just the lowest priced one).

155
Module 5

A bidders’ conference is a meeting with prospective vendors to ensure all

suppliers have a clear and common understanding of the project
requirements, products and services.

Source selection
Source selection involves evaluating bidders’ proposals, choosing the
best one, negotiating the contract, awarding the contract and notifying the
successful and the unsuccessful bidders. Formal proposal evaluation
sheets help to quantify and simplify the selection process. Caution should
be taken not to place too much emphasis on the technical aspects of the
proposal. It also has to be well managed. If a number of proposals have
been received, an iterative selection procedure is often used in which a
short-list is created in the first round of evaluations and then a final
selection made from the short list. Short-listed candidates may be invited
to make a presentation to the evaluation/selection committee and/or asked
to prepare a best and final offer (BAFO). The final output from the source
selection is a contract that binds the vendor to provide specific goods and
services and obligates the buyer to pay for them. Unsuccessful bidders
should be notified and provided an opportunity to discuss the
shortcomings of their proposals.

Contract administration
Contract administration entails managing the relationship with the vendor
to ensure that the vendor’s performance meets contractual requirements.
A contract is a legal document and should have scrutiny by a legal
professional. The project manager and project team should be involved in
drafting and administering the contract.

Change control is an important part of contract administration. The

following suggestions ensure adequate change control for projects that
involve outside contractors:
 Changes to any part of the project need to be reviewed, approved
and documented by the same people in the same way that the
original part of the plan was approved.
 Evaluation of any change should include an impact analysis.
How will the change affect the scope, time, cost and quality of
the goods and services being provided?
 Changes must be documented in writing. Project team members
should document all important meetings and phone calls.

Constructive change orders are oral or written acts or omissions by

someone with actual or apparent authority that can be construed to have
the same effect as a written change order. Project managers or team
members should be mindful that what they say to a vendor is not
unintentionally construed as an order to do or not do something.

156
 E2 Project Management

Contract close-out
Contract close-out is defined as completion and settlement of the
contract, including resolution of any open items.

Contract close-out activities:

 Verification that that all work is complete, correct and
satisfactory and all activities in the work break down structure
are 100 per cent complete and closed.
 Updating records to reflect final results.
 Archiving information for future use.
 Formal written notice from contract administrator to vendor that
the contract has been completed and closed.
 Procurement audits to identify lessons learned.
 Project lessons learned documented by team and project
manager.

157
Module 5

Module summary
In this module you learned two broad and critical areas in project
management, namely risks management and procurement management.
Project risk management is both an art (personal judgement and
experience) and science (based on past data and calculation). Each
Summary complements the other in identifying, assessing and responding to project
risks. Project risk management is critically important at the planning
stage of a project where the major risks events are identified and counter
measures taken. But the risk management does not end at the planning
stage, it is continuously conducted throughout the project by the project
team.
Project procurement management covers the needs for procurement and
the key procurement processes. As the nature and needs of one project
tend to be different from another, most pure project-based organisations
tend to be “light” on assets, i.e. own few fixed assets. This has made
procurement management a critical function in securing the needed
resources to meet the needs of each new project. As you have seen,
procurement management serves as an important function to reduce costs
by maximising resource flexibility.

158
 E2 Project Management

Assignment
1. With the aid of suitable examples, explain what types of purchases in
a project would be suitable for the following contracts:
a. Fixed price contract
b. Cost reimbursable contract
Assignment c. Unit price contract.
2. Why is risk assessment more difficult in a project environment when
compared to a non-project environment?

159
Module 5

Assessment
1. What is the importance of project risk management in project
management?
2. Identify the key stages of managing risk.
Assessment 3. How would a project team address an unanticipated risk event?
4. What are the implications of good risk management on the
organisation’s stakeholders?
5. Describe the different ways of solicitation in the procurement
process.
6. Why are the processes and procedures in project procurement
management important and what are the implications if they were
absent or not followed?
7. What are the advantages of outsourcing?
8. What are the downsides or risks of outsourcing?

160
 E2 Project Management

Assessment answers
1. What is the importance of project risk management in project
management?
Risk is any factor that can affect project performance, slow down or
stop the project consequently threatening the goals and objectives of
the project. Risk management is critical to project management for
the following reasons:
 Risk management is critical during the project planning
process as it may influence project design and project
activities throughout the life of the project
 Risk management can anticipate future negative incidents
and their potential impact on the project. This will reduce
the amount of time spent on reactive and crisis management
 The severity of risk impact increases as the project
implementation progresses and more resources (time and
money) are sunk in
 Effective risk management raises the probability of
successfully meeting the project goals and objectives
 Risk management impacts the stakeholders and project
sponsors by delaying delivery of products or services, and
reducing the expected returns of investments
 Risk can be an opportunity. A superior technology untested
in the field is in itself a risk. Utilising the new technology
(should it prove to work well) will provide an opportunity
that the old technology is unable to provide.
2. Identify the key stages of managing risk
There are six main stages in the risk management process:
 Risk Management Planning – deciding how to approach
and plan the risk
management activities for a project
 Risk Identification – determining which risks might affect
the project and
documenting their characteristics
 Qualitative Risk Analysis – performing a qualitative
analysis of risks and conditions to prioritise their effects on
project objectives
 Quantitative Risk Analysis – measuring the probability
and consequences of risks and estimating their implications
for project objectives
 Risk Response Planning – developing procedures and

161
Module 5

techniques to enhance opportunities and reduce threats to

the project’s objectives
 Risk Monitoring and Control – monitoring residual risks,
identifying new risks, executing risk reduction plans, and
evaluating their effectiveness throughout the project life
cycle.
3. How would a project team address an unanticipated risk event?
Should an unanticipated risk event occur, then the project team needs
to assess the severity of the risk event. If the risk event is too severe,
then the recommendation may be to kill off the project. If the risk
event is not severe and hence manageable, then a temporary fix or
modification may need to be found. The depth of experience and
innovativeness of the project team comes into play here. Before these
temporary fix or modifications can be implemented, the project team
must carry out the change control process where the revised costs,
time and quality are presented for the top management and project
sponsors’ approval.
When approval is secured, the contingency reserves (provisions held
in reserve by the project sponsor for possible unforeseeable changes)
will be released for the modification to be carried out.
4. What are the implications of good risk management on the
organisation’s stakeholders
Good risk management has the following implications on the
organisation’s stakeholders:
 By incorporating the element of risk management into
designing the project and the project activities, the project is
said to be more robust in that the probability of failure is
reduced. For the stakeholders, the probability of killing off
the project halfway through (and writing off the sunk costs)
is minimal.
 Good risk management raises the probability of successfully
meeting the project goals and objectives. To the
stakeholders, it means successfully launching the new
product and services to the market. It increases
competitiveness of the company and the expected returns of
investments.
5. Describe the different ways of solicitation in the procurement
process?
In terms of documentation, solicitation can be in the form of:
 Requests for Proposal (RFP). When the services or solution
needed can be in a variety of forms, an RFP is the document
used to solicit proposals from prospective vendors. The RFP
outlines the general requirements and it is up to respondents
to come up with a solution and the costs.

162
 E2 Project Management

 Request for Quotation (RFQ). RFQ is used to source for

quotations for products with specific or standard features
and services where the tasks are clearly defined.
In terms of communicating the solicitation, the ways are:
 Advertisement in the media; newspapers, trade magazines
and so on
 Internet bid sites
 Direct solicitation with known suppliers.
6. Why the processes and procedures are important in the
procurement process and what are the implications if they were
absent or not followed?
The main processes consist of Procurement Planning, Solicitation
Planning, Solicitation, Source Selection, Contract Administration and
Contract Close-out. These processes are important because:
 They represent a systematic and orderly acquisition of the
products or services required by the project team. The right
acquisitions are made and provided to the project team at
the correct time
 These processes also ensure that the procurement
expenditure incurred are budgeted for so that there will be
no costs overrun
 They introduce the element of transparency in the
procurement process and create a level playing field for the
suppliers
 They ensure that the right balance between price and quality
is struck when selecting the supplier, and not the lowest
priced supplier who may not deliver the required quality.
In the absence of these processes and procedures, the entire
procurement process will break down as there is no control. All the
earlier mentioned reasons in favour of observing the procurement
process will be loss. It should also be noted that procurement
management is a fiduciary duty. Absence of these processes and
procedures may lead to corruption.
7. What are the advantages of outsourcing?
The advantages of outsourcing in projects are:
 Cost reduction. Both fixed and variable (recurrent) costs of
many products and services are lower when supplied by a
firm that specialises in that area and can, therefore, offer
economies of scale
 Staffing flexibility. It’s often easier and more economical to
use contractors to cover peak workloads than to try to staff
the entire project internally

163
Module 5

 It allows project team members to focus on the core

business and core competencies while the non-core
competencies are outsourced. This increases the probability
of success of the project
 It provides access to specific specialist skills and
technologies, which would be too expensive for the project
organisation to acquire and maintain
 Asset flexibility. As the asset requirements vary from one
project to another, pure project-based organisations may not
want to be encumbered with the accumulation of assets
from the previous projects
 Increased accountability. The project organisation has to
issue well-written contracts which clarifies responsibilities
and sharpens the focus on key project deliverables.
8. What are the downsides or risks of outsourcing?
 New suppliers are not familiar with the project
organisation’s rules and culture. Training needs to be
provided. A phasing-in period is also required as the
suppliers adjust their operating procedures and get settled
down
 As suppliers are independent and external parties, the
project organisation is not able to monitor and exert control
over them. This can result in service failures and sub-
standard products from the suppliers
 Quality from an external source needs to be constantly
checked. In-house quality is deemed as built-in as the
processes and standards are developed internally
 External suppliers may leak out confidential project
information to the competitors
 As more and more services and products are outsourced, the
project organisation will have more suppliers making it
more difficult and complex to manage the “extended
organisation”.

164