BASIC Engineering Ltd.

Risk Analysis
&
Mitigation Process

Updated: February 2015

BASIC RAMP >>Page 1/18

CONTENT PAGE

1.0 Overview 03

2.0 Risk Identification 03

3.0 Risk Assessment 04

4.0 Risk Analysis 08

5.0 Risk Mitigation 14

BASIC RAMP >>Page 2/18

 Risk Analysis & Mitigation Process
1.0 Overview
1.1 Purpose
The purpose of this Risk Analysis & Mitigation Process is to prevent incidents in the BASIC
operated projects in a systematic approach. The approach will be such that all employees
including the workers will think proactively at their maximum capacity and analyze the
project activities to find the potentials to hazard that may occur.

1.2 Scope
This process will deal with all sorts of project activity and incident matters relevant to the
project inside the BASIC operational area.

1.3 Objective
The process will focus on the following objectives:
 To build a sense of reliability to the clients
 To make the employees confident that any work can be accomplished on time
without incidence

2.0 Risk Identification:

The risk identification establishes which risks might affect the project and register what their
characteristics are and in what way they might affect the project. The risk identification might
be the most important step in the project risk analysis, meant in that way that if the risk is not
identified you will not be prepared when should it occur. So a risk response can only be
planned if the risk is known. That is also the reason for importance of doing the ground work
properly before engagement in the project, in the form of defining the objectives. So, it is
possible to identify the risks and how and where they will occur in the project. The risk
identification is a repeated process since risks may evolve or be discovered through the life
cycle of the project. In the next step it is the identification of risk that will be used in the risk
assessment.

There are a lot of techniques to identify risks, but there is not a recognized best method and
none of the techniques are perfect, and an appropriate mix of the techniques will have to be
used depending on the project. The risk identification techniques include historical data,

BASIC RAMP >>Page 3/18

brainstorming, workshops, checklists, nominal group technique, Delphi technique and cause-
effect-diagrams.

 Identification by risk analyst

 Risk identification by work group
 Brainstorming
 Nominal group technique
 Delphi Technique
 Brainstorm, NGT and Delphi technique
 Cause-and-effect diagrams
 Risk breakdown structure
 Risk register

For understanding what kinds of risks that can be associated with project like gas plant, and
to help identifying the risk for a certain project the categories of risk are defined as below:
 External risks: risk that is associated outside of the organization. It involves laws,
cultural difference, customers, competitors and communities.
 Financial risks: monetary risks. Risk about inflation, costs, income, budget and
currency exchange rate.
 Environmental risks: concerning risks about the weather, natural disasters and the
conditions of that location, where the project is located.
 Organizational risks: related to the management of the organization. It involves risk
about communication, leadership, the structure of the organization.
 Resource risks: risks concerning the capacity of the company. It involves the
employees and their competences, material, equipment and facilities and the quality
of it.
 Operational risks: risk from the plan and execution of the project. It can be about
breakdown of major equipments or change in the work requirement and specification.

3.0 Risk Assessment:

After identifying and classifying the risks, analyses are performed where the possibilities and
the consequences of each risk factor are examined in order to establish the level of risk of the
project.

BASIC RAMP >>Page 4/18

The risk analysis will determine which risk factors would potentially have a greater impact on
the project and, therefore, must be managed by the entrepreneur with particular care.

There are four steps to assessing and managing risks, and effective risk management requires
all four of them.
1. Identify the risks
2. Qualify the risks
a. Assess each risk for impact to the project if it does occur
b. Assess the likelihood of the risk occurrence
3. Plan for risks by creating a watch list of risk triggers and how to handle the risk if it
does occur
4. Monitor and manage risks

3.1 Identify Risks

There are numerous ways to identify risks. If time is limited, the best ways to identify risks
are to:
 Review the project schedule and task list to look for:
 Tasks for which the workers have no expertise. The duration and cost
estimates for these tasks are more likely to be inaccurate.
 Duration and cost estimates that are aggressive. The estimators need to clarify
and validate the estimates, especially for critical path tasks.
 Situations, where a limited number of resources are available that can do
particular tasks and where those resources are fully allocated, over allocated,
or may become unavailable. A resource can become unavailable when it
leaves the organization or because of other commitments within the
organization.
 Tasks with several predecessors. The more dependencies a task has, the
greater the likelihood of a delay.
 Tasks with long durations or a lot of resources. The estimates for these larger
tasks are more likely to be inaccurate
 Brainstorm and talk with the experts
 All of the project risks may not be apparent from analyzing the project
schedule. It will be worthwhile to arrange a several brainstorming sessions

BASIC RAMP >>Page 5/18

 with key project resources and put the question where they see the most risk to
the project. There might be surprises which are uncovered.
 If there are some experienced project managers available, have them review
the schedule. Discuss with the people who have expertise in particular areas of
the project would be an effective option. For example, for planning to use an
outside contractor, talk to people who have used that contractor or other
contractors.

3.2 Qualify Risks

After analysis is accomplished, the probability and impact of the risks are to be qualified in
terms of Low, Medium and High. Qualifying risks and accuracy of the results are
commensurate with the experience and techniques used in the risk analysis.

Next is to qualify each risk item by asking:

 What is the impact to the project if the risk item occurs (Low, Medium and High)?
 What is the probability or likelihood of the risk item occurring (Low, Medium, High)?
 Review archived projects to see if similar tasks from the past have taken
longer than the present estimate or have cost more.
 If the resources that will do the work are not comfortable with the present cost
or duration estimates, then the risk is more likely to occur.

Once the impact and probability are determined, risks will be prioritized and sorted out,
which risks are going to be actively managed focusing on the order of priority. The priority
table may be modified according to the organization’s sensitivities.

3.3 Managing Risks

Once the risks are identified and qualified it is required to plan to manage them. Because risk
planning can take a lot of time and energy, it is wise to plan for only the high-priority risks
(priority 1) or the medium to high-priority risks (priorities 1 to 3). This planning entails:
 Identifying triggers for each risk
 Identifying and determining the plan for each risk

3.3.1 Identify Triggers

Triggers are indicators that a risk has occurred or is about to occur. The best triggers will tell,
well in advance that a problem will occur.

BASIC RAMP >>Page 6/18

To identify triggers, the people who are most likely to cause the risk to occur and those who
are most likely to feel its impact, should be interviewed for how they would know that the
problem is occurring. Start with how they would know that the problem has already occurred,
and then work backward to determine how they would know before the problem actually
occurred. The project manager shall consider how the risk would be reflected in the project
schedule. Would the project schedule show overtime for a specific resource on earlier tasks?
Would the project schedule show delays in specific tasks?

For each risk, a watch list shall be created which will show the possible triggers, when they
are likely to occur, and who should watch for the trigger.

3.3.2 Identify Plans

Once the triggers/indicators are identified and created the watch list, an action plan shall have
to be made to manage the risks. Either option can be selected to manage risks from the
following four basic ways:
 Avoidance – The project plan and project schedule may be changed to eliminate the
risk or to protect the project objectives from its impact. More in-depth planning may
be one way to avoid a risk later in a project. Reducing scope of work to avoid high-
risk activities, adding resources, or adding time may be other ways to avoid risk. For
example, if the project is dependent on a single resource with specific expertise,
alternative resource in that expertise should be created through training/education or
by other means.
 Transference – Risk transference is seeking to shift the consequence of a risk to a
third party together with the ownership of the response. It does not eliminate the risk.
The cost of the risk items can be given coverage by insurance. Another transference
technique is to enter into a fixed price contract, which transfers the risk to the
performing party.
 Mitigation – Mitigation seeks to reduce the probability and/or consequences of an
adverse risk event to an acceptable threshold by taking actions ahead of time, thereby
decreasing the likelihood of the problem occurring. Many times, it is much more
effective to reduce the probability of a risk even occurring than trying to repair the
consequences after it has occurred. Risks that seem large enough to threaten the
project should lead to an “early prototype or pilot” effort being before full
implementation.

BASIC RAMP >>Page 7/18

  Acceptance – The final technique of dealing with risk is to respond to the risk item
with a contingency plan.
Risk management plans can have unexpected ramification. The prudent project manager
might want to model each plan in their project-scheduling tool to see the plan's impact on the
project. Look for new risks that occur as a result of the project schedule and address them.

3.4 Monitor and Manage Risks

Project management team should ensure that the teams act to monitor and manage the risks.
Necessary actions are taken according to the risk responses that have been chosen. Monitor
the watch list to see if triggers are occurring, and implement contingency plans as needed.
Risks should be reassessed regularly. The following ideas might be useful for monitoring the
risks:
 Move High Risk items into Issues Matrix to be visited during each project status
meeting
 Include a Risks section in status reports and request that resources identify any
assumptions they are making, as well as any new risks they see
 Set up regular meetings with team members to reevaluate the risk management plan
and to identify new risks to the project
 Each time, when project's actual progress varies significantly from the project
schedule, risks should be reassessed and risk management plan should be reevaluated.
With a little preplanning and thought, risks can be decreased significantly in the projects.

4.0 Risk Analysis

Risk analysis can be performed by 2 procedures:
1. Qualitative Method
2. Quantitative Method

BASIC RAMP >>Page 8/18

4.1 Qualitative risk analysis
Qualitative Risk Analysis assesses the impact and likelihood of the identified risks and
develops prioritized lists of these risks for further analysis or direct mitigation.

The project team assesses each identified risk for its probability of occurrence and its impact
on project objectives. Project teams may solicit assistance from subject matter experts or
functional units to assess the risks in their respective fields.

Qualitative risk analysis is the process of prioritizing the risks by assessing the probability of
occurrence and impact.

Qualitative risk analysis can be used by project teams:

 As an initial screening or review of project risks.
 When a quick assessment is desired.
 As the preferred approach for some simpler and smaller projects where robust and/or
lengthy quantitative analysis is not necessary.

Qualitative assessment: An assessment of risk relating to the qualities and subjective

elements of the risk—those that cannot be quantified accurately. Qualitative techniques
include the definition of risk, the recording of risk details and relationships, and the
categorization and prioritization of risks relative to each other.

Qualitative analysis provides a convenient and “user-friendly” way to identify, describe, and
characterize project risks.

Risk identification results in the generation of a risk register. The risk register can be
sizeable; it is necessary to evaluate and prioritize the risk events identified in the risk register.
Evaluation and prioritization is typically accomplished by the project team and is an
interactive process and can take place at various points in project development. In some
cases, the project team may enlist help from cost risk experts and subject matter experts to
evaluate and prioritize the risks.

A thoroughly developed register of risks that may affect project objectives is helpful.
Sometimes, there are situations, where moving forward is difficult because of indecision.
Identifying, describing, and assessing project risks allow prioritizing them. Prioritization can
free the project management team from indecision by providing specific, documented risk

BASIC RAMP >>Page 9/18

events that they can act on to shift the odds in favor of project success. Prioritizing risks that
present the highest potential for significantly affecting project objectives gives Project
Managers the information necessary to focus on project resources. Prioritization helps
management to make decisions in an uncertain environment and address project risk in a
direct and deliberate manner.

Qualitative analysis utilizes relative degrees of probability and consequence for each
identified project risk event in descriptive non-numeric terms. The risk probability
assessment is the investigation on the likelihood that each risk will occur and the risk impact
assessment is the investigation of the effect from each risk on the objectives or the safety.
The risk probability of each risk will be assessed by the historical data or otherwise experts
on the field and in the same way the risk impact will be assessed by expert on the field
through meetings and interviews where explanatory details and justification assumed for the
assessment also will be recorded.

The project risks can be divided to recurring risks and non-recurring risks. The recurring risks
are risks that recur on regular basis, so there might be statistical data available, e.g. how big
the probability for bad weather is and how many days will be lost because of the bad weather.
With the recurring risks a more objective analysis can be made, where the non-recurring risks
will need a more subjective analysis, because there will be no historical data to back it up.

4.1.1 How we perform Qualitative Risk Analysis

Once a risk is identified, including a thorough description of the risk and risk triggers, it can
be characterized in terms of probability of occurrence and the consequence if it does occur.
1. Gather the project management team and appropriate persons to discuss project risk.
Decide which of the qualitative risk matrices shall be used and define the terms to be
used (High, Medium and Low etc.).
2. Review the risk information from the risk identification step.
3. Discuss the risk with the group.
4. Evaluate the likelihood of the risk occurring by asking the group, “How likely is it
that this risk will occur?” Record the result that the group agrees on.
5. Evaluate the consequences if the risk does occur by asking the group, “What will be
the impacts if this risk does occur?” Record the result that the group agrees on.

BASIC RAMP >>Page 10/18

 6. Prioritize the risks based on the results of the qualitative analysis. If it is desirable, the
risks can also be grouped by category (e.g., Environmental, Structures/ Geo-tech) and
ranked within each category.

4.1.2 Tools and Techniques for Qualitative Risk Analysis

1. Risk probability and impact Assessment: Risk probability and risk impact may be
described in qualitative terms such as very high, high, moderate, low and very low.

 Risk probability is the likelihood that a risk will occur.

 Risk impact is the effect on project objectives if the risk occurs, which may
be a negative effect (threat) or a positive effect (opportunity).

 These two dimensions of risk are applied to specific risks, not to the overall
project.

 The levels of probability and impact are assessed in meetings or by interviews.

Participants include subject matter (area of risk) experts and project team
members.

 Details justifying the assessment should be documented.

 Risks are rated according to the definitions given in the risk management plan
2. Probability / impact rating matrix: A matrix may be constructed that assigns risk
ratings (low, moderate or high) to risks based on combining probability and impact
scales of a risk on a project objective.

 The organization must determine which combinations of probability and

impact result in a risk’s being classified as high risk (red condition), moderate
risk (yellow condition), and low risk (green condition). The risk score helps
put the risk into a category that will guide risk response actions.

 Risks with high probability and high impact are likely to require further
analysis, including quantification, and aggressive risk management (both
threats & opportunities).

 Lower Risks would require less emphasis and it may be enough to include
them in a watch list for monitoring

BASIC RAMP >>Page 11/18

Probability-Impact Matrix:
Risk Score for a Specific Risk: THREATS
Probability Risk Score = P x I
0.9 0.045 0.09 0.18 0.36 0.72
0.7 0.035 0.07 0.14 0.28 0.56
0.5 0.025 0.05 0.10 0.20 0.40
0.3 0.015 0.03 0.06 0.12 0.24
0.1 0.005 0.01 0.02 0.04 0.08
0.05 0.10 0.20 0.40 0.80
Impact on an Objective (e.g. cost, time, or scope)
(Ratio Scale)

3. Risk Data Quality Assessment: The use of accurate data is necessary for a reliable
qualitative risk analysis. Assessment involves examining:
 Extent of understanding of a risk
 Data available about the risk
 Reliability of data
 The use of low precision data, for instance if a risk is not well understood,
may lead to a qualitative risk analysis of little use to the project manager. It
may be necessary to gather better data.
4. Risk Urgency Assessment: Urgent risks require urgent responses. Urgency can be
addressed by including time of response as an indicator of priority. Other indicators
may include symptoms and warning signs, as well as the risk rating.

4.2 Quantitative risk analysis

The quantitative risk analysis is the process of numerically analyzing the effect of the
identified risks on the projects objectives.

Quantitative Risk Analysis numerically estimates the probability that a project will meet its
cost and time objectives. Quantitative analysis is based on a simultaneous evaluation of the
impacts of all identified and quantified risks.

BASIC RAMP >>Page 12/18

4.2.1 Quantitative risk analysis methods
The quantitative risk analysis is performed on the risks that are prioritized from the
qualitative risk analysis and is the process that analyzes the numerical effect of the identified
risks impact on the overall objectives. The numerical effect could be measured in monetary
value, for the effect on the cost objectives, and with time (hours, days, weeks etc.). What is
more difficult is to quantify quality, since quality is more relative and subjective. Some risk
might also correlate on the impact on the objectives, if the time schedule is exceeded then it
might cost more, and if a quality control is not accepted it might take longer and cost more to
fix it, etc., so one risk might affect all of the objectives.

4.2.2 Tools and Techniques for Quantitative Risk Analysis

1. Data Gathering & Representation Techniques:
 Interviewing: Interviewing techniques are used to quantify the probability
and impact of risks on project objectives. Information needed depends on the
type of probability distributions that will be used (Need distribution
parameters).
 For example, if triangular distributions are used, information would be
gathered on the optimistic, pessimistic, and the most likely scenarios. If
normal distribution is used information on the mean & standard deviation
would be needed.
 Documenting the rationale of the risk ranges is an important component of the
risk interview because it indicates reliability of data.
 Expert Judgment: Subject matter experts are useful to validate data. They can
come from the organization or from outside.
2. Quantitative Risk Analysis & Modeling Techniques:
 Sensitivity analysis:
 Used to determine which risks have the most potential impact on the project.
 Sensitivity analysis examines the extent to which variation of a project
element affects a project objective when all other uncertain elements are held
at their baseline values.
 Expected monetary value analysis:
 The method considers the probability of each possible outcome and
determines the average value of all outcomes
 Decision tree analysis:

BASIC RAMP >>Page 13/18

  A decision analysis can be structured as a decision tree. The decision tree is a
diagram that describes a decision under consideration and the implications of
choosing one or another of the available alternatives.
 It incorporates probabilities of risks and the costs or rewards of each logical
path of events and future decisions.
 Solving the decision tree gives the expected value of each decision. The
decision-maker can select the decision yielding the highest expected value
when all the uncertain implications, costs, rewards and subsequent decisions
are quantified.
 Simulation:
 A project simulation uses a model that translates the uncertainties specified at
a detailed level into their potential impact on objectives at the level of the total
project.
 Project simulations are typically performed using the Monte Carlo technique.
 For a cost risk analysis, a simulation may use the traditional project WBS as
its model. For a schedule risk analysis, the Critical Path Method (CPM) is
used.

5.0 RISK MITIGATION

It has been established that there will be risk in a project that will need attention, and it is
done by risk management. There are many ways to confront the risks, but one of the more
generally accepted structured risk management model, is the one that is pictured in the figure-
1.

Figure: 1 – Model for risk analysis

BASIC RAMP >>Page 14/18

Figure: 2 – 5x5 model

Risk management plan: It is a formal approach for a systematic process of identifying,

analyzing and responding to project risks. So the risk management plan will document how
the project management suggests dealing with the risk in the project.

Risk control is a part of the risk management plan. Since the risk and work environment may
constantly change, it is important that project management team continually monitor and
review the level of risk and the capability to effectively respond to the risk. The risk
management plan an ongoing process that can be subdivided as listed below.

1. Define objectives: Define the context of the work and the plan for success. This
defines what will have to be achieved and establishes a basis for what will have to be
done for dealing with the risks. The elements in this part of the plan are basically the
context of the 5x5 model in figure-02.
2. Identify risk: Identify areas of risk, uncertainty and constraints that may affect, limit
or prevent the project for achieving the objectives.
3. Assess risk: Evaluate the identified risks, prioritize them, ascertain risk-level and
uncertainty and then quantify the rate of occurrence and impact.
4. Develop response: Define what the responses to the identified and assessed risk are
going to be.

Risk mitigation techniques include the following:

 Condition-based monitoring: Placement of sensors to measure various conditions
(temperature, vibration, etc.) to detect situations that may indicate potential equipment
failure. The more sophisticated systems have alerting capabilities and are integrated

BASIC RAMP >>Page 15/18

 with enterprise asset management applications that can automatically generate
inspection or work orders.
 Predictive maintenance: Predictive maintenance goes beyond condition-based
maintenance in applying advanced analytics to predict potential equipment failures,
providing enough notice to procure complex non-commodity replacement equipment.
The algorithms identify a departure from normal operating levels of a piece of
equipment rather than comparing performance with expected performance levels for
the equipment class.
 Criticality-based maintenance: This technique informs decisions on maintenance
strategy by identifying which assets are critical to the process and what the process
impacts would be if the asset were to fail. Criticality-based maintenance also informs
procurement strategy so that inventories, and the costs associated with keeping them,
are reduced but not at the expense of increased downtime.
 Performance center or center of excellence: The most advanced companies have
adopted centers of excellence where engineering staff are able to bring together
engineering knowledge for root cause analysis when potential problems are
identified. Centers of excellence can also have a view of multiple assets to support
decision making and maintenance planning and even suggest future equipment design
modifications.

Collaborative Planning, Operations, and Decision Making

To reduce non-productive time, enhance production, and reduce both economic and HES
risks, the project management team must create a stronger and more comprehensive
connection between field operations staff, subcontractors, clients and experts. This
connection involves:

 Collaboration: The ability for multiple parties to visualize and analyze the same set
of data and information from disparate locations.
 Workflow: Rationalizing data to make it automatically available to personnel and
applications according to role-based need.
 Access to real-time data: Surface and subsurface to improve production, often
involving sensors.

BASIC RAMP >>Page 16/18

Safety Measures for Risk Mitigation:
 Appropriate Personal Protective Equipment (PPE)
 Safety barricade around operation area
 Engage qualified/ trained manpower onto risky tasks
 Frequent training program
 Risk communication
 Hazard Analysis & Reporting

Appropriate Personnel Protective Equipment:

Each and every employees working on the gas plant or other process or heavy lifting area,
must have practice to wear PPE. All employees are instructed & also frequently trained to
aware themselves to use PPE. Through different training facilities, all employees and workers
will be conscious about the use of PPE considering the aspect of work. Also wastage, broken
PPE should always be removed and destroyed outside of the facility.

Safety barricade around operation area:

The area under operation of lifting, excavation, electrical works, maintenance work, gas line
work etc. must be cordoned around with barrier tag, caution tape or hard barrier as
appropriate. Signage & caution tag must also be posted near process area & at different
hazardous points. Warning tag, caution tag, chemical label should be provided in all sorts of
Heavy Equipments for minimization of the probability of risk. All signage, caution tag must
be internationally recognized which can be identifiable to all workers inside the premises.

Engage qualified/ trained manpower in risky tasks

Trained, experienced and technically qualified personnel should be deployed to reduce the
risks in operation. The responsible project manager should allocate the competent persons in
the relevant work in coordination with the project execution team.

Frequent training program

For risk management, training is one of the most vital sources, where employees can develop
their knowledge level. By training program, employees can develop their theoretical,
practical knowledge and become enough conscious about risks/safety from different
presentation, case-study & videos. It is obvious that, for risk management,
Employer/Company can arrange training programs on different occasions on different
subjects relating to the Project demand.

BASIC RAMP >>Page 17/18

Risk communication
Project specific HAZCOM process should be developed by the project management team.
This process will present a visible and easy to understand hazard/risk communication system
among the employees and the visitors who work inside the project area. This process will
cover usage, handling of different chemicals through symbols, MSDS, signage needed for
project work at different critical points/locations, where there are potentials of risk/hazard.
There should be a sophisticated communicating system through cell phone, radio, walky-
talky etc. Any kind of incident must be reported to the concerned authorities.

Hazard Analysis & Reporting

Project management team will define the scope of work for the project and develop Hazard
Analysis for each activity before they commence the work. Hazard Analysis shall be verified
by the concerned HES Department and reviewed time to time as the nature of the same job
may change due to various factors that come into play.

BASIC RAMP >>Page 18/18