A Framework to Select Techniques Supporting Project Risk Management


Introduction
Projects may be conceived as temporary endeavors with a finite completion date aimed at generating unique products or services [1]. Today's marketplace, characterised by fierce competition, requires increased accuracy and reduced time and costs in running projects [2]. In such a context, the variability of actual quality, time, and cost performance compared to the expected one crucially impacts on the success of a project and makes risk a central issue in project management [3]. It has been demonstrated that failure to deal with risk is a main cause of budget exceeding, falling behind schedule, and missing performance targets [4,5]. Additionally, in several industries, such as the construction and information and communication technology ones, the growing level of complexity, due to increased size and scope, larger investments, longer execution processes, more required resources, an augmented number of stakeholders, unstable economic and political environments, and changing regulations, exacerbates the degree of risk in projects [6]. Therefore, these aspects ask for assessing and controlling risk throughout all the phases of a project. Before going into detail about project risk management, it is beneficial to recall the notions of uncertainty and risk. Uncertainty arises from either the natural variability or randomness of a system or an incomplete information or knowledge of some of its characteristics. In the first instance, uncertainty cannot be reduced by increasing data collection or knowledge, though they are valuable for assessing it, while in the second case a more accurate data collection and understanding are able to decrease the level of uncertainty [7][8][9]. Project risk is defined as an uncertain event or condition that, if it occurs, has either a positive or a negative effect on project objectives [1,10].
The management of risk is currently one of the main topics of interest for researchers and practitioners working in the field of project management. Different perceptions, attitudes, values regarding risk, needs, project sectors, specifications, geographical, social, economic, and political environments have led to a variety of definitions, concepts, terms, and approaches, all highlighting the need for systematically addressing uncertainty.
Since the Nineties, most of the contributions have focused on the establishment of a risk management process: significant examples are the Project Uncertainty MAnagement (PUMA) process [11], the Multi-Party Risk Management Process (MRMP) [12], the Shape, Harness and Manage Project Uncertainty (SHAMPU) process [13], the Two-Pillar Risk Management (TPRM) process [14], the risk management process developed by the Project Management Institute [1], the Project Risk Analysis and Management (PRAM) process [15], the Risk Analysis and Management for Projects (RAMP) process [16], and The Active Threat and Opportunity Management (ATOM) Risk Process [10].
An effective application of risk management processes is not disjointed from sound enabling instruments. So, another research stream is running parallel to that focusing on the overall risk management structure: the development, implementation, and evaluation of operational means to put risk management into practice [17].
However, in literature there is a scarce systematisation of the actual capabilities of such practices. In addition, there is a lack of frameworks categorising them based on a comprehensive set of the peculiar characteristics of a project, of its management process, and of its surrounding business environment, as well as on the attitude of an organisation towards risk.
In order to contribute to filling this gap, the present work puts forward a taxonomy supporting the selection of the most suitable risk management techniques in any given project scenario, with the aim of fostering knowledge creation about how to treat risky events. The research mainly focuses on projects characterised by the achievement of a final work product not completely defined at the beginning of the project itself, such as in the construction, engineering, and information and communication technology industries.
After discussing the value of communication and knowledge in risk management, a set of dimensions reflecting the most important managerial and operational conditions characterising a project is developed starting from a review of pertinent literature. Widely applied techniques to support project risk management are presented and classified according to the framework. Finally, implications, ramifications, and future research directions are elaborated and conclusions drawn.

Communication and knowledge creation in risk management
Identifying and assessing risk sources and their impacts on project activities as well as developing responses to risk rely on a heterogeneous knowledge basis made up of past experiences, skills, and perspectives of involved people. However, managing data, information, and in general the knowledge generated during the life cycle of a project is a difficult task and an inappropriate way of doing that may be a cause of failure. In particular, communication about risk is often very poor, even if the interactive process of exchanging information and opinions among all the concerned parties is a critical condition in the risk management process to effectively support decision-making [18]. Projects are often organised and managed in ways that create information and communication disconnects. Decisions about risk are made independently from one another according to the different nature of possible risky events (e.g. business, technical, operation, and country-specific) and the interactions among them are not taken into account. Participants in a project do not share a comprehensive understanding of the risks that may affect it and a life cycle view of uncertainty is usually uncommon. This brings compartmentalisation of risks because they are identified, assessed, and controlled by using only one perspective [19]. A structured communication of the objectives, instruments, and findings of the risk management process as well as of the required actions as a result of its output is strongly needed, since organisational and individual learning are increasingly important when dealing with risk [20].
Communication among project parties generates awareness of risk and supports knowledge creation about both drivers and effects of uncertainty and approaches to cope with it.
A variety of practices exists to deepen the understanding of causes and consequences of uncertainty [4,21-23]. However, their application is still limited because several organisations do not systematically track past data and performance for this purpose. When there is a substantial lack of explicit information, an important source of knowledge is represented by the implicit information held by the so-called "experts". The term expert refers to those people to whom special knowledge about specific issues is attributed and from whom it is possible to obtain information that is useful for risk investigation. The process of extracting information from experts is named elicitation, which is defined as formulating a person's knowledge and beliefs about one or more uncertain quantities into a probability distribution for these quantities [24]. Elicitation of implicit expert knowledge is a core component of qualitative risk assessment, by means for instance of Delphi analysis or SWOT analysis, where it is used to define probability distributions for the occurrence and the impact of risky events.
Another relevant issue in knowledge creation about risk is related to the guidelines on how to approach it. As mentioned, literature offers a wide range of frameworks to identify risk sources, evaluate their probabilities and impacts in both a qualitative and a quantitative way, and set up risk response strategies. Also, there are some attempts to categorise these practices according to the nature of the data they rely on, the phase of the risk management process, the kind of project, or the purpose of the analysis [1,25-27]. However, existing contributions usually focus on just one single aspect and there is a lack of taxonomies that simultaneously look at all the relevant dimensions that should be taken into account when choosing an appropriate means of treating risk. In addition, the terminology used to address risk management practices is somewhat confused. The most common words that can be found in literature are tool, technique, and method but there is no widely accepted definition of these concepts and of the relationships among them in the field of risk management. Sometimes the same practice is referred to with different terms. For instance, while Delphi is generally classified as a technique [1,26], the Failure Mode and Effects Analysis (FMEA) is defined as either a tool [4] or a method [25]. However, determining the exact nature of risk instruments and creating a hierarchy among them help to recognise their scope and range of application and allow a more appropriate use at various risk management levels.
How to select the correct practices and capture their actual potentialities is of paramount importance to enhance the knowledge that is necessary to manage in an effective and efficient manner the risk and the associated information throughout the development of a project.Such understanding facilitates a clear view of the critical conditions of a project, thus fostering performance improvement and enhancing trust within the project team [28].
The developed framework focuses on the need for a comprehensive perspective on the factors affecting risk investigation and proposes a taxonomy based on the most significant elements characterising the scenario in which project risk is approached.The aim is assisting in the choice of the appropriate practices according to the level and the purpose of the risk management effort.Since the distinction among the different terms to address risk management practices is not the purpose of this work, they are all referred to as "techniques".

Dimensions for selecting techniques to support project risk management
There are multiple aspects that can be considered when facing the decision about the appropriate techniques to be applied for the purpose of risk identification, assessment, or control. They will be widely explained in the following sections.

A review of classification criteria
A commonly used criterion suggests looking at the nature of information that is available in a project. Qualitative and quantitative techniques are two fundamental groups applied to risk management. In the qualitative techniques risk assessment is connected with the determination of qualitative scales for evaluating the frequencies of occurrence of risky events and their impacts. They do not operate on numerical data but present results in the form of descriptions and recommendations basically according to opinions and risk tolerance boundaries collected from experts. The qualitative techniques are adopted to prioritise the identified risks for subsequent further action, such as quantitative risk analysis or response planning [1]. Moreover, they are used for determining highly risky areas in a short time, cheaply, and easily. At the other end of the spectrum, quantitative techniques to support project risk management numerically analyse the effects of risks on overall project objectives in order to elaborate future trends [1,29]. They are applied to give an accurate image of risk that facilitates the cost and benefit analysis during the selection of reduction measures. However, the implementation of quantitative techniques is generally more expensive and requires greater experience than the application of qualitative techniques [30].
Another criterion is choosing techniques to support risk management according to the degree of knowledge about risk and the goal of the analysis. Kmec [27] discusses approaches to risk identification for the following situations: the majority of risks are known, the risks have been prioritised, the risk list is short, risks are classified according to some criteria, risks are broken down to build a hierarchy, relationships among risks are investigated, and risk evolution is studied over time. Also, techniques for risk management differ according to whether the main aim is monitoring economic and financial outcomes, checking quality variance, tracking time delays or estimating the probability of the overall success or failure of a project.
In addition, risk management practices can be distinguished based on how the investigation is performed. Gidel and Zonghero [31] focus on selected techniques and suggest when they are suitable depending on whether an analogical, heuristic, or analytic approach is applied to risk identification. With an analogical approach the study of risk mainly relies on the experience coming from the management of previous and similar projects. The heuristic approach uses the project team's creativity or expertise through, for instance, brainstorming sessions. Finally, the analytic approach is typically based on FMEA and Fault Tree Analysis and aims to decompose a system to identify risky events for each sub-system together with their causes and effects. Also, the nature, size, and phase of the life cycle of a project as well as the kind of associated consequences determine which techniques to support risk management should be used. Some authors highlight that, although risk management should assist in the entire life cycle of a project, it is particularly crucial in the planning stage and its scope and depth increase as the project moves towards the execution phase, while they decrease in the termination phase [13,32]. As a matter of fact, the earlier the risks are identified, the more realistic the project plan and the expectation of results and the more effective the contingency plans both during the development of the project and beyond [1,33].
Other works focus on the strong correlation between the risk profile of a project and its organisation: for instance, different procurement schemes require different risk practices [22].
Furthermore, every single step of managing risks, whether identifying or assessing them, developing response plans, or monitoring their execution, implies a different level of information and detail, thus it requires the application of different techniques. Literature reports numerous classifications of techniques according to the phase of risk management for which they are most suitable [1,34,35].
Finally, the project risk management capabilities of an organisation improve as its risk culture increases. A scarce awareness towards risk drives occasional applications of informal risk techniques to specific projects and problems are dealt with only when they show up. Recognising the relevance of risk, instead, is the condition for proactively managing uncertainty [33,36,37]. As a consequence, techniques supporting risk management require different levels of corporate risk maturity in order to yield the expected benefits and this constitutes a criterion according to which risk techniques may be classified [25].

Three dimensions to characterise project risk management techniques
Based on a careful analysis of the characteristics of the techniques supporting risk management proposed in literature and applied in business practice, the authors believe that among the discussed criteria
• the phase of the risk management process;
• the phase of the life cycle of a project;
• the corporate maturity towards risk;
are the three dimensions that encompass the most relevant aspects for understanding and choosing among project risk management techniques. In fact, the focus is on "risks" that occur in "projects" which are in turn run by "companies". Moreover, such dimensions adequately reflect the crucial concept that risk practices can only be selected once a problem is structured and well understood and the application of these instruments depends on the circumstances of the problem, hence on the need to fully comprehend it.
Every specific risky event in a project has its own escalation process characterised by one or more sources or causes, an occurrence, and one or more consequences [35]. Each of these phases requires its own approach to be studied. Sources of risk are analysed by concentrating on their identification, description, and classification (e.g. internal and external causes), the occurrence is defined by the probability and the impact of the risky event, and the consequences are described in terms of time, cost, and quality variance against the expected performance.
Additionally, no practice is perfectly tailored to deal with every risk occurring in the course of a project [22]. Each of the risks faced during a project has its own specificity depending on its position within the project life cycle. For example, throughout the feasibility study, when the main issue is making appropriate strategic choices, the probabilities of occurrence of risks are difficult to define because of the still scarce level of information associated with that phase. By contrast, in the following phases risks are mainly related to the consequences of decisions made in the previous steps of the project and their sources, manifestation, and effects can be characterised in a more accurate way. Also, in the late phases of a project a risk may be the effect of other risks that manifested themselves in previous phases.
Besides the phases of the risk management process and the life cycle of a project, a third pillar constitutes the foundation of a sound selection of techniques supporting risk treatment: the reference context of the organisation that develops a project. In particular, this work is interested in the maturity towards risk, that is basically achieved through risk awareness, the consideration that the risk management activity is on the same level as cost, time, and scope management tasks, commitment to high quality of data, systematic implementation of instruments to deal with risk, development of responses to risk, and assessment of the obtained results [38]. The extent to which a company possesses these features represents that cultural bedrock that enables the application of specific techniques to prevent, accept, mitigate or exploit risky events and their effects. In particular, a high level of risk awareness, together with appropriate availability of knowledge, makes it possible to obtain that objective information allowing the quantification of risk.
A selection of support techniques based on the above dimensions represents a strength inside the risk management process because it stimulates the achievement of improved outcomes in terms of time, cost, and quality performance [39].

Phases of the risk management process
According to Hillson [40], risk management is about finding an answer to six simple questions such as "What do we want to achieve?", "What might affect us?", "Which of the things that might affect us are most important?", "What should we do about them?", "Did our actions work?", and "What has changed in the new scenario?". These questions represent the main issues of the risk management process, which is generally recognised as the process concerned with conducting the following phases: risk management planning, risk identification, risk analysis, risk response, and risk monitoring and control [1].
In risk management planning the objectives and the approach to carry out risk treatment tasks are decided together with assigning resources and time to these activities, with the aim of allowing a smooth conduction of the subsequent phases. Risk identification defines the risks to which the project is exposed and describes their causes and characteristics. The goal of the risk analysis phase, sometimes named risk assessment, is giving an importance priority to the identified risks to enable managerial actions and establishing the overall level of risk exposure of the project. In particular, qualitative risk analysis is focused on determining the probabilities of occurrence of risky events and the associated impacts on project outcomes, the time periods when the risks could affect the project, when it is possible to influence them, and the relationships between risks and cost, schedule, scope, and quality constraints. Quantitative risk analysis operates on those risks that substantially impact the project and numerically evaluates their effects. Risk response starts from the previously identified risks and their significance to develop actions to increase opportunities and decrease threats. Resources and activities are inserted into the budget, schedule, and project management plans. The final phase, risk monitoring and control, is the on-going identification and management of new risks that become known during a project, the tracking of already identified risks, the monitoring of residual risks, the implementation of planned responses as well as the review of their effectiveness, the development of additional actions, if needed, and the formalisation of lessons learned about risk [1,35].
The importance of the dimension of the risk management process phases for selecting techniques to support the treatment of risk is witnessed by the many works discussing instruments for each phase existing in literature. Some of them have been already presented in Section 3.1.

Phases of the project life cycle
In a similar way as when the risk management process is approached, undertaking a project means tackling some basic questions: "Who are the parties ultimately involved?", "What do the parties want to achieve?", "What is it the parties are interested in?", "How is it to be done?", "What resources are required?", and "When does it have to be done?". These questions are answered during the life cycle of a project, which is defined as a systematic way of conceptualising the generic structures of projects into a number of phases that assure better management control [1,13,41].
The project life cycle is domain specific and, because of the complexity and diversity of projects, its breakdown into phases is different based on several factors such as the size (e.g. small or large-scale projects) and the type (e.g. engineering and construction projects or new product development projects) of the project. Four general phases can be associated to the kinds of projects that are considered by this work: conceptualisation, planning, execution, and termination [1,13]. The conceptualisation phase regards identifying an opportunity or a need, clarifying the purpose of the project by defining the relevant performance objectives and their importance, formalising the concept of the project, and evaluating its feasibility.
The planning phase includes undertaking the basic design, developing performance criteria, formulating a base plan together with targets and milestones, and allocating internal and external resources to achieve the plan. With the execution step of a project action begins: the main tasks here are coordinating and controlling the performing of planned activities, monitoring progress, and changing targets, milestones, and resource allocation as required.
Finally, the termination phase involves commissioning and handover, reviewing the lessons learned during the project, and assuring the necessary support to the product of the project until it is discarded or disposed of.
It is widely recognised that a structured view of the project life cycle provides a proper frame for understanding major sources of uncertainty, as well as their occurrence timing and impacts, during all its phases [13]. Also, the project life cycle is a natural setting for distinguishing among approaches to risk management. As the life cycle evolves, different information becomes available about the aspects and components of both a project and its environment, such as stakeholders, scope, time, and cost as well as corresponding assumptions and constraints. Therefore, there are more risks at the beginning of a project, while they decrease as the project progresses towards its termination. As a consequence, the greatest opportunity to risk reduction resides in the early project stages. In general, during the conceptualisation phase, decision makers should focus on different sources of uncertainty, such as technological, cultural, social, and economical ones, to make sure about the feasibility of the project [42]. The identified uncertainties should be then taken into account during the planning phase of the project. The risk management process should monitor the changes as well as the new risks emerging in the execution phase and manage the appropriate actions to reduce or eliminate them [1]. Finally, the typical risks in the termination phase are related to the proper maintenance, improvement, and changing needs in light of evolving societal, demographic, operational, or economic conditions.
Since the sources of uncertainty change during the project life cycle, it is vital to understand how the risk management process has to vary accordingly. This consideration supports the need to enable project managers to focus on specific sources of uncertainty in each stage of the project by means of appropriate practices to identify, assess, and treat such uncertainty in order to optimise its impacts. In addition, a project life cycle-oriented view of risk management techniques helps to avoid compartmentalisation in approaching risk, which occurs when each participant looks at risks with a single, specific perspective and based on his own goals, irrespective of the other project parties [19].

Corporate maturity towards risk
The concept of maturity indicates an evolution from an initial state to a more advanced one through multiple intermediate states corresponding to different levels of awareness towards risk and capability to deal with it. The degree of maturity towards risk of an organisation depends on its risk culture, which is stimulated by the available informational context and the type and size of the organisation itself. All these factors also impact on the maturity of the project management process, that may go from basic project management, to the systematic planning and control of a single project, to the integrated planning and control of multiple projects, to the continuous improvement of the project management process [43], which in turn influences how risk management is applied.
Hillson [37] proposes a risk maturity model made up of four stages: Naïve, Novice, Normalised, and Natural. Naïve means that an organisation has not yet captured the need for managing risks and no structured approach is in place for this purpose. Novice defines an organisation that recognises the benefits of managing risk and is actually implementing some form of risk governance but it lacks a formalised process to perform this task. Normalised is the degree of maturity characterised by a formalised risk process included in routine business activities whose benefits, however, are not consistently achieved in every project. Finally, the Natural maturity level denotes an organisation that is completely aware of risk and proactively manages opportunities and threats through consistent risk information. A similar organisation will benefit from improved corporate planning, more transparent relationships with stakeholders, and better global performance [44].
Moving from one level to the upper one in this maturity scale implies that an organisation is willing to perform a more thorough and systemic analysis of the escalation processes of project risks. In order to do that, not only different but also more sophisticated and detailed techniques have to be applied [33,38]. Based on this, it can be stated that the more mature an organisation is towards risk, the more phases of the risk management process it will implement. Companies with a low maturity degree only limit themselves to risk identification or qualitative risk analysis, while organisations with a higher level of maturity deal with all the stages of the risk management process, including collecting past data to carry out quantitative analysis. Thus, the maturity of a company towards risk and its response to possible consequences are strictly related to the development of the risk management phases.

Classifying techniques supporting project risk management
The three defined dimensions characterising the choice of project risk management techniques are here applied to a selection of practices that can be commonly found in both literature and practice.
First, the focus techniques are briefly described and their strengths and weaknesses highlighted (Table 1).

No. Technique Description Strengths Weaknesses
1 Brainstorming [1,13]
Description: An effective way to generate lots of ideas on a specific issue and then determine which idea, or ideas, is/are the best possible solution. Ideas about project risk are generated under the leadership of a facilitator.
Strengths:
• Improves problem analysis by providing more possible solutions and unusual approaches to a problem.
• Increases the chances of obtaining an excellent idea.
• Involvement of individuals with a variety of backgrounds.
• Utilises the thoughts of others.
• Attempts to view situations from an unfamiliar perspective.
Weaknesses:
• Prone to the negative effects of personality excesses.
• Difficult to create a criticism-free atmosphere.
• Not much structured.
• The smaller problems that can have severe consequences on the project success are not identified.
• Reduced participation due to dominant personalities.

2 Cause and effect diagram or Cause Consequence Analysis (CCA) [1]
Description: It identifies the set of unwanted effects and goes backwards to trace the causal chain. It is also known as Ishikawa or fishbone diagram and is useful for identifying causes of risks.
Strengths:
• Helps to determine the root causes of a problem or of a quality characteristic in a structured way.
• Increases knowledge of a process by helping everyone to learn more about the relevant factors and how they relate to each other.
Weaknesses:
• Not particularly useful for extremely complex problems where many causes and problems are interrelated.

3 Change Analysis (ChA) [18]
Description: It is used to systematically investigate the possible risks and to identify the appropriate risk management strategies and measures in changing situations.
Strengths:
• Predictive and proactive risk analysis technique.
• Can be used as a root cause analysis [18].
Weaknesses:
• Relies on the comparisons between two or more systems or activities.
• Does not traditionally involve the quantification of risk.
• Depends very much on expert judgements.
• Limited to the analysis of system changes [18].

4 Checklist [1,13,20]
Description: It is a detailed aide-memoire for the identification of potential risks. It can be developed based on historical information and knowledge that have been accumulated from previous similar projects.
Strengths:
• Systematically assesses the experience accumulated by an industry.
• Can be prepared by a single analyst or a small group.
• Simple to use at the basic level.
• Useful as a memory jogger.
• A guide to the existing risk and opportunity knowledge.
Weaknesses:
• Limited to previous experience only.
• Useful only for the early stages of the selection of an idea.
• Risk drivers are assumed to be independent.
• Length may discourage a more selective analysis of a subset of risk drivers.

5 Decision Tree Analysis [32]
Description: It is usually structured using a decision tree diagram that describes a situation and the implications of each of the available choices and possible scenarios. It incorporates the cost of each available choice, the probabilities of each possible scenario, and the rewards of each logical path.
Strengths:
• Many application possibilities in different areas.
• Enables a detailed insight into the decision making process.
• Appropriate for solving complex problems.
• Often supported by statistics.
• Can be computer assisted.
Weaknesses:
• Must be careful when assigning probabilities.
technique.
6 Delphi [1] The purpose is to elicit information and judgments from participants to facilitate problem-solving, planning, and decision-making. A facilitator uses a questionnaire to solicit ideas about the important project risks and the experts participate anonymously.
• Mainly used as a forecasting technique.
• Helps to reduce bias.
• Keeps any person from having undue influence on the outcome.
• Elimination of direct social contact.
• Provision of feedbacks.
• Opportunity to revise opinions.
• The quality of results depends on the competencies of experts and on the content of the questionnaire.
• Time consuming and expensive.
• No opportunity for verbal clarification or comment.
• Conflicts not resolved.

7 Event and Causal Factor Charting (ECFCh) [18] It consists of a graphical description of the sequence of events and conditions associated with an accident. The chart provides a logical progression of events.
• An effective technique for understanding the sequence of contributing events [18].
• Does not necessarily ensure that the root causes have been identified.
• Can overwork simple problems that may not require an extensive investigation [18].

8 Event Tree Analysis (ETA) [18] It is an analysis technique that models the range of possible outcomes of one or a category of initiating events.
• Highly effective in determining how various initiating events can result in accidents.
• Shares similar strengths with Fault Tree Analysis [18].
• Usually limited to one initiating event; multiple event trees may be needed.
among system elements can be overlooked [18].
9 Expected Monetary Value (EMV) [1] The EMV analysis is a statistical concept that calculates the average outcome when the future includes scenarios that may or may not happen.
• The EMV of opportunities is generally expressed as a positive value, while that of risks as a negative value.
• Requires a great availability of historical data.
10 Expert Judgement [1] Technique based on the experts' opinion. It is useful for the evaluation of the failure rate and the success chances of the overall project.
• Uses experiences on past projects to assess factors about a new project.
• Adapts to exceptional circumstances.
• The estimation can be biased.
• No better results than those provided by the expertise of estimators.
• May be repeated multiple times in order to get more accurate information.
11 Fault Tree Analysis (FTA) [45] An approach that starts from a particular event, known as the top event, in an attempt to identify all the possible event sequences giving rise to it.
• Highly effective in determining combinations of events and failures.
• Systematic, logical, and detailed system approach.
• Applicable to any kind of complicated system or activity.
• Usually employed to examine only one specific event at a time; multiple fault trees may be developed.
• The levels and the organisation of the tree vary from analyst to analyst.
• Quantification requires a high level of expertise [18].
12 Failure Mode and Effects Analysis (FMEA) [46] An analysis technique used in high-risk organizations to identify failure modes in systems/processes and work out response strategies.
• Effective for collecting the information that is needed.
• Widely used/understood, provides a great understanding of a system.
• Examination of human errors is limited. It is focused on technical failures and operational errors may be overlooked.
• Complex interactions resulting from more than one failure are often omitted [18].
• Not appropriate for selecting single ideas.
13 Failure Mode and Effects Criticality Analysis (FMECA) [46] An analysis technique used in high-risk organizations to identify and assess failure modes in systems/processes and work out response strategies.
Strengths: Like FMEA
Weaknesses: Like FMEA
14 Fuzzy Logic [47] Useful approach to address the problems associated with imprecision, uncertainty, and subjectivity of data.
• Permits different kinds of data to be manipulated simultaneously using a standardised methodology and a common scale for expressing the significance of impacts.
• Offers no significant benefits in the case of simple projects.
• Characterized by mathematical complexity.
15 Hazard and Operability (HAZOP) [48] It is a hazard identification technique that uses a structured and systematic team review of a system or process to identify the possible deviations from normal operations and their causes and consequences. It uses a standard list of guidewords (e.g. "more," "less," "no") combined with process conditions to systematically consider all the possible deviations from the normal conditions. For each deviation, possible causes and consequences are identified as well as whether additional safeguards should be recommended.
• Uses the experience of operating personnel.
• Systematic and comprehensive.
• Effective for technical faults and human errors.
• Employs a team approach requiring the interaction of several disciplines or organisations [18].
• Depends very much on expert judgements.
• Optimised especially for sequential operations or procedures.
• Requires the development of procedural descriptions that are often not available in detail.
• Documentation is lengthy.
• One of the most time consuming and expensive techniques [18].

16 Hazard Review (HR) [18] The Hazard Review, also known as Hazard Survey or Safety Review, is mainly a qualitative review of an activity or system to identify the hazards and to gain qualitative understanding of their significance.
• Makes use of the existing experience taken from a wide range of sources.
• Can be performed by a single analyst at a low cost [18].
• A lack of structure makes it difficult to audit.
• Limited to previous experience and thus with a limited value for novel installations.
• Does not produce a list of failure cases for a quantitative risk assessment [18].
17 Human Reliability Assessment (HRA) [49] It is especially used for a detailed evaluation of human operations in procedural tasks. It is a special form of FTA and ETA, designed for modelling and analysing the range of possible accidents that may happen while performing a procedure.
• Provides useful information about the cost and value of human resources.
• Helps an organisation to make the best utilisation of human resources.
• Focused on specific human reliability issues.
• The evaluation of human assets is based on the assumption that the employees are going to remain with the organisation for a specified period. However, this assumption is wrong because employee mobility is very high.
18 Incident Reporting (IR) [50] A structured mode for accident, incident, and near miss signalling collection.
• IR forms identify the barriers that prevent adverse situations.
• IR schemes provide a means of encouraging staff participation in safety improvement.
• It can be difficult both to set up and to maintain.
19 Interviews [1] The list of risks is produced by interviewing project managers or experts on the applications of the project. The risks are identified and defined and a risk management capability score can be determined from a five-point scale.
• Simple to use at the basic level.
• Systematically assesses the experiences accumulated by an industry.
• Can be prepared by either a single analyst or a small group.
• Limited to previous experience only.
• Gives few insights into the nature of the hazards, may miss some potential problems.
• Individual risk drivers may be described in insufficient detail to avoid ambiguity.
• Can be limiting.
20 Monte Carlo [1] A type of spreadsheet simulation that randomly and continuously generates values for uncertain variables to simulate a model.
• Allows working in terms of real units.
• Allows models to be firmly rooted in the plans of a project.
• Makes the relationship between the output of models and real-world decisions relatively straightforward.
• No statistically sound basis to specify distributions.
• No basis for estimating the most likely values.
• No basis to create custom tailored distributions when real world data are missing.
21 Pareto Analysis (PA) or ABC analysis [51] It is a technique that is used to identify and prioritise the most significant items, for example causes and contributing factors or effects of accidents. This technique employs the Pareto rule (or 80-20 rule), which says that about 80 percent of the effects are generated by about 20 percent of the causes.
• Many application possibilities in different areas, from the activity or operations level to the system level, such as ranking activities or system accidents and their causes.
• Can also be used to evaluate changes in risks after modifications in a system or activity.
• Simple to use.
• Individual or group technique.
• Focuses only on the past.
• Produces considerable variability in the levels of risk assessment resolution.
• Dependent on availability and applicability of data [18].
• Must be careful when setting importance criteria.

22 Preliminary Hazard Analysis (PHA) [52] It is used to identify hazards, assess the severity of potential accidents that may happen, and identify measures for reducing or eliminating the risks associated with the hazards.
• Used as a proactive technique because it identifies the weaknesses of a system at the early stages of its life, thus saving time and money [18].
• May be applied to any kind of risk analysis and to any activity or system.
• Requires additional analysis to understand more in depth and evaluate hazards and potential accidents.
• Relies heavily on the knowledge of subject matter experts [18].
23 Risk Breakdown Matrix (RBM) [23] An activity and threat matrix where the value of risk associated with each activity and the most frequent overall risks are evaluated.
• Many application possibilities in different areas.
• Individual or group technique.
• Must be careful when setting scoring criteria.
• Enables a more detailed analysis of vital factors.
• Very complex, requires training.
24 Risk Breakdown Structure (RBS) [53] It is a source-oriented grouping of project risks that defines the total risk exposure of a project. Each descending level represents an increasingly detailed definition of sources of risk to the project.
• Helps the project/risk manager to better understand recurring risks and concentrations of risks which would lead to issues that affect the status of the project.
• The level of detail depends on the available information.
25 Risk Mapping, Risk Matrix, Probability and Impact Matrix [1,13] It is a qualitative technique that can be used to evaluate and prioritise a group of risks which could significantly impact on a project.
• Allows brainstorming the most likely project risks and applying simple formulas to them.
• Aids the creation of a shared understanding of the importance of various risks to the project.
• Shortcomings result from a checklist approach (see Checklist).
• Ratings have no absolute meaning.
• Danger of prematurely defining high and low risks with no further considerations.

26 Risk Probability and Impact Assessment, Risk Ranking/ Risk Index [1] It investigates the likelihood that each specific risk will occur and the potential effects on the objectives of a project, such as time, cost, scope, or quality.
• Identifies both negative effects for threats and positive effects for opportunities.
• Results can be difficult to link to absolute risks.
• Appropriate ranking tools may not exist.
• Does not account for unique situations [18].
27 Sensitivity analysis [1,13] It helps to determine which risks have the most potential impact on a project.
• Useful for comparing the relative importance of variables that have a high degree of uncertainty to those that are more stable.
• Requires a great availability of historical data.
28 Strengths, Weaknesses, Opportunities, and Threats (SWOT) [54] The SWOT analysis provides a good framework for reviewing strategies, positions and business directions of a company or an idea.
• Individual or group technique.
• Very broad areas of application.
• Easy to use.
• Not very applicable to general idea selection.
• Mainly used in the business field.
29 SWIFT Analysis [18] It is a more structured form of the "What-if Analysis" technique and it is used to identify hazards based on brainstorming and checklists.
• Possible problems and combinations of conditions that can be problematic are described.
• Possible risk-reducing measures are identified.
• Requires a great variety of competencies of the analysis team.
30 What-if Analysis [18] It is a brainstorming technique that uses a systematic, but broad and not very structured, questioning procedure to generate descriptive information.
• Highly effective to identify system hazards.
• A simplistic approach that offers great value for minimal investment [18].
• Loose structure and reliance on judgements, likely to miss some potential problems.
• Difficult to audit for thoroughness.

• The danger in this technique lies in the unasked questions [18].
31 "5 Whys" Technique [18] It is a qualitative brainstorming technique that attempts to identify root causes of accidents by asking "why" these events did occur or conditions did exist, in order to help to get to the true causes of problems.
• Used as an effective technique for identifying root causes of accidents and determining causal factors.
• Mainly based on brainstorming that is often time consuming.
• The brainstorming process is very difficult to duplicate and the results may not be reproducible or consistent.
• It does not ensure that all the root causes can be identified.

Table 1. Project risk management techniques
The selected project risk management techniques are now classified according to the three proposed dimensions (Table 2). It is worth remarking that the techniques have been matched with the dimensions based on their most frequent applications as documented by literature and on the authors' experience. Different categorisations may be possible according to the peculiar characteristics of specific project settings.
During the entire project life cycle and in every stage of the risk management process, the nature and the quantity of available information influence the choice of the techniques that should be applied. In the conceptualisation phase decision-makers have a high degree of freedom in defining project goals and how to achieve them. However, owing to the lack of project specifications on the ways to meet the set objectives in that stage of the project, all the necessary information for a complete investigation of risk is not always available. Then, we are in an uncertain scenario characterised by a limited amount of information or in a context where the source of information is subjective. Therefore, it is necessary to build a systematic framework that can be used by decision-makers to obtain subjective judgements from experts in a clear and straightforward manner. This can be accomplished by applying "extractors" of information like Interviews or the so-called "group techniques" such as Brainstorming, Delphi, and Expert Judgment. At the same time, it is also necessary to train the experts so that they can make good judgements. Moreover, this context may only allow the strengths and weaknesses of the project to be defined, and the decision-makers may stop their risk investigation at the identification phase by means of a SWOT analysis. However, in the case of repetitive projects, the greater availability of information could allow the use of detailed tables, such as FMEA [25], and makes it possible to define occurrence probabilities and economic and/or time impacts for every alternative event. In this situation, decision-makers could move on to a quantitative analysis of risks through the use of FMECA tables, Decision Trees, and Event Tree Analysis. As a consequence, the quantity and kind of information in the conceptualisation phase usually allow risk identification and seldom also enable risk analysis.
Coming to the planning phase, the ways and means to achieve the project objectives become clearer thanks to a considerable increase in the available information, which allows a complete investigation of risks. All the techniques for risk management can be used in this project stage based on the phases of identification, analysis, and response to risk and on the type of information available. In general, the degree of knowledge and the ability to influence the course of a project are inversely proportional to each other as the project develops over time. Therefore, in the execution phase there will be a high level of knowledge about project constraints but a low ability to influence events because all the most important project and risk management choices have already been made in the previous phases. The result is that in this phase the time and economic performance resulting from the project choices and the actions undertaken to either mitigate or exploit risk can be mainly controlled and monitored. Therefore, in the execution phase the outputs obtained from the techniques applied in risk identification, analysis, or response will be revised and the results of the implementation of designed actions will be monitored by means of careful and sensible human action. In addition, in this project stage the risk management techniques used in the planning phase can be applied again to unveil new risks that have not emerged before. The termination phase is not considered by the classification in Table 2 because the risk management effort is more relevant in the previous stages of the project life cycle. Also, the risk management planning phase is not included, being less operational in nature than the subsequent phases and more focused on the strategy to deal with risk and the project goals.
Finally, the level of maturity is closely linked with the level of communication in the organisation and the availability of data/information about the project. The higher the maturity towards risk management of the project team, the more common the use of various techniques, especially the quantitative ones, during the entire risk management process. For example, the Monte Carlo simulation technique, which can be applied in the phase of quantitative risk analysis, is basically used by companies with a high level of maturity towards data and information management and hence project risk. The last column of Table 2 refers to the maturity levels proposed by Hillson [37]: the Naïve stage is not taken into account because it is not characterised by the use of any risk management technique. Also, the following notation has been used in Table 2: I = "risk Identification", QlA = "Qualitative risk Analysis", QtA = "Quantitative risk Analysis", and R = "risk Response".

Planning
Normalised, Natural
11 Fault Tree Analysis (FTA) I [22,45], QlA [11], QtA [18,11] Conceptualisation [25], Planning Normalised, Natural [18]
12 Failure Mode and Effects Analysis (FMEA)

Table 2 makes it possible to characterise each technique based on the risk management phases, the project life cycle phases, and the degree of corporate maturity towards risk for which it is most suitable. However, it does not provide a global view of how all the analysed techniques fit into the dimensions. In order to overcome this limitation, two bi-dimensional charts are built. On the one hand, Figure 1 places the techniques on a Cartesian plane according to the phases of the risk management process (x-axis) and phases of the project life cycle (y-axis) for which they can be used. On the other hand, Figure 2 compares the same techniques but against the risk management phases (x-axis) and the corporate maturity towards risk (y-axis).
These charts are intended to be a valuable means to communicate and to stimulate knowledge creation about risk. They may be used by an organisation to select a set of techniques, discuss when they are appropriate, and decide which of them could be used, how, and in which part of the project and risk management processes. Also, such representations allow further considerations to be made about the appropriateness of each technique. Figure 1 highlights that in the Planning phase of a project there are a lot of techniques that can be used. In fact, in this stage more time can be spent on strategic issues such as risk management than in the Conceptualisation stage, which usually has a quite limited duration, and in the Execution stage, which is mainly focused on the achievement of the project objectives from an operational point of view. Figure 2 graphically proves the relationship between the maturity towards risk and the phases of the risk management process that are carried out by a company. By considering the maturity model proposed by Hillson [37], a Novice level of maturity usually implies performing just risk identification. A Normalised maturity also involves a qualitative risk analysis and, in some limited cases, also risk response and monitoring and control. Finally, a Natural maturity is associated with undertaking the complete risk management process, from identification to monitoring and control, including the quantitative risk analysis. Therefore, the quantitative analysis of risk distinguishes companies with a Natural maturity level from companies having a Normalised maturity level. Additionally, in the Natural maturity level there is a complete integration between the project management and the risk management processes that allows a regular revision of the outputs of the applied risk techniques.

Discussion
Communication, information, and hence knowledge are the cardinal points for an attitude towards project risk management that goes beyond an informal approach limited to qualitative investigation. A systematic acquisition and organisation of information is a necessary step in order to move from a subjective knowledge about risk, which has to be elicited from experts, to an objective and easily accessible knowledge forming the condition for a quantitative risk analysis. The framework proposed in this chapter aims to help such transition by generating knowledge about the potentiality of application of common risk techniques. Some advantages can be identified. First of all, the developed taxonomy helps to understand how the project environment relates to risk techniques. Also, the suggested scheme provides guidelines about the most relevant dimensions that should be taken into account simultaneously in a risk management process, thus making it more comprehensive, even if it can never be complete because of the limited amount of available resources and the bounded rationality of human beings [66]. This generates knowledge based on the degree of maturity towards risk of the organisation running the project and such knowledge in turn increases the level of corporate awareness towards the instruments to tackle risk. Furthermore, the proposed framework benefits from being quite general, so that it can be easily adapted to reflect the requirements of different industries. Finally, it is suitable for both small-scale and large-scale projects.
Tangible and intangible benefits can be derived from the application of the framework. Tangible advantages are associated with decision-making and include an improved understanding of projects, giving as a consequence a better control over resources, the provision of a structured support to develop and implement monitoring strategies, and a better use of means to identify and assess risk with an inherent positive impact on the evaluation of contingencies. Among intangible benefits, facilitation of a rational risk taking and improvement of communication can be mentioned. The developed framework also encourages a more proactive approach to risk as a result of a well-planned management process. All these characteristics ultimately emphasise the integration between project and risk management.
However, the criteria and the classification of the techniques to support risk management have been derived exclusively from the available literature and from the authors' experience. Empirically testing the outcomes of this study by applying them to real projects would be of great value to validate and refine the framework.
Therefore, future research efforts will be directed towards the implementation of the framework in multiple project settings in representative industries. Enhancing the taxonomy by introducing further dimensions, such as the complexity level of a project and the degree of innovation of its product, will be considered. The degree of innovation of the product of a project is particularly interesting because it may be connected with the phases of the project life cycle. In fact, the more innovative the outcome, the more the risk management process will be concentrated in the planning phase. Conversely, the less innovative the product, the more the focus on risk in the execution phase. Additional evolutions will be concerned with a systematic analysis of the concepts of method, technique, and tool together with the study of the relationships among them, and with extending the framework to include new practices to support risk management. Finally, a further research line could deal with the integration of the proposed framework into a global project management process with the aim of overcoming the traditional separation between running a project and identifying, assessing, and controlling the associated risks.

Conclusion
The extreme importance of information and associated knowledge to ensure an effective management of risk demands paying greater attention both to the understanding of the effects of randomness in projects and to the learning of available means to capture this variability. The present work focuses on the second issue and introduces a framework to classify techniques supporting project risk management based on their purpose and the context for which they are most suitable. The main aim is to increase communication and knowledge, enabling a quantification of risk. The scheme is general and can be applied to very diverse projects in numerous industries.

Figure 1. Risk technique mapping: risk management and project life-cycle phases

Table 2. Classification of project risk management techniques

Figure 2. Risk technique mapping: risk management phases and corporate maturity levels