Introduction

The European Commission (2023) defines a project as a temporary organizational structure designed to produce a unique product or service according to specified constraints, such as time, cost, and quality. As projects are inherently complex, they involve risks that must be effectively managed (Naderpour et al. 2019). However, achieving project objectives can be challenging due to unexpected developments, which often disrupt plans and budgets during project execution and lead to significant additional costs. The Standish Group (2022) notes that managing project uncertainty is of paramount importance, which renders risk management an indispensable discipline. Its primary goal is to identify a project’s risk profile and communicate it by enabling informed decision making to mitigate the impact of risks on project objectives, including budget and schedule adherence (Creemers et al. 2014).

Several methodologies and standards include a specific project risk management process (Axelos, 2023; European Commission, 2023; Project Management Institute, 2017; International Project Management Association, 2015; Simon et al. 1997), and there are even specific standards and guidelines for it (Project Management Institute, 2019, 2009; International Organization for Standardization, 2018). Despite the differences in naming each phase or process that forms part of the risk management process, they all integrate risk identification, risk assessment, planning a response to the risk, and implementing this response. Apart from all this, a risk monitoring and control process is included. The “Risk Assessment” process comprises, in turn, risk assessments by qualitative methods and quantitative risk assessments.

A prevalent issue in managing project risks is identifying the significance of different sources of risks to direct future risk management actions and to sustain the project’s cost-effectiveness. For many managers busy with problems all over the place, one of the most challenging tasks is to decide which issues to work on first (Ward, 1999) or, in other words, which risks need to be paid more attention to avoid deviations from project objectives.

Given the many sources of risk and the impossibility of comprehensively addressing them, it is natural to prioritise identified risks. This process can be challenging because determining in advance which ones are the most significant factors, and how many risks merit detailed monitoring on an individual basis, can be complicated. Any approach that facilitates this prioritisation task, especially if it is simple, will be welcomed by those willing to use it (Ward, 1999).

Risk matrices emerge as established familiar tools for assessing and ranking risks in many fields and industry sectors (Krisper, 2021; Qazi et al. 2021; Qazi and Simsekler, 2021; Monat and Doremus, 2020; Li et al. 2018). They are now so commonplace that everyone accepts and uses them without questioning them, along with their advantages and disadvantages. Risk matrices use the likelihood and potential impact of risks to inform decision making about prioritising identified risks (Proto et al. 2023). The methods that use the risk matrix confer higher priority to those risks in which the product of their likelihood and impact is the highest.

However, the probability-impact matrix has severe limitations (Goerlandt and Reniers, 2016; Duijm, 2015; Vatanpour et al. 2015; Ball and Watt, 2013; Levine, 2012; Cox, 2008; Cox et al. 2005). The main criticism levelled at this methodology is its failure to consider the complex interrelations between various risks and use precise estimates for probability and impact levels. Since then, increasingly more academics and practitioners are reluctant to resort to risk matrices (Qazi et al. 2021).

Motivated by the drawbacks of using risk matrices or probability-impact matrices, the following research question arises: Is it possible to find a methodology for project risk prioritisation that overcomes the limitations of the current probability-impact matrix?

To answer this question, this paper proposes a methodology based on Monte Carlo Simulation that avoids using the probability-impact matrix and allows us to prioritise project risks by evaluating them quantitatively, and by assessing the impact of risks on project duration and the cost objectives. With the help of the ‘MCSimulRisk’ simulation software (Acebes et al. 2024; Acebes et al. 2023), this paper determines the impact of each risk on project duration objectives (quantified in time units) and cost objectives (quantified in monetary units). In this way, with the impact of all the risks, it is possible to establish their prioritisation based on their absolute (and not relative) importance for project objectives. The methodology allows quantified results to be obtained for each risk by differentiating between the project duration objective and its cost objective.

With this methodology, it also confers the ‘Risk Assessment’ process cohesion and meaning. This process forms part of the general Risk Management process and is divided into two subprocesses: qualitative and quantitative risk analyses (Project Management Institute, 2017). Although Monte Carlo simulation is widely used in project risk assessments (Tong et al. 2018; Taroun, 2014), as far as we know, the literature still does not contain references that use the data obtained in a qualitative analysis (data related to the probability and impact of each identified risk) to perform a quantitative risk analysis integrated into the project model. Only one research line by A. Qazi (Qazi et al. 2021; Qazi and Dikmen, 2021; Qazi and Simsekler, 2021) appears, where the authors propose a risk indicator with which they determine the level of each identified risk that concerns the established threshold. Similarly, Krisper (2021) applies the qualitative data of risk factors to construct probability functions, but once again falls in the error of calculating the expected value of the risk for risk prioritisation. In contrast, the novelty proposed in this study incorporates into the project simulation model all the identified risks characterised by their probability and impact values, as well as the set of activities making up the project.

In summary, instead of the traditional risk prioritisation method to qualitatively estimate risk probabilities and impacts, we model probabilities and impacts (duration and cost) at the activity level as distribution functions. When comparing both methods (traditional vs. our proposal), the risk prioritisation results are entirely different and lead to a distinct ranking.

From this point, and to achieve our purpose, the article comes as follows. Literature review summarises the relevant literature related to the research. Methodology describes the suggested methodology. Case study presents the case study used to show how to apply the presented method before discussing the obtained results. Finally, Conclusions draws conclusions about the proposed methodology and identifies the research future lines that can be developed from it.

Literature review

This section presents the literature review on risk management processes and probability-impact matrices to explain where this study fits into existing research. This review allows us to establish the context where our proposal lies in integrated risk management processes. Furthermore, it is necessary to understand the reasons for seeking alternatives to the usual well-known risk matrices.

Risk management methodologies and standards

It is interesting to start with the definition of ‘Risk’ because it is a term that is not universally agreed on, even by different standards and norms. Thus, for example, the International Organization for Standardization (2018) defines it as “the effect of uncertainty on objectives”, while the Project Management Institute (2021) defines it as “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives”. This paper adopts the definition of risk proposed by Hillson (2014), who uses a particular concept: “risk is uncertainty that matters”. It matters because it affects project objectives and only the uncertainties that impact the project are considered a ‘risk’.

Other authors (Elms, 2004; Frank, 1999) identify two uncertainty categories: aleatoric, characterised by variability and the presence of a wide range of possible values; epistemic, which arises due to ambiguity or lack of complete knowledge. Hillson (2014) classifies uncertainties into four distinct types: aleatoric, due to the reliability of activities; stochastic, recognised as a risk event or a possible future event; epistemic, also due to ambiguity; ontological, that which we do not know (black swan). Except for ontological uncertainty, which cannot be modelled due to absolute ignorance of risk, the other identified uncertainties are incorporated into our project model. For this purpose, the probability and impact of each uncertainty are modelled as distribution functions to be incorporated into Monte Carlo simulation.

A risk management process involves analysing the opportunities and threats that can impact project objectives, followed by planning appropriate actions for each one. This process aims to maximise the likelihood of opportunities occurring and to minimise the likelihood of identified threats materialising.

Although it is true that different authors have proposed their particular way of understanding project risk management (Kerzner, 2022; Hillson and Simon, 2020; Chapman and Ward, 2003; Chapman, 1997), we wish to look at the principal methodologies, norms and standards in project management used by academics and practitioners to observe how they deal with risk (Axelos, 2023; European Commission, 2023; International Organization for Standardization, 2018; Project Management Institute, 2017; International Project Management Association, 2015) (Table 1).

Table 1 Risk Management Processes.
Full size table

Table 1 shows the main subprocesses making up the overall risk management process from the point of view of each different approach. All the aforementioned approaches contain a subprocess related to risk assessment. Some of these approaches develop the subprocess by dividing it into two parts: qualitative assessment and quantitative assessment. Individual project risks are ranked for further analyses or action with a qualitative assessment by evaluating the probability of their occurrence and potential impact. A quantitative assessment involves performing a numerical analysis of the joint effect of the identified individual risks and additional sources of uncertainty on the overall project objectives (Project Management Institute, 2017). In turn, all these approaches propose the probability-impact or risk matrix as a technique or tool for prioritising project risks.

Within this framework, a ranking of risks by a quantitative approach applies as opposed to the qualitative assessment provided by the risk matrix. To do so, we use estimates of the probability and impact associated with each identified risk. The project model includes these estimates to determine the absolute value of the impact of each risk on time and cost objectives.

Probability-impact matrix

The risk matrix, or probability-impact matrix, is a tool included in the qualitative analysis for risk management and used to analyse, visualise and prioritise risks to make decisions on the resources to be employed to combat them (Goerlandt and Reniers, 2016; Duijm, 2015). Its well-established use appears in different sectors, ranging from the construction industry (Qazi et al. 2021), oil and gas industries (Thomas et al. 2014), to the healthcare sector (Lemmens et al. 2022), engineering projects (Koulinas et al. 2021) and, of course, project management (International Organization for Standardization, 2019; Li et al. 2018).

In a table, the risk matrix represents the probability (usually on the vertical axis of the table) and impact (usually on the horizontal axis) categories (Ale et al. 2015). These axes are further divided into different levels so that risk matrices of 3×3 levels are found with three levels set for probability and three others to define impact, 5 × 5, or even more levels (Duijm, 2015; Levine, 2012; Cox, 2008). The matrix classifies risks into different risk categories, normally labelled with qualitative indicators of severity (often colours like “Red”, “Yellow” and “Green”). This classification combines each likelihood level with every impact level in the matrix (see an example of a probability-impact matrix in Fig. 1).

Fig. 1
figure 1

Probability – impact matrix. An example of use.

Full size image

There are three different risk matrix typologies based on the categorisation of likelihood and impact: qualitative, semiquantitative, and quantitative. Qualitative risk matrices provide descriptive assessments of probability and consequence by establishing categories as “low,” “medium” or “high” (based on the matrix’s specific number of levels). In contrast, semiquantitative risk matrices represent the input categories by ascending scores, such as 1, 2, or 3 (in a 3×3 risk matrix), where higher scores indicate a stronger impact or more likelihood. Finally, in quantitative risk matrices, each category receives an assignment of numerical intervals corresponding to probability or impact estimates. For example, the “Low” probability level is associated with a probability interval [0.1 0.3] (Li et al. 2018).

Qualitative matrices classify risks according to their potential hazard, depending on where they fit into the matrix. The risk level is defined by the “colour” of the corresponding cell (in turn, this depends on the probability and impact level), with risks classified with “red” being the most important and the priority ones to pay attention to, but without distinguishing any risks in the different cells of the same colour. In contrast, quantitative risk matrices allow to classify risks according to their risk level (red, yellow, or green) and to prioritise each risk in the same colour by indicating which is the most important. Each cell is assigned a colour and a numerical value, and the product of the value is usually assigned to the probability level and the value assigned to the impact level (Risk = probability × impact).

Risk matrix use is frequent, partly due to its simple application and easy construction compared to alternative risk assessment methods (Levine, 2012). Risk matrices offer a well-defined structure for carrying out a methodical risk assessment, provide a practical justification for ranking and prioritising risks, visually and attractively inform stakeholders, among other reasons (Talbot, 2014; Ball and Watt, 2013).

However, many authors identify problems in using risk matrices (Monat and Doremus, 2020; Peace, 2017; Levine, 2012; Ni et al. 2010; Cox, 2008; Cox et al. 2005), and even the International Organization for Standardization (2019) indicates some drawbacks. The most critical problems identified in using risk matrices for strategic decision-making are that risk matrices can be inaccurate when comparing risks and they sometimes assign similar ratings to risks with significant quantitative differences. In addition, there is the risk of giving excessively high qualitative ratings to risks that are less serious from a quantitative perspective. This can lead to suboptimal decisions, especially when threats have negative correlations in frequency and severity terms. Such lack of precision can result in inefficient resource allocation because they cannot be based solely on the categories provided by risk matrices. Furthermore, the categorisation of the severity of consequences is subjective in uncertainty situations, and the assessment of probability, impact and risk ratings very much depends on subjective interpretations, which can lead to discrepancies between different users when assessing the same quantitative risks.

Given this background, several authors propose solutions to the posed problems. Goerlandt and Reniers (2016) review previous works that have attempted to respond to the problems identified with risk matrices. For example, Markowski and Mannan (2008) suggest using fuzzy sets to consider imprecision in describing ordinal linguistic scales. Subsequently, Ni et al. (2010) propose a methodology that employs probability and consequence ranks as independent score measures. Levine (2012) puts forward the use of logarithmic scales on probability and impact axes. Menge et al. (2018) recommend utilising untransformed values as scale labels due to experts’ misunderstanding of logarithmic scales. Ruan et al. (2015) suggest an approach that considers decision makers’ risk aversion by applying the utility theory.

Other authors, such as Duijm (2015), propose a continuous probability consequence diagram as an alternative to the risk matrix, and employing continuous scales instead of categories. They also propose utilising more comprehensive colour ranges in risk matrices whenever necessary to prioritise risks and to not simply accept them. In contrast, Monat and Doremus (2020) put forward a new risk prioritisation tool. Alternatively, Sutherland et al. (2022) suggest changing matrix size by accommodating cells’ size to the risk’s importance. Even Proto et al. (2023) recommend avoiding colour in risk matrices so that the provided information is unbiased due to the bias that arises when using coloured matrices.

By bearing in mind the difficulties presented by the results offered by risk matrices, we propose a quantitative method for risk prioritisation. We use qualitative risk analysis data by maintaining the estimate of the probability of each risk occurring and its potential impact. Nevertheless, instead of entering these data into the risk matrix, our project model contains them for Monte Carlo simulation. As a result, we obtain a quantified prioritisation of each risk that differentiates the importance of each risk according to the impact on cost and duration objectives.

Methodology

Figure 2 depicts the proposed method for prioritising project risks using quantitative techniques. At the end of the process, and with the prioritised risks indicating the absolute value of the impact of each risk on the project, the organisation can efficiently allocate resources to the risks identified as the most critical ones.

Fig. 2
figure 2

Quantitative Risk Assessment Flow Chart.

Full size image

The top of the diagram indicates the risk phases that belong to the overall risk management process. Below them it reflects the steps of the proposed model that would apply in each phase.

The first step corresponds to the project’s “risk identification”. Using the techniques or tools established by the organisation (brainstorming, Delphi techniques, interviews, or others), we obtain a list of the risks (R) that could impact the project objectives (Eq. 1), where m is the number of risks identified in the project.

$$R=\left[\begin{array}{c}{R}_{1}\\ {R}_{2}\\ \begin{array}{c}\ldots \\ {R}_{m}\end{array}\end{array}\right]$$
(1)

Next we move on to the “risk estimation” phase, in which a distribution function must be assigned to the probability that each identified risk will appear. We also assign the distribution function associated with the risk’s impact. Traditionally, the qualitative risk analysis defines semantic values (low, medium, high) to assign a level of probability and risk impact. These semantic values are used to evaluate the risk in the probability-impact matrix. Numerical scales apply in some cases, which help to assign a semantic level to a given risk (Fig. 3).

Fig. 3: Correspondence of the semantic level to risk probability and impact.
figure 3

Source: Project Management Institute (2017).

Full size image

Our proposed model includes the three uncertainty types put forward by Hillson (2014), namely aleatoric, stochastic and epistemic, to identify and assess different risks. Ontological uncertainty is not considered because it goes beyond the limits of human knowledge and cannot, therefore, be modelled (Alleman et al. 2018a).

A risk can have aleatoric uncertainty as regards the probability of its occurrence, and mainly for its impact if its value can fluctuate over a set range due to its variability. This aleatoric risk uncertainty can be modelled using a probability distribution function (PDF), exactly as we do when modelling activity uncertainty (Acebes et al. 2015, 2014). As the risk management team’s (or project management team’s) knowledge of the project increases, and as more information about the risk becomes available, the choice of the PDF (normal, triangular, beta, among others) and its parameters become more accurate.

A standard definition of risk is “an uncertain event that, if it occurs, may impact project objectives” (Project Management Institute, 2017). A risk, if defined according to the above statement, perfectly matches the stochastic uncertainty definition proposed by Hillson (2014). Moreover, one PDF that adequately models this type of uncertainty is a Bernoulli distribution function (Vose, 2008). Thus for deterministic risk probability estimates (the same as for risk impact), we model this risk (probability and impact) with a Bernoulli-type PDF that allows us to introduce this type of uncertainty into our simulation model.

Finally, epistemic uncertainties remain to be modelled, such as those for which we do not have absolute information about and that arise from a lack of knowledge (Damnjanovic and Reinschmidt, 2020; Alleman et al. 2018b). In this case, risks (in likelihood and impact terms) are classified into different levels, and all these levels are assigned a numerical scale (as opposed to the methodology used in a qualitative risk analysis, where levels are classified with semantic values: “high”, “medium” and “low”).

Epistemic uncertainty is characterised by not precisely knowing the probability of occurrence or the magnitude of a potential impact. Traditionally, this type of risk has been identified with a qualitative term: “Very Low”, “Low”, “Medium”, “High” and “Very High” before using the probability-impact matrix. Each semantic category has been previously defined numerically by identifying every numerical range with a specific semantic value (Bae et al. 2004). For each established range, project managers usually know the limits (upper and lower) between which the risk (probability or impact) can occur. However, they do not certainly know the value it will take, not even the most probable value within that range. Therefore, we employ a uniform probability function to model epistemic uncertainty (i.e., by assuming that the probability of risk occurrence lies within an equiprobable range of values). Probabilistic representations of uncertainty have been successfully employed with uniform distributions to characterise uncertainty when knowledge is sparse or absent (Curto et al. 2022; Vanhoucke, 2018; Helton et al. 2006).

The choice of the number and range of each level should be subject to a thorough analysis and consideration by the risk management team. As each project is unique, there are ranges within which this type of uncertainty can be categorised. Different ranges apply to assess likelihood and impact. Furthermore for impact, further subdivision helps to distinguish between impact on project duration and impact on project costs. For example, when modelling probability, we can set five probability levels corresponding to intervals: [0 0.05], [0.05 0.2], [0.2 0.5], and so on. With the time impact, for example, on project duration, five levels as follows may apply: [0 1], [1 4], [4 12], …. (measured in weeks, for example).

Modelling this type of uncertainty requires the risk management team’s experience, the data stored on previous projects, and constant consultation with project stakeholders. The more project knowledge available, the more accurate the proposed model is for each uncertainty, regardless of it lying in the number of intervals, their magnitude or the type of probability function (PDF) chosen to model that risk.

Some authors propose using uniform distribution functions to model this type of epistemic uncertainty because it perfectly reflects lack of knowledge about the expected outcome (Eldosouky et al. 2014; Vose, 2008). On the contrary, others apply triangular functions, which require more risk knowledge (Hulett, 2012). Following the work by Curto et al. (2022), we employ uniform distribution functions.

As a result of this phase, we obtain the model and the parameters that model the distribution functions of the probability (P) and impact (I) of each identified risk in the previous phase (Eq. 2).

$$\left[\begin{array}{cc}P & I\end{array}\right]=\left[\begin{array}{cc}\begin{array}{c}{P}_{1}\\ {P}_{2}\end{array} & \begin{array}{c}{I}_{1}\\ {I}_{2}\end{array}\\ \ldots & \ldots \\ {P}_{m} & {I}_{m}\end{array}\right]$$
(2)

Once the risks identified in the project have been defined and their probabilities and impacts modelled, we move on to “quantitative risk prioritisation”. We start by performing MCS on the planned project model by considering only the aleatoric uncertainty of activities. In this way, we learn the project’s total duration and cost, which is commonly done in a Monte Carlo analysis. In Monte Carlo Methods (MCS), expert judgement and numerical methods are combined to generate a probabilistic result through simulation routine (Ammar et al. 2023). This mathematical approach is noted for its ability to analyse uncertain scenarios from a probabilistic perspective. MCS have been recognised as outperforming other methods due to their accessibility, ease of use and simplicity. MCS also allow the analysis of opportunities, uncertainties, and threats (Al-Duais and Al-Sharpi, 2023). This technique can be invaluable to risk managers and helpful for estimating project durations and costs (Ali Elfarra and Kaya, 2021).

As inputs to the simulation process, we include defining project activities (duration, cost, precedence relationship). We also consider the risks identified in the project, which are those we wish to prioritise and to obtain a list ordered by importance (according to their impact on not only duration, but also on project cost). The ‘MCSimulRisk’ software application (Acebes, Curto, et al. 2023; Acebes, De Antón, et al. 2023) allows us to perform MCS and to obtain the main statistics that result from simulation (including percentiles) that correspond to the total project duration (Tot_Dur) and to its total cost (Tot_Cost) (Eq. 3).

$$\left[\begin{array}{cc}{Tot}{{\_}}{Dur} \quad {Tot}{{\_}}{Cost}\end{array}\right]$$
(3)

Next, we perform a new simulation by including the first of the identified risks (R1) in the project model, for which we know its probability (P1) and its Impact (I1). After MCS, we obtain the statistics corresponding to this simulation ([Tot_Dur1 Tot_Cost1]). We repeat the same operation with each identified risk (Ri, i = 1, …, m) and obtain the main statistics corresponding to each simulation (Eq. 4).

$$\left[\begin{array}{cc}{{Tot}{{\_}}{Dur}}_{i} & {{Tot}{{\_}}{Cost}}_{i}\end{array}\right]=\left[\begin{array}{cc}\begin{array}{c}{{Tot}{{\_}}{Dur}}_{1}\\ {{Tot}{{\_}}{Dur}}_{2}\end{array} & \begin{array}{c}{{Tot}{{\_}}{Cost}}_{1}\\ {{Tot}{{\_}}{Cost}}_{2}\end{array}\\ \ldots & \ldots \\ {{Tot}{{\_}}{Dur}}_{m} & {{Tot}{{\_}}{Cost}}_{m}\end{array}\right]$$
(4)

Once all simulations (the same number as risks) have been performed, we must choose a confidence percentile to calculate risk prioritisation (Rezaei et al. 2020; Sarykalin et al. 2008). Given that the total duration and cost results available to us, obtained by MCS, are stochastic and have variability (they are no longer constant or deterministic), we must choose a percentile (α) that conveys the risk appetite that we are willing to assume when calculating. Risk appetite is “the amount and type of risk that an organisation is prepared to pursue, retain or take” (International Organization for Standardization, 2018).

A frequently employed metric for assessing risk in finance is the Value at Risk (VaR) (Caron, 2013; Caron et al. 2007). In financial terms, it is traditional to choose a P95 percentile as risk appetite (Chen and Peng, 2018; Joukar and Nahmens, 2016; Gatti et al. 2007; Kuester et al. 2006; Giot and Laurent, 2003). However in project management, the P80 percentile is sometimes chosen as the most appropriate percentile to measure risk appetite (Kwon and Kang, 2019; Traynor and Mahmoodian, 2019; Lorance and Wendling, 2001).

Finally, after choosing the risk level we are willing to assume, we need to calculate how each risk impacts project duration (Imp_DRi) and costs (Imp_CRi). To do so, we subtract the original value of the total project expected duration and costs (excluding all risks) from the total duration and costs of the simulation in which we include the risk we wish to quantify (Eq. 5).

$$\begin{array}{c}{\left.{{Imp}{{\_}}D}_{{Ri}}\right|}_{a}={\left.{{Tot}{{\_}}{Dur}}_{i}\right|}_{a}-{\left.{Tot}{{\_}}{Dur}\right|}_{a}\\ {\left.{{Imp}{{\_}}C}_{{Ri}}\right|}_{a}={\left.{{Tot}{{\_}}{Cost}}_{i}\right|}_{a}-{\left.{Tot}{{\_}}{Cost}\right|}_{a}\end{array}$$
(5)

Finally, we present these results on two separate lists, one for the cost impact and one for the duration impact, by ranking them according to their magnitude.

Case study

In this section, we use a real-life project to illustrate how to apply the proposed method for quantitative risk prioritisation purposes. For this purpose, we choose an engineering, procurement and construction project undertaken in South America and used in the literature by Votto et al. (2020a, 2020b).

Project description

The project used as an application example consists of the expansion of an industrial facility. It covers a wide spectrum of tasks, such as design and engineering work, procurement of machinery and its components, civil construction, installation of all machinery, as well as commissioning and starting up machines (Votto et al. 2020a, 2020b).

Table 2 details the parameters that we use to define activities. The project comprises 32 activities, divided into three groups: engineering, procurement and construction (EPC). A fictitious initial activity (Ai) and a fictitious final activity (Af) are included. We employ triangular distribution functions, whose parameters are the minimum value (Min), the most probable value (Mp) and the maximum value (Max), to model the random duration of activities, expressed as days. We divide the cost of each activity in monetary units into a fixed cost (FC), independently of activity duration, and the variable cost (VC), which is directly proportional to project duration. As activity duration can vary, and the activity cost increases directly with its duration, the total project cost also exhibits random variations.

Table 2 Definition of project activities (duration and cost) from a real-life project.
Full size table

Under these conditions, the planned project duration is 300 days and has a planned cost of 30,000 (x1000) monetary units. Figure 4 shows the Planned Value Curve of the project.

Fig. 4
figure 4

Planned value curve of the real-life project.

Full size image

The next step in the methodology (Fig. 2) is to identify the project risks. To do this, the experts’ panel meets, analyses all the project documentation. Based on their personal experience with other similar projects and after consulting all the involved stakeholders, it provides a list of risks (see Table 3).

Table 3 Identification of the risks from the real-life project.
Full size table

It identifies 11 risks, of which nine have the potential to directly impact the project duration objective (R1 to R9), while six may impact the cost objective (R10 to R15). The risks that might impact project duration and cost have two assigned codes. We identify the project phase and activity on which all the identified risks may have an impact (Table 3).

The next step is to estimate the likelihood and impact of the identified risks (qualitative analysis). Having analysed the project and consulted the involved stakeholders, the team determines the project’s different probability and impact levels (duration and cost). The estimation of these ranges depends on the project budget, the estimated project duration, and the team’s experience in assigning the different numerical values to each range. As a result, the project team is able to construct the probability-impact matrix shown in Fig. 5.

Fig. 5
figure 5

Estimation of the probability and impact ranges.

Full size image

Each probability range for risk occurrence in this project is defined. Thus for a very low probability (VL), the assigned probability range is between 0 and 3% probability, for a low level (L), the assigned range lies between 3% and 10% probability of risk occurrence, and so on with the other established probability ranges (medium, high, very high).

The different impact ranges are also defined by differentiating between impacts in duration and cost terms. Thus a VL duration impact is between 0 and 5 days, while the same range (VL) in cost is between 0 and 100 (x1000) monetary units. Figure 5 shows the other ranges and their quantification in duration and cost terms.

The combination of each probability level and every impact level coincides in a cell of the risk matrix (Fig. 5) to indicate the risk level (“high”, “medium”, and “low”) according to the qualitative analysis. Each cell is assigned a numerical value by prioritising the risks at the same risk level. This work uses the matrix to compare the risk prioritisation results provided by this matrix to those provided by the proposed quantitative method.

A probability and impact value are assigned to each previously identified risk (Table 3). Thus, for example, for the risk called “Interruptions in the supply chain”, coded as R3 for impacting activity 13 duration, we estimate an L probability and a strong impact on duration (H). As this same risk might impact the activity 13 cost, it is also coded as R12, and its impact on cost is estimated as L (the probability is the same as in R3; Table 3).

Finally, to conclude the proposed methodology and to prioritise the identified risks, we use the “MCSimulRisk” software application by incorporating MCS (in this work, we employ 20,000 iterations in each simulation). Activities are modelled using triangular distribution functions to incorporate project information into the simulation application. Costs are modelled with fixed and variable costs depending on the duration of the corresponding activity. Furthermore, risks (probability and impact) are modelled by uniform distribution functions. Figure 6 depicts the project network and includes the identified risks that impact the corresponding activities.

Fig. 6
figure 6

Network diagram of the project together with the identified risks.

Full size image

Results and discussion

In order to obtain the results of prioritising the identified risks, we must specify a percentile that determines our risk aversion. This is the measure by which we quantify the risk. Figure 7 graphically justifies the choice of P95 as a risk measure, as opposed to a lower percentile, which corroborates the view in the literature and appears in Methodology. In Fig. 7, we plot the probability distribution and cumulative distribution functions corresponding to the total project planned cost, together with the cost impact of one of the risks. The impact caused by the risk on the total cost corresponds to the set of iterations whose total cost is higher than that planned (bottom right of the histogram).

Fig. 7: Distribution function and cumulative distribution of the Total Planned Cost and cost risk impact.
figure 7

Source: MCSimulRisk.

Full size image

By choosing P95 as VaR, we can consider the impact of a risk on the project in the measure. In this example, for P95 we obtain a total cost value of 3.12 × 107 monetary units. Choosing a lower percentile, e.g. P80, means that the value we can obtain with this choice can be considerably lower (3.03 × 107 monetary units), and might completely ignore the impact of the risk on the total project cost. However, project managers can choose the percentile that represents their risk aversion.

Once the percentile on which to quantify the risk is chosen, the “MCSimulRisk” application provides us with the desired results for prioritising project risks (Fig. 8). For the chosen percentile (P95), which represents our risk appetite for this project, the planned project duration is 323.43 days. In other words, with a 95% probability the planned project will be completed before 323.43 days. Similarly, the P95 corresponding to cost is 30,339 ×1000 monetary units. The application also provides us with the project duration in the first column of Fig. 8 after incorporating all the identified risks (corresponding to a P95 risk appetite) into the planned project. Column 2 of the same figure shows the project cost after incorporating the corresponding risk into the model.

Fig. 8: Monte Carlo simulation results with “MCSimulRisk”.
figure 8

The first column corresponds to the risks identified. Columns Duration_with_Ri and Cost_with_Ri represent the simulation values, including the corresponding risk. Columns Difference_Duration_with_Ri and Difference_Cost_with_Ri represent the difference in duration and cost of each simulation concerning the value obtained for the chosen percentile. Finally, Ranking_Dur and Ranking_Cost represent the prioritisation of risks in duration and cost, respectively.

Full size image

With the results in the first two columns (total project duration and cost after incorporating the corresponding risks), and by knowing the planned total project duration and cost (without considering risks) for a given percentile (P95), we calculate the values of the following columns in Fig. 8. Thus column 3 represents the difference between the planned total project duration value (risk-free) and project duration by incorporating the corresponding risk that we wish to quantify. Column 4 prioritises the duration risks by ranking according to the duration that each risk contributes to the project. Column 5 represents the difference between the planned total project cost (risk-free) and the total project cost by incorporating the corresponding risk. Finally, Column 6 represents the ranking or prioritisation of the project risks according to their impact on cost.

To compare the results provided by this methodology in this paper we propose quantitative risk prioritisation, based on MCS. We draw up Table 4 with the results provided by the probability-impact matrix (Fig. 5).

Table 4 Comparison of risk prioritisation: Probability-Impact Matrix & Proposed Method.
Full size table

The first set of columns in Table 4 corresponds to the implementation of the risk matrix (probability-impact matrix) for the identified risks. The second group of columns represents the prioritisation of risks according to their impact on duration (data obtained from Fig. 8). The third group corresponds to the risk prioritisation according to their impact on cost (data obtained from Fig. 8).

For the project proposed as an example, we find that risk R3 is the most important one if we wish to control the total duration because it corresponds to the risk that contributes the most duration to the project if it exists. We note that risks R10 to R15 do not impact project duration. If these risks materialise, their contribution to increase (or decrease, as the case may be) project duration is nil.

On the impact on project costs, we note that risk R15 is the most important. It is noteworthy that risk R5 is the fourth most important risk in terms of impact on the total project costs, even though it is initially identified as a risk that impacts project duration. Unlike cost risks (which do not impact the total project duration), the risks that can impact project duration also impact total costs.

We can see that the order of importance of the identified risks differs depending on our chosen method (risk matrix versus quantitative prioritisation). We independently quantify each risk’s impact on the cost and duration objectives. We know not only the order of importance of risks (R3, R5, etc.) but also the magnitude of their impact on the project (which is the absolute delay caused by a risk in duration terms or what is the absolute cost overrun generated by a risk in cost terms). It seems clear that one risk is more important than another, not only because of the estimation of its probability and impact but also because the activity on which it impacts may have a high criticality index or not (probability of belonging to the project’s critical path).

As expected, the contribution to the total duration of the identified risks that impact only cost is zero. The same is not valid for the risks identified to have an impact on duration because the latter also impacts the cost objective. We also see how the risks that initially impact a duration objective are more critical for their impact on cost than others that directly impact the project’s cost (e.g. R5).

Conclusions

The probability-impact matrix is used in project management to identify the risk to which the most attention should be paid during project execution. This paper studies how the risk matrix is adopted by a large majority of standards, norms and methodologies in project management and, at the same time, practitioners and academics recognise it as a fundamental tool in the qualitative risks analysis.

However, we also study how this risk matrix presents particular problems and offers erroneous and contradictory results. Some studies suggest alternatives to its use. Notwithstanding, it continues to be a widely employed tool in the literature by practitioners and academics. Along these lines, with this work we propose an alternative to the probability-impact matrix as a tool to know the most critical risk for a project that can prevent objectives from being fulfilled.

For this purpose, we propose a quantitative method based on MCS, which provides us with numerical results of the importance of risks and their impact on total duration and cost objectives. This proposed methodology offers significant advantages over other risk prioritisation methods and tools, especially the traditional risk matrix. The proposed case study reveals that risk prioritisation yields remarkably different results depending on the selected method, as our findings confirm.

In our case, we obtain numerical values for the impact of risks on total duration and cost objectives, and independently of one another. This result is interesting for project managers because they can focus decision-making on the priority order of risks and the dominant project objective (total duration or total cost) if they do not coincide.

From the obtained results, we find that the risks with an impact on the cost of activities do not influence the total duration result. The risks that impact project duration also impact the total cost target. This impact is more significant than that of a risk that impacts only the activity’s cost. This analysis leads us to believe that this quantitative prioritisation method has incredible potential for academics to extend their research on project risks and for practitioners to use it in the day-to-day implementation of their projects.

The proposed methodology will allow project managers to discover the most relevant project risks so they can focus their control efforts on managing those risks. Usually, implementing risk response strategies might be expensive (control efforts, insurance contracts, preventive actions, or others). Therefore, it is relevant to concentrate only on the most relevant risks. The proposed methodology allows project managers to select the most critical risks by overcoming the problems exhibited by previous methodologies like the probability-impact matrix.

In addition to the above, the risk prioritisation achieved by applying the proposed methodology is based on quantifying the impacts that risks may have on the duration and cost objectives of the project. Finally, we achieve an independent risk prioritisation in duration impact and project cost impact terms. This is important because the project manager can attach more importance to one risk or other risks depending on the priority objective that predominates in the project, the schedule or the total cost.

Undoubtedly, the reliability of the proposed method depends mainly on the accuracy of estimates, which starts by identifying risks and ends with modelling the probability and impact of each risk. The methodology we propose in this paper overcomes many of the problems of previous methodologies, but still has some limitations for future research to deal with. First of all, the results of simulations depend on the estimations of variables (probability distributions and their parameters, risk aversion parameters, etc.). Methodologies for improving estimations are beyond the scope of this research; we assume project teams are sufficient experts to make rational estimationsbased on experience and previous knowledge. Secondly, as risks are assumed to be independent, the contribution or effect of a particular risk can be estimated by including it in simulation and by computing its impact on project cost and duration. This is a reasonable assumption for most projects. In some very complex projects, however, risks can be related to one another. Further research should be done to face this situation.

As an additional research line, we plan to conduct a sensitivity study by simulating many different projects to analyse the robustness of the proposed method.

Finally, it is desirable to implement this methodology in real projects and see how it responds to the reality of a project in, for example, construction, industry, or any other sector that requires a precise and differentiated risk prioritisation.