
Risk Management as an Immune System

Pascal Bohulu Mabelo highlights the need for continuous Risk Management as an 'immune system' rather than a reactive measure to crises.

By Pascal Bohulu Mabelo 13 Jul 2024

While there are indications that many project organisations, including those involved in Large Infrastructure Projects, do not take Risk Management (RM) seriously, a closer look would suggest they would rather relegate it to an ad-hoc, optional extra, or nice-to-have practice. For instance, on a multi-billion Rand capital programme, the executive committee once turned down a seasoned RM practitioner; instead, an individual with no proper training was assigned to learn on the job. It is rare to come across a properly constituted RM team, with Risk Management professionals; if they have not merely appointed a lone ranger practitioner, RM would be neglected altogether.

To many organisations, Risk Management is like a buckler one shall only raise when the situation around the project gets “risky”, not something that should always remain activated. As a result, the entire concept of Risk Management is typically employed either at the project's outset or, more commonly, when setbacks or impending massive cost and schedule overruns threaten the project.

The author contends that Risk Management should serve as the “immune system” for the project at all times, not only when a threat lurks around; it should not resemble the near-blind man who only puts on his pair of glasses afterwards, to figure out how to climb out of a ditch he could not see and has fallen into. Is prevention (i.e., an ongoing approach to RM) not better than cure (i.e., a sporadic approach)?

Risk Management and Project Delivery  

Organisations involved in “risky” initiatives (e.g., projects) should implement risk treatments to reduce residual risks to levels acceptable to stakeholders and ensure efficiency and effectiveness—to protect an organisation from potential losses or threats to its continued operation [1]. Both the PMBoK (on Project Management) and ISO 31000 (on Risk Management) concur that the aim of Project Risk Management (PRM) should be to increase the “likelihood of success” in projects:

  1. “The objectives of Project Risk Management are to increase the probability and impact of positive events, and decrease the probability and impact of negative events in the project.” [19]
  2. “Risk Management increases the likelihood of an organisation [e.g., project] performing as planned by identifying and managing barriers to meeting objectives in advance [...]” [11]

However, poor Risk Management is a constant feature of project failures, even in well-established organisations. Thus, in a previous PRM article, the author laments that Project Risk Management is usually not an integral part of core delivery activities, especially in Large Infrastructure Projects.  

“One of the pernicious causes of ineffective application of PRM could stem from its processes not being reconciled to Project Life Cycle methodologies—it shall become an integral part of every phase, process group and aspect of managing the project.” [11]

Especially in Large Infrastructure Projects, given their VUCA properties (Volatility/Vulnerability, Uncertainty, Complexity, Ambiguity), it is not a matter of whether project outcomes might stray from objectives, but rather the extent and impact of these deviations. Risk Management constitutes a tool of choice in ensuring that investments in infrastructure delivery will provide benefits to the various stakeholders by meeting objectives. A failure to manage project risks will often lead to complications and failure of the project; things ought not to be happening in this unfortunate way. “Research has proven […] that project performance could be improved considerably with Risk Management. This is simply because 70% to 90% of the problems encountered on most projects are predictable and preventable. Risk analyses at the onset of any project will highlight these problems and will increase the chance of completing the project successfully. It will also enable project managers to reduce the time they spend putting out fires.”[9]  

Many project teams still fail to identify and manage “predictable and preventable problems” due to three shortcomings or flaws in Risk Management methodologies and approaches, two of which were previously discussed by the author in separate publications, the third being the object of this article:  

  1. “A major drawback of common Risk Management standards (e.g., ISO 31000, AS/NZS 4360) is in their leaving it to delivery organisations to incorporate the elements of the PRM processes into their project delivery framework […] our current experience is that most organisations fail to articulate ‘how much’ Risk Management should be applied at a specific phase of the Life Cycle. As a result, project risk practitioners either only apply it at the onset (i.e., to produce a Risk Register), or will regurgitate risk-related activities over and over—focussing generally on [the same] construction risks.” [12]
  2. “Seeing that ‘Establish Context’ as a Risk Management assessment step provides the understanding that supports the interpretation and appreciation of the outcomes of any ensuing processes, as well as the validation of proposed Risk Treatment measures, a holistic outlook of the Project Context is required. The author argues that any blind spots in the ‘context’ will reflect in and cripple the PRM; treating both wrong (i.e., irrelevant) and false (i.e., inapplicable) risks is detrimental to the project.” [13]

The Large Infrastructure Projects (LIPs) industry will benefit from the greater awareness of fallacies, flaws, and remedies in the management of project risks these three insights provide in their totality.

In a recent Project Risk Management survey, 45.5% of respondents observed that 10% to 50% of their projects have failed—while 54.5% perceived it to be between 50% and 70% [13]. Most organisations experience project failures; they just seem to diverge as to how many are failing. Owing to a few shortcomings, PRM continues to disappoint, even across the Southern Africa region.

“Experience reveals that risk management practices are still not widely used, and that the concept of risk efficiency [as immune system] may be a key aspect in best practice projects […]. Only a limited number of projects have used any kind of risk management practices, and many have only used some but not all the available tools.” [6]

Just as “The body without the spirit is dead” (Bible; James 2: 26), the delivery of Large Infrastructure projects without Risk Management would only lead to complications, failure, and disillusionment. Think of socio-economic opportunities that will be delayed, or forfeited, to the peril of stakeholders.  

The ensuing sections will explore the concept of the “immune system” both in its broader sense and its pertinence to project delivery—and the wider organisation, including at other management levels.  

Immune System and Project Delivery

Every organisation, as a living entity or organism, whether complex or otherwise, would face hostile circumstances. Large Infrastructure Projects, due to their nature as technological systems nested in socio-economic environments, are prone to adverse circumstances—more so than smaller projects. Treating Large Infrastructure Projects as isolated from their environment is quite widespread in the industry; however, this stance will scarcely allow them to evolve to success in such an environment.  

“All organisms are connected in a complex web of relationships. Although many of these are benign, not all are, and everything alive devotes significant resources to identifying and neutralizing threats from other species. From bacteria through to primates, the presence of some kind of effective immune system has gone hand in hand with evolutionary success.” [18]

Failing to “devote significant resources” to establishing and/or nurturing an “immune system” may prove fatal to project (e.g., LIPs) delivery; a good place to take care of this need is through PRM.  

The author has previously alluded to Risk Management serving as the “immune system” in projects. Indeed, such an innovative insight was incidentally unwrapped in the two above-mentioned articles:  

“Again, the emphasis is on ‘managing both positive and negative events’ to steer the project toward its objectives, as discussed earlier. On such note, one may suggest that Project Risk Management (PRM) constitutes the ‘immune system’ of the infrastructure project; it provides the ‘intelligence’ to detect and protect the project against anything (or lack thereof) that could prevent/hinder and/or diminish/delay the achievement of project objectives—should PRM fail, the project will soon suffer.” [12]

“In as much as the increasing complexity of Large Infrastructure Projects today requires a substantial contribution of Systems Thinking and Systems Engineering to ensure successful (system) delivery, Risk Management ought to similarly benefit from the concepts, principles and practices arising from ‘the world of systems’ to advance and promote PRM as a useful ‘immune system’ in LIPs delivery.” [13]

The relevance of likening project delivery to an “immune system” is detailed in the next section (Three Levels of Project Risk Management). However, it is prudent to explore this concept first: what is the “immune system”, what are its aims, and how does it function in living organisms?

In a nutshell, the “immune system” is an intricate biological defence network that safeguards the (living) body by identifying, neutralising, and remembering threats, such as pathogens and foreign substances, to maintain health and combat illness— “wellbeing-seeking” and “reparative” outlooks.  

“The immune system is a complex network of organs, cells and proteins that defends the body against infection, whilst protecting the body’s own cells. The immune system keeps a record of every germ (microbe) it has ever defeated so it can recognise and destroy the microbe quickly if it enters the body again. Abnormalities of the immune system can lead to allergic diseases, immunodeficiencies and autoimmune disorders.” [3]

The effectiveness of an immune system lies in its capacity to interpret changes in the environment and respond suitably thereto—the “intelligence”. An effective immune system entails four critical attributes—i.e., discrimination, flexibility, infection management, and memory—to address distinct challenges encountered during the organism’s lifecycle. These attributes are elaborated as follows:  

Discrimination

The immune system grapples with its relationship to the environment, often encountering new elements that are mostly harmless. Yet, the rare instances where these encounters pose a threat can be sufficiently perilous. A proficient immune system distinguishes between harmless and perilous foreign elements, discerning what element belongs to the body and what does not.  

In the same vein, an effective PRM regimen should scan the project environment to detect risk items and proceed to categorise them based on their capacity to hinder/lessen project success.

Flexibility

Adaptable responses to environmental shifts are pivotal for combatting infections and cancer. Continuous cell renewal in our bodies raises infection (viz, project errors) and cancer (viz, overruns) risks. Each cell division bears a chance of unpredictable mutations leading to cancer, while infections swiftly evolve to evade detection. Coping with this uncertainty challenges an effective immune system. To address this, the immune system invests in strategies embracing random changes. Despite creating some inefficiencies, this approach ensures adaptability.  

Organisations should invest in a PRM that detects errors and prevents overruns not only from one project to the next (each being unique) but also in varied project environments or contexts.

Managing Infection

Pathogens require access to individual cells for infection, countered by skin and mucous membranes serving as deterrents. These (externally faced) barriers foster a healthy microbial community, inhibiting harmful organisms. If pathogens breach these defences, the immune system neutralises each pathogen individually after specific strategies allow entry into cells. 

However, if pathogens establish themselves (or accumulate) within cells or lead to cancerous cells, eliminating them becomes necessary. Yet, immune responses to eradicate these threats may endanger the host—by killing both good and bad cells. This balance between immunity and vulnerability, if understood, may yield therapies fortifying defences against pathogens.  

Likewise, the adopted PRM must consist of multiple, but different “lines of defence” to prevent the diverse types/stages of risks to the project from both internal and external environments. There will be instances of (i) barring, (ii) defeating, and (iii) ostracising risks to the project.

Memory

A critical aspect of the immune response is its memory (extended across the body) of prior infections, guarding against reinfection and limiting community spread. Cells remain alert in vulnerable areas, and ready to swiftly counter reinfection. This aspect of the immune response underlies the enduring benefit of vaccination, e.g., measles immunity can last over 3000 years.  

Certain infections (viz, project errors and other inadvertences) influence species' evolution by shaping (or mutating) immune system structures and recognition methods. Survival against lethal infections drives genetic evolution, unveiling insights into host-infection co-evolution.

It follows that an effective PRM ought to gather “lessons learned” from previous projects and previous risk “exposures” (whether error- or overrun-causing), especially those that might have altered or distorted the project environment—worse still, have affected the meta-system.

Three Levels of Project Risk Management

The foregoing elaboration of the four characteristics of an efficient immune system, when examined from a remedial outlook (i.e., addressing pathologies in project delivery performance) shall support the adoption of a PRM involving three “Lines of defence”, consistent with a generic immune system. The idea is to ensure, as it applies to mammals, that no part of the project is cut off from immunity.  

“The problems that the mammalian immune system solves are not restricted to higher animals; they are faced by all forms of life and are ignored by none […] It is a fundamental property of immunity that no part of our body is cut off from its surveillance. For this reason, although the immune system may seem a less substantial thing than an organ such as the heart or the liver, in aggregate, immunity consumes enormous resources, producing the large number of cells that it depends on for successful functioning.” [19]

The medical field asserts that the mammalian immune system (unlike in the plant world) works in three distinct stages; namely, (i) Surface Barrier, (ii) Innate Response, and (iii) Adaptive Response:

Surface Barrier

The body uses surface barriers—physical, chemical, and biological defences—to fend off invading pathogens. Systems like respiratory, digestive, urinary, and reproductive use bodily fluids (e.g., saliva or tears) to block germs; also, skin, and mucous membranes, housing the body’s normal flora, create competition for nutrients and space, forming biological barriers.

Innate Response

Upon breaching surface defences (e.g., through skin wounds), pathogens face the immediate, but nonspecific response of the innate immune system. Inflammation starts as macrophages ingest the pathogen and attract more immune cells releasing cytokines—which widen blood vessels and boost blood flow, as neutrophils kill pathogens via enzymes or oxidative bursts.

Adaptive Response

If the innate response falters, the adaptive immune system kicks in, targeting the invader and creating a “memory” for future encounters. White blood cells, derived from bone marrow, play pivotal roles. Antigen-presenting cells, like dendritic cells, present pathogen fragments in lymph nodes to matching T-cells or B-cells, ensuring “specificity”. These cells expand, forming memory cells for future encounters, while antibodies shield against any reinfections.  

The ultimate purpose of the aforementioned “Lines of Defence” (LoDs) is to ensure that any relevant risk item (concerning the project at hand) is addressed by an effective provision of the adopted Risk Management regimen in place in the organisation involved in project delivery, albeit as the owner.  

However, this provision only satisfies the structural perspective (i.e., covering every component) of the Project Risk Management (PRM) requirements. Such an “immunity shield” ought to also satisfy the temporal perspective and its requirements; hence, it shall apply throughout the project life cycle. “The purpose of the Risk Management Process is to identify, analyse, treat, and monitor the risks continuously. The Risk Management Process is a continuous process for systematically addressing risk throughout the [entire] life cycle of a system product or service. It can be applied to risks related to the acquisition, development, maintenance, or operation of a system […]” [9]

In the highly appreciated event of the adopted Project Risk Management (PRM) effectively serving as the immune system of the project at hand, the corollary conclusion would vindicate the author’s argument that consistently poor project outcome is an omen of a failed Risk Management. “Bad or poor project outcomes, when persistent in a certain context, are generally a sign of a failure or a lack of Risk Management in Large Infrastructure Projects […] Should the applied PRM [regimen] fail, the project will eventually flounder or fail.” [12]

This assertion should not confer a “get-out-of-jail-free card” to other project disciplines or practices; it means the PRM regimen should be the first place to check for “pathologies” in project delivery. An effective PRM (working as an immune system) should be able to pinpoint any areas of the project that need therapy or surgery—a dysfunctional PRM (without an immune system) would leave you wondering as to what could be miscarrying, failing, or causing the entire project delivery to flounder. Alas, the Auditor General of South Africa found in 2011 that 69% of state-owned companies failed to comply with regulatory requirements on RM, while 51% did not maintain effective RM strategies. (God knows what delivery dysfunctions occurred in those companies—which nobody could detect!)  

To prevent such an unfortunate predicament, an effective Risk Management regimen should prove effective and include, of necessity (viz, sine qua non), three “Lines of Defence” (LoDs) as follows:

  • 1st Line of Defence—a domain of “project delivery”, activated by project managers and other vendors;  
  • 2nd Line of Defence—a domain of “project governance”, activated by project directors and sponsors;  
  • 3rd Line of Defence—a domain of “project strategy”, activated by executives and independent advisors.  

These Lines of Defence (LoDs) are graphically represented in Figure 1 below, in a manner that reflects the relevant actors, their levels of Risk Management concerns, and their “systemic” focus.  

Figure 1 — Three Lines of Defence and Project Risk Management [5]

These three “Lines of Defence” correspond bijectively to the three stages of the immune system. Thus, the First Line of Defence corresponds to the “Surface Barrier”, the Second Line of Defence to the “Innate Response”, and the Third Line of Defence to the “Adaptive Response”—one-to-one. Therefore, in keeping with the principle of the bijective correspondence between the three stages of the immune system and the three Lines of Defence (LoDs) of effective Risk Management, the PRM implications to the delivery of Large Infrastructure Projects (LIPs) could be summarised as follows:

PRM First Line of Defence (viz, Surface Barrier)

The PRM should also include mechanisms that function as barriers to risks protecting the project from events (or chains of events) and conditions that might hinder or diminish project success. This is where project team members and other vendors employ day-to-day Risk Management; e.g., once-off instances such as a supplier running late, unanticipated price-hike on materials, and presidential tax rebates before elections could discretely or jointly affect project objectives.  

Personnel operating at this level ought to have been trained in RM, say, “to nip risks in the bud” and not allow them entry or accommodate their “accumulation” into the project environment. Nevertheless, risk items that proved stubborn at this level must be escalated to the Second Line.

PRM Second Line of Defence (viz, Innate Response)

The PRM should include mechanisms that assess patterns and trends of adverse circumstances (i.e., events, chains of events, and conditions) across project delivery to provide oversight and direction of the Risk Management efforts. Any recurrent and long-range risk items across the project environment ought to be reviewed and synthesised at this level to propose remedies. For instance, risks that keep manifesting (or are likely to do so) like a supplier who is often late, recurring floodings that delay production, or frequent export opportunities shall be treated here.

However, current experience will suggest that many, if not most project delivery organisations suffer from a failure or lack of the crucial Second Line of Defence. Consequently, issues at this level (e.g., frequent theft of tools) will often find themselves being discussed at the board level. Only risk states of affairs that call for a strategic adjustment shall be escalated to the Third Line.

PRM Third Line of Defence (viz, Adaptive Response)

The PRM should more importantly include mechanisms and processes that seek to influence or change the environment, whether internal or external, for the organisation involved in project delivery to bear or elude adverse circumstances (i.e., events, chains of events, and conditions).  

Such adverse circumstances could arise from “systemic arrangements” (i.e., the way things are), as well as from prevailing “mental models” (i.e., the way people are, or ought to be, thinking). Any happenings that could alter how the business is (should be) operating are addressed here.  

The idea is to “reposition” the environment, whether internal or external, in a way that protects the pursuance and/or fulfilment of the project objectives and goals—securing project success. The Third Line of Defence leverages policies and management systems (or changes thereto) to reposition the business ecosystem based on feedback from independent controls and validation. In this Third Line of Defence, the “memory” attribute of the immune system comes to the fore; not only lessons learned are compiled from feedback, but policies also impose “mental models”.  

It must follow from this elaboration of the Three Lines of Defence (LoDs) that Risk Management should not be limited to the project “operational” level, but it ought to also permeate the organisation. 

Interface with Enterprise Risk Management

It was earlier pointed out that “From bacteria through to primates, the presence of some kind of effective immune system has gone hand in hand with evolutionary success” [18].

Just as no project part (i.e., scope) or phase (i.e., lifecycle) should be cut off from the immunity that PRM provides, the same principle ought to apply to any organisations involved in project delivery.

In addition to risks arising from their market interests and operational activities (“run-the-business”), organisations find themselves impelled to manage risks regarding projects (“change-the-business”). The prevalent lopsided attention to strategic and operational risks alone has left many organisations bleeding on the project side. Many executives and directors brazenly decline to discuss project risk matters; “Such shall be left to those engineers or blue-collar fellows to deal with—we talk business”. This attitude is counterproductive since what happens in projects will soon catch up with business.  

“[…] (2) Escalations and inflation costs, due to increases in prices of goods and/or services in the general economy, and particularly in the construction and related industries […] (4) Opportunity costs due to other investments being delayed, interests forfeited or loss of goodwill, and more importantly, loss of potential clients/customers by the time the facility is eventually complete [following schedule overruns]. These financial repercussions are debilitating to the economics of projects, to the business, and the country’s overall economy. They might even destroy ‘value’ in the projections of the Net Present Value (NPV), Income Statement, and Balance Sheet. For these reasons, the project manager (and the project board) must know when to stop—i.e., to abort the project and cut their losses.” [14]

“As we look back over the past 23 years at IPA customers [involved in projects] that have disappeared, all but one of them grossly overspent for their capital assets.” [15]

More organisations are learning the hard way that every sphere of the hierarchy should be involved in the management of project risks, some of which are in fact in the province of executive managers. Think of these risks: sovereign, regulatory, policy/strategic, social acceptance, market, financial, and supply risks—what actions can the project manager take to address such challenges?  

It is no wonder that Project Risk Management, even when considering the essence of Figure 1 above, shall be construed as “everybody’s business”. Some (e.g., project team) will handle it at the project level, others (e.g., executives and directors) will handle it at business or strategic levels—everybody. “Risk Management is no longer confined solely to risk management specialists. Stakeholders ranging from employees to investors [as well as executive management] must understand how to quantify the trade-offs of risk against the potential returns. The failure to understand the essential nature of risk can have devastating consequences [on projects].” [7]

“[But] There can’t be a meaningful dialogue about risk and risk management if only one party to the conversation understands the significance of what is being said.” [7]

Two more points must be made here: (i) as much as executive management will stretch themselves to play a PRM role, project managers, in turn, shall also endeavour to grasp strategic and operational risks that have a bearing on project goals and plans; and (ii) while everybody should get involved in Risk Management, there should still be a Project Risk Manager appointed to facilitate these efforts.  

Indeed, the current practice of expecting a lone ranger and under-resourced Project Risk Manager to provide and sustain Risk Management efforts across most projects is not practical, nor reasonable. “Thus, the proper role of the ‘Project Risk Manager’, whether from inside or outside an organisation, is not to manage risks for projects, but to encourage [or teach] and facilitate the management of risks by project personnel themselves—and any other external stakeholders, as appropriate. Hence, the ‘Project Risk Manager’ [or perhaps a team] should provide relevant stakeholders with information, knowledge, understanding, and motivation that can enable them to manage project risks more effectively than they would otherwise.” [13]

Furthermore, seeing that such a facilitation role will be played across the whole hierarchy, through all Lines of Defence, the assigned Project Risk Manager will need knowledge and expertise beyond the project delivery domain to also encompass business, strategic, and operational aspects. Or else, the entire Risk Management regimen will turn dysfunctional to the peril of the organisation.  

Pathologies Linked to Project Risk Management

So far, an argument has been made about the necessity and benefits of an effective immune system.  

What then happens to organisms or projects in the unfortunate event of a defective immune system? An underdeveloped or crippled immune system causes pathologies to both organisms and projects.  

“Rarely, but regularly, individuals are born without an effective immune system […] Such children have a limited life expectancy. Without immunity, they are repeatedly attacked by the organisms that afflict all of us […] Less dangerous, but still severe, are mutations that cripple a particular arm of the immune response […] Patients with deficiencies in their natural killer cells are highly susceptible to herpesvirus infections [i.e., a disease which causes painful red spots to appear on the skin]. Patients who have macrophages that cannot digest the bacteria that they eat, develop recurrent abscesses that are difficult to treat.” [18]

Projects with a dysfunctional PRM (i.e., with a defective immune system) will tend to suffer from “recurrent abscesses that are difficult to treat”—worse yet, suffer “a very limited life expectancy”. Examples abound of Large Infrastructure Projects having suffered massive overruns due to recurrent risks they could not address (i.e., identify or manage) and some others that were simply terminated. Such deficiencies ranging from immunosuppression (crippled immunity) to autoinflammation (due to mutated immunity) to autoimmunity (attacks on healthy cells) to allergies (inappropriate immune response) are introduced in Table 1 below—it also describes their equivalent PRM manifestations.

One of the reasons PRM or Risk Management in general is not taken seriously could be summarised by this controversial but widespread statement, “Risk Management doesn’t work on large projects”. Ironically, it is within those large and complex projects that Risk Management is needed the most; still, if its significance is being questioned by management, no wonder they resent investing in it. The reality, however, is that Project Risk Management is relevant to Large Infrastructure Projects—this paper does a decent job of establishing the rationale and requirements of an effective PRM. Rather than “spray-paint everything in black”, one should point out and discuss its few pathologies.

Thus, it shall be said aloud that Project Risk Management works, even in large and complex projects. Of course, like in every other discipline of projects, it only works well when effectively employed. It would be unfair to expect remarkable results from PRM where, as is the case in many industries today:  

  1. Resources are not significantly devoted to managing risk (e.g., “one-man-show” syndrome);  
  2. Risk Management is limited to projects—at times, isolated from other management spheres;
  3. Ineptitudes (due to fractional processes, lack of skills, fallacies, etc) are not timely addressed. 

These common shortcomings would usually manifest as pathologies to the PRM system as follows:  

| Immunity Pathologies | Manifestations in Organisms | Manifestations in PRM |
| --- | --- | --- |
| Frequent Infections [Will affect any LoD] | A compromised immune system fails to provide adequate defence against infections due to its reduced ability to protect the body from pathogens; thus allowing “opportunistic” infections. | An inadequate PRM regimen will fail to protect projects against risks arising from its environment—so, ‘anything that could go wrong would go wrong’. Thus, project teams will be locked into a never-ending cycle of firefighting. |
| Delayed Wound Healing [Will affect 1st LoD] | A dysfunctional immune system can result in delayed wound healing and prolonged recovery times, causing a high(er) risk of infections and other health complications, e.g., gangrene. | A dysfunctional PRM regimen would expose projects to escalating impacts of risks whose treatments were not proactively executed. Management of risk, if reactive, diverts attention from delivery to replanning, curative works. |
| Allergies and Asthma [Will affect any LoD] | An immune system that “overreacts” to harmless substances has a high(er) risk of triggering allergic responses (e.g., frequent sneezing) and asthma. | An over-sensitive PRM overreacts to wrong (i.e., irrelevant) and false (i.e., inapplicable) risks, calling ‘knee-jerk’ solutions and, thus, reducing resources available to address/treat actual risks. |
| Autoimmune Diseases [Will affect 2nd, 3rd LoD] | An immune system whose design or programming has mutated (i.e., turned flawed due to failure in its regulation) will lead to attacks on and damage to the body's healthy tissues and organs. | An inconsistent or sporadic PRM (i.e., not properly structured or monitored) has fractional processes often working against itself, dragging projects down even faster than their underlying risks. Such PRM will harm, rather than help. |
| Chronic Fatigue [Will affect 1st LoD] | A “malfunctioning” immune system (not properly supported or balanced) leads to chronic fatigue syndrome, causing reduced productivity levels, impaired daily functioning, higher vulnerability to health issues, etc. | An overcomplicated PRM is likely to burden project delivery, causing most project teams to spend more effort on managing risks (albeit necessary) than on actual deliverables; the proverbial, ‘Nitor in adversum’ [Latin]— Striving for furniture instead of the building … |
| Mood Disorders [Will affect any LoD] | In an immune system, dysregulation can impact neurotransmitter function and spark/exacerbate mood disorders such as depression, anxiety, and even mental problems in some cases. | A constrained PRM, that is limited to the project realm and has no linkages to other organisation’s spheres such as governance and strategy, would lead to organisational trauma and conflicts between project teams and executives. |
| Cancer Susceptibility [Will affect any LoD] | A compromised immune system may lack the checks and balances needed to identify and eliminate abnormal or excessive cells, resulting in a higher susceptibility to developing cancer. | A crippled PRM that fails to identify or treat risks will allow errors, leading to rework or other inadvertences (e.g., scope creep, diseconomy of scale) that engender costs or schedule overruns. |

Table 1 — Immune System Pathologies and Equivalent PRM Manifestations (Non-exhaustive List)  

This table seeks to provide a practical guide for the diagnosis of PRM pathologies in LIPs; should the adopted PRM exhibit any such traits, therapy or surgery will be needed to avoid project failures. (Our remedies will depend on the maladies entailed and shall be discussed on a case-by-case basis.)  

Examples from the LIPs Industry

Of the plentiful instances of Large Infrastructure Projects that suffered from a defective PRM, the author herein discusses a few cases that are already in the public domain—to protect the innocents. These instances refer to South Africa, Zimbabwe, and Lesotho, all from the Southern Africa region.  

In South Africa, a fatal PRM malady has been diagnosed around infrastructure delivery as follows:   

“We identified deficiencies on over 80% of the 137 projects we visited. We have found that, all too often, infrastructure delivery projects are delayed, costing more than planned or the work done is of poor quality. There are also delays in newly built infrastructure being used. Once again, we report on existing infrastructure that is deteriorating because it is not properly maintained and protected.” [2]

This predicament denotes a defective PRM regimen that has not been remedied over many years. Such an acute infection signals a failure at the 3rd LoD too; no wonder, “The premier also indicated that he fully supports our call to action to […] implement suitable risk management […]” (Ibidem). One shall trust that such a “suitable risk management” would incorporate all three Lines of Defence.  

Elsewhere, an evaluation of a state-owned company's capital programme, totalling 300 billion Rand, revealed that complexity posed the most significant risk, followed by internal approval processes, planning, and start delays. While project personnel (1st LoD) could manage day-to-day complexities and start delays, these challenges emerged consistently across diverse projects in various divisions, qualifying them as systemic issues falling under the purview of the corporate 2nd LoD. As internal approvals and planning were also managed at the corporate level, they, too, fell within the 2nd LoD's remit. Given the programme's scale and poor overall performance, these issues warranted escalation to the 3rd LoD. Sadly, while the “corporate office” had a risk management department for “run-the-business” risks, there were no equivalent structures for “change-the-business” risks (viz., projects). Thus, critical capital project concerns requiring attention at the 2nd and/or 3rd LoDs were discarded, leading to severe consequences—the company faced insolvency barely years after this programme.  

In Zimbabwe, the Karanda Bridge was nearly completed when heavy rains struck the province in December 2019, causing its collapse [17]. It was the first instance of such a substantial bridge being washed away; the project team (1st LoD) might not have anticipated this disaster. However, it was the duty of the project board (2nd LoD) to direct and verify that both the “what-to-build” and the “how-to-build” (i.e., construction process) were designed according to the flooding data of the province. Their failure to consider “patterns and trends” of rains in providing oversight to the project resulted in the disaster; still, the ensuing national embarrassment went straight to His Excellency the Minister (viz., 3rd LoD) who had bankrolled the ill-fated bridge with ± $1.5 million.

In Lesotho, from the early days of the Polihali Dam project, local authorities (sponsors, at 2nd LoD) observed that on-site workers (mostly foreign) were indulging in sexual exploitation of villagers, including minors and married women [16]. This concern was escalated to the national government (3rd LoD), prompting policy directives and monitoring measures to curb the abuse. Because site supervisors and sentries (1st LoD) could not thwart it, the concern was escalated straight up to the right level with authority to enact changes in society (e.g., stop unsocial conduct). While one commends the Lesotho government for this prowess, it is hoped lessons learned would be shared and applied to future projects in the region, where the same beast might rear its ugly head.

Conclusion

Executive management in many organisations still questions the significance and utility of Project Risk Management (PRM), often relegating it to an ad-hoc, optional extra, or nice-to-have practice; “It makes no ‘visible’ contribution in the pursuance or fulfilment of the project objectives and goals”. This attitude may explain their lingering reluctance to devote significant resources to PRM efforts. However, both theory and experience increasingly indicate that large and complex infrastructure projects would not do without an effective PRM regimen that “focuses not solely on risk avoidance and mitigation, but also on risk-taking as a means to value creation” [8]—a risk shield.

The author makes a compelling case for the critical departure from the current and widespread sporadic approach to Risk Management to an ongoing approach that positions PRM as an “immune system”. A Project Risk Management regimen that fails to constitute an effective immune system would allow infections and other pathologies (i.e., risk scenarios) to cause maladies in and around projects.  

The mammalian immune system, it is argued, plays a crucial role in maintaining overall health by recognising and eliminating foreign invaders while also distinguishing them from the body's healthy cells. Any Risk Management regimen modelled on such a naturally excellent system would surely prove effective “in protecting a project from potential losses or threats to its continued operation”. Moreover, since an effective immune system consists of three distinct but collaborating stages, the envisaged Project Risk Management ought to similarly encompass three “levels of defence”.  

Transposing the three stages of the immune system to PRM gives rise to three Lines of Defence. The First Line of Defence corresponds to the “Surface Barrier” stage of the immune system and concerns itself with daily risk occurrences that are in the purview of project managers and vendors. The Second Line of Defence corresponds to the “Innate Response” stage of the immune system; accordingly, it concerns itself with “patterns and trends” issues in the remit of governance entities such as directors and sponsors—they provide direction and oversight to risk management efforts. The Third Line of Defence, eventually, corresponds to the “Adaptive Response” of the immune system and responds with policy and strategic adjustments to systemic issues that might affect the organisation's internal and external environments and might even impair its strategic positioning.  

The significance of the “immunity shield” model of PRM lies not only in its ongoing and continual nature but, more importantly, in its systemic and all-inclusive framework. It does not exclude any phases or parts of both the project and the broader organisation from the immunity it provides.

Therefore, this model makes PRM “everybody’s business”—from project teams to the executives.  

An effective PRM manages risk exposures in various parts of the organisation to efficiently pursue its strategic goals, by considering interactions among multiple risks instead of focusing on a single risk item. Thus, the overlap between the “run-the-business” risks and the “change-the-business” risks (viz., project risks) at the second and third lines of defence is a welcome development in PRM. Companies that separate the two risk streams may encounter strategic dissonance in their projects.

To enhance the practical implications of this study, the author has provided a guide (see Table 1) aimed at assisting PRM practitioners and other consultants in diagnosing any potential issues affecting their adopted PRM regimen. The aim is to maintain a PRM regimen that pinpoints any project aspects that could be miscarrying, failing, or causing the whole project delivery to flounder. Further, the study reviews real-world examples of ineffective PRM regimens and their outcomes to confirm the relevance (e.g., benefits, requirements) and applicability of the proposed PRM model. It is therefore hoped that this paper will foster the worldwide adoption of the immunity-based PRM.  


References  

  1. Ang, S. M. 2023. "Risk Management Aims to Protect an Organization." Journal of Business Strategies. (May 4, 2023)  
  2. Auditor General RSA (2023). Consolidated General Report on National and Provincial Audit Outcomes 2022-23. Accessed from PFMA2022-23.aspx (Jan 2024)  
  3. Better Health Channel, 2024. immune-system
  4. Bible. James 2:26. New International Version (NIV). 2011  
  5. Black, W. “Enabling Risk Intelligence in Major Capital Projects”. 2014. Video downloaded from youtu.be/9-F4BBCAo1g?si=z8BcdBtztmiAnW5n (13 Jan 2024)
  6. Chihuri & Pretorius. Managing risk for success in a South African engineering and construction project environment. South African Journal of Industrial Engineering, January 2012.
  7. Crouhy, M., Mark, R. and Galai, D., 2006. The essentials of risk management. New York, NY: McGraw-Hill.  
  8. Deloitte. “Creating a Risk Intelligent infrastructure: Getting Risk Intelligence done”. 2023 09
  9. INTAVER. [www.intaver.com: Risk management workshop: Accessed 07 January 2024].  
  10. ISO 15288 — ISO/IEC/IEEE international standard - systems and software engineering – system life cycle processes (2015) Institute of Electrical & Electronics Engineers (IEEE).  
  11. ISO 31000 — International Organization for Standardization (ISO). (2018). ISO 31000:2018 Risk management – Guidelines (3rd ed.). Geneva, Switzerland: ISO.
  12. Mabelo, P. B. (2023a). Risk Management and Project Life Cycle; featured paper, PM World Journal, Vol. XII, Issue VI, June.  
  13. Mabelo, P. B. (2023b). Risk Management and Project Context; featured paper, PM World Journal, Vol. XII, Issue VIII, October.  
  14. Mabelo, P.B., 2021, Managing Engineering Processes in Large Infrastructure Projects. Cambridge Scholars Publisher.  
  15. Merrow, E. (2011). Industrial Megaprojects: Concepts, Strategies and Practices for Success. 1st Ed. Wiley  
  16. MNN Centre for Investigative Journalism Lesotho, “Lesotho & South Africa owned Polihali Dam contractors pay under age girls, women for sex”. 2023. youtu.be/pVonCOPzJgw
  17. Murwira, S. (2019, Dec 13). At least 3 dead in Zimbabwe bridge collapse. CNN. Retrieved  from https://www.cnn.com/2019/12/13/africa/zimbabwe-bridge-collapse-intl-hnk/index.html  
  18. Nicholson LB. The immune system. Essays Biochem. 2016 Oct 31;60(3):275-301. Accessed from articles-PMC5091071 
  19. PMBoK. 2013. A Guide to the Project Management Body of Knowledge (PMBoK Guide). Project Management Institute, 5th Ed.