How Do You Put a Value on Risk Management?


Everyone agrees managing risk is a good thing, but it has traditionally been very hard to justify proactive expenditure on risk management activities. It is difficult to convince an organisation to expend valuable resources on mitigating the impact of perceived future events that may or may not occur. Additionally, after taking proactive action, how does the risk practitioner quantify the benefits realised?

However, there are ways to convince your senior managers that you can measure the value of risk management. And more importantly, you can show that if you don’t take proactive risk treatment action, the organisation is probably going to be in for some rather unpleasant surprises.

This whitepaper provides an insight into how to measure the value of risk management using Return On Investment (ROI), in the following sections:

Understanding success: provides a view of the forces pulling you towards failure and the risk management steps to help address this.

Performance-based contracting: gives a worked example of a contract based on milestone performance payments, with a calculation of projected Return on Investment (ROI).

The effect of late delivery on ROI: extends the worked example to incorporate the uncertainty of being able to deliver on time, marching army costs and liquidated damages.

The effect of risk events on ROI: continues to develop the worked example to incorporate risk impacts and the effect of risk sharing between customer and contractor.

The value of risk management – a series of what-ifs: shows how you can measure the value of risk management by comparing Return on Investment under different ‘what-if’ scenarios, systematically testing the value of strategies to manage risk.

Risk analysis modeling is used to illustrate key points throughout this whitepaper.

Understanding success

In any contracting situation, the challenge is to deliver performance, within the constraints of time and budget. In a perfect world, everything would go to plan and it would be straightforward to deliver against our targets, including the Return On Investment (ROI) promised in the business case, bid etc. Unfortunately, life isn’t like that and we are faced with difficult challenges when trying to meet expectations.

The problem is that uncertainty and risk events affect our chance of success, impacting on all three constraints – time, cost and performance. Often the three criteria are dependent on each other; for example, you may need to pay more or take longer to deliver the promised performance. Each pulls against the other two, as can be seen in figure 1.

Risk management helps you handle uncertainty and risk events, using a simple process:
(a) Have a clear understanding of what you’re trying to achieve
(b) Look ahead to understand what might impact on achieving your goals
(c) Take positive action to address significant uncertainties, threats and opportunities
(d) Have response plans to address threats and exploit opportunities if they materialise
(e) Hold regular reviews to ensure everything is on track.

However, while we may believe in risk management, others may not. We need to measure the value of risk management, to provide a convincing argument. In the following sections we will develop a method to calculate the impact on ROI of doing (or not doing) risk management.

Performance-based contracting

Current commercial contracts vary between a mixture of traditional milestone payments and those termed performance-based. The former requires that the contractor deliver a ‘product’ (equipment, services, data etc) against a previously agreed timeframe to receive a predetermined payment. The latter is a similar approach, but you receive payments weighted against your timeliness and quality of the ‘product’.

The performance-based approach generally only guarantees the contractor a fee to cover costs, and holds the profit element against a predetermined set of achievement criteria. Performance at, or above, expectation and the customer pays well. Fail to achieve product quality/performance or timeliness criteria and your profit evaporates! So, if you are working a performance-based contract, how do you determine expected payment profiles, and manage the flow of cash? The answer is to model your contract within Predict! Risk Analyser and determine your level of confidence of achieving the desired outcome.

Calculating return on investment (ROI)

Take an example where the contract guaranteed value is £3.96m, with a maximum of £5.14m, based on delivering on time and achieving the maximum performance payment of 30% of guaranteed contract price. Alternative performance payments of 10% and 20% of the base price are available, again subject to delivering on time, but based on achieving a lesser set of requirements. This means that you could expect to achieve an ROI of between 10% and 30% as shown in figure 2.

Figure 2. Expected return on investment (ROI) of 20% for a performance based contract

On the face of it, the contract looks good, as we feel reasonably confident that we can achieve the minimum performance level. Therefore a sure 10% ROI should be achievable.

The effect of late delivery on ROI

There is a good chance we will be unable to meet all our milestone delivery dates. In the model below, we have used three-point estimates to represent how many days early or late we might be for each milestone. We have set our likely finish as being on time, i.e. 0 days late.

Figure 3. Expected ROI is reduced to 5% when we incorporate an uncertain finish time

By applying this time uncertainty using a triangular distribution, our expected ROI has shifted from 20% to 5%, so delivering late reduces our expected ROI by 15% (equivalent to over £575k on this contract). Our surefire 10% return is now only our best case scenario. This gives us a starting point to work out what it would be worth spending on risk management activities to eliminate potential overruns – you should be able to achieve a considerable amount with over half a million pounds.

N.B. This model shows each milestone being most likely to finish on time. In practice, we would use 3 point estimates from a schedule risk analysis, in which delays typically accumulate as the project progresses. Therefore the reduction in ROI above is likely to be significantly greater than shown in this example.

Adding “Marching Army” costs

Whenever we fail to meet one of our milestones, not only do we lose our performance payment for that milestone, but we also have to cover extra costs for each day we overrun (to pay for our overheads or ‘marching army’). Since the base cost is fixed, this ‘marching army’ cost will fall entirely to the contractor.

Let’s say our overheads on this contract are £5,000 per day overrun. When we run this through the model, it shows even more bad news:

Incorporating Marching Army costs reduces ROI by a further 6%, to -1%. Instead of making a profit, the contract now stands at a £40k loss – a shift of £820k on our original expected position. This is the cost of not doing risk management.

An alternative approach – applying penalties (and bonuses)

If you are a wise customer, you may start to get concerned about whether your contractor will consider it more attractive to compromise performance in order to deliver on time. That way, they can still earn 10% ROI. So you consider refining the contractual terms to apply penalties for the number of days late (and bonuses if early), leaving performance payments to be earned separately.

Figure 5. Expected ROI is 3% when late penalties are applied to time separately from performance

In this case, the contractor has an incentive to deliver performance, but also needs to focus on timely delivery; the Expected ROI is now 3%, which is £650k worse than the original estimate of 20% ROI. All that is now required is to produce a cost-effective risk management plan to save this significant sum of money.

The effect of risk events on ROI

Understanding the impact of risks

While preparing the bid, we brainstormed the risks and included budget for associated mitigation actions in the base contract; the risks and actions were approved and are now being managed in Predict! Risk Controller. However, there remains an amount of residual risk that still needs to be accounted for, as any risks that do occur will require budget to recover the position and avoid time penalties or adverse impact on performance.

Therefore, we run a risk impact model to assess the expected value of residual risk, as shown in Figure 6.

Each risk represents a potential future event, with a probability of happening and a three-point estimate of the cost required to recover from the risk if it happens.

To understand the overall risk impact of the ‘bag’ of risks, we draw a graph; the spread of the risk shows that this could cost us anywhere between zero and £1m depending on how many risks occur, shown in figure 7.

Figure 7. The spread of risk on this contract, which could cost us up to £1m

Adding this residual risk into our contracting model, expected ROI has now moved to -3%. We are once again in a loss making situation (to the tune of -£137k), a shift of over £900k from our original expected position.

Figure 8. Residual risk impact puts you back into a loss, with -3% ROI

Obviously, as a contractor, you are not happy with this situation, so during negotiations, you ask the customer to share the cost of risk. The customer agrees to pay up to £250k of residual risk costs.

Figure 9. After the customer takes a share of the risk, ROI is back to 1%

Our final expected ROI is 1%, with pessimistic and optimistic values of -8% and 7%. Measuring this against the original expected ROI of 20%, we stand to gain over £750k by managing performance, time and cost risk and uncertainty, to move from our 1% ROI back to the 20% we originally thought we were going to get. We now need to get working on our risk management strategy to achieve this.

The value of risk management – a series of ‘what-ifs’

We have looked at the cost of not managing risk and uncertainty by building up a model of the reduction in ROI based on various adverse scenarios. The next step is to start evaluating the cost benefit of putting in place risk activities to address time delays and risk to performance delivery. We have generated results for some ‘what-if’ risk management scenarios above, to calculate the expected value of risk management:

The expected benefit gives you an indication of the maximum amount of money that could be gained by implementing each management strategy. Therefore, provided expenditure on risk management to achieve these strategies is within this amount, you will receive a net benefit. In this case it can be seen that reducing the time overruns will have the biggest effect on improving ROI, with a potential gain of £643k.
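
The build-up described in the preceding sections (late delivery, marching army costs, residual risk, risk sharing) and the what-if comparison can be sketched as a small Monte Carlo model. This is an added example, not the whitepaper's Predict! model: the contract value, the £5,000 daily overhead and the £250k risk share come from the text, while the four equal milestones, their three-point estimates, the risk list and the use of the guaranteed value as the cost base are constructed assumptions, so its outputs are not the figures quoted in this paper.

```python
import random
from statistics import mean

BASE_COST = 3_960_000        # guaranteed contract value (page); assumed to equal cost
OVERHEAD_PER_DAY = 5_000     # 'marching army' cost per day of overrun (page)
CUSTOMER_RISK_CAP = 250_000  # residual risk cost the customer agrees to pay (page)
# Constructed inputs (assumptions, not taken from the whitepaper's model):
MILESTONES = [(-10, 0, 30)] * 4             # (earliest, likely, latest) days late
RISKS = [(0.5, 50_000, 100_000, 200_000),   # (probability, min, likely, max cost)
         (0.3, 100_000, 150_000, 300_000),
         (0.2, 100_000, 200_000, 400_000),
         (0.4, 20_000, 50_000, 100_000)]

def simulate_roi(perf_rate=0.20, late=False, marching=False, risks=False,
                 share=False, runs=20_000, seed=1):
    """Return (mean, 10th percentile, 90th percentile) of ROI over `runs` trials."""
    rng = random.Random(seed)
    per_milestone = BASE_COST * perf_rate / len(MILESTONES)
    rois = []
    for _ in range(runs):
        profit = 0.0
        for low, likely, high in MILESTONES:
            days = rng.triangular(low, high, likely) if late else 0.0
            if days <= 0:
                profit += per_milestone            # payment earned only if on time
            elif marching:
                profit -= days * OVERHEAD_PER_DAY  # contractor funds the overrun
        if risks:
            cost = sum(rng.triangular(low, high, likely)
                       for p, low, likely, high in RISKS if rng.random() < p)
            if share:
                cost = max(cost - CUSTOMER_RISK_CAP, 0.0)  # customer pays up to £250k
            profit -= cost
        rois.append(profit / BASE_COST)
    rois.sort()
    return mean(rois), rois[runs // 10], rois[runs * 9 // 10]

def what_if_benefit(**changes):
    """Expected gain in pounds over the full model if the given switches change."""
    full = dict(late=True, marching=True, risks=True, share=True)
    improved = simulate_roi(**{**full, **changes})[0]
    return (improved - simulate_roi(**full)[0]) * BASE_COST

if __name__ == "__main__":
    for label, kw in [("plan", {}), ("late", dict(late=True)),
                      ("+marching army", dict(late=True, marching=True)),
                      ("+residual risk", dict(late=True, marching=True, risks=True)),
                      ("+risk share", dict(late=True, marching=True, risks=True, share=True))]:
        print(f"{label:16s} ROI mean/P10/P90: " + " ".join(f"{v:+.1%}" for v in simulate_roi(**kw)))
    print(f"no overruns: £{what_if_benefit(late=False):,.0f}")
```

Calling `what_if_benefit(late=False)` or `what_if_benefit(risks=False)` gives the ceiling on what it is worth spending on each strategy under these assumed inputs.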

As a quick way to understand which variables are driving ROI, we calculate the sensitivity of ROI to each item (see figure 10).

We can then draw a tornado diagram of the results.

Figure 11. Tornado chart showing which variables will provide value when risk managed


In this paper, we have used a worked risk analysis example to show the negative impact on expected Return On Investment of various uncertainties and risk events. Obviously, the amounts will vary from contract to contract, but the principle remains the same. It is not whether risk management is value for money, but whether you can afford not to do risk management and pay the consequences.