Selecting a Response Plan Under Budget Constraints

1. Introduction

Usually project risk management plans deal with identifying, assessing and planning adequate responses to risks. The main problem is that there are many types of response plans, and we must be able to select the optimal one. The usual approach is to first handle the most “dangerous” risk (the risk with the maximum expected damage). However, handling this risk may also be very expensive and beyond the limitations of the allocated risk budget. The dilemma is how to select the right risks to be handled within a limited budget.

2. Risk management methodology

Risk management methodology was first described in detail by Wideman in [1]. The methodology was then improved by the PMI [2], adding details based on users’ experience.

Project Risk management involves the following steps:

1. Planning Risk Assessment, which includes selecting an assessment team, setting up rules, and determining the supporting risk management tools. The risk assessment team should include representatives from all areas related to the project.

2. Risk Identification is a process of defining future events that should be considered as risk events. The list is usually generated by a brain-storming session conducted by the projects’ experts. The list is then reduced to the most important risks. This step is sometimes subjective, but this issue is not relevant to this paper.

3. Risk Assessment is the quantification of identified risks, conducted in order to define priorities among the possible risk events. It usually includes the probability of the event and the severity of the damage. Later, the ranking of risks is based on these two parameters. One possible method is the Borda [3] methodology for ranking alternatives.

4. A Risk Response plan includes answers to the threats that are identified in the risk assessment phase. There are a number of ways to address these threats.

1. Avoidance - generate a course of action that eliminates the risk.

2. Transfer – transfer responsibility for the particular risk to a third party, either by utilizing insurance or, in the international arena, by forming treaties and international agreements.

3. Acceptance - a rational decision to accept a known risk without taking any action to prevent its outcome or deal with its consequences. The risk is usually dealt with when it is recognized as a risk. An acceptance of risk is recommended in situations where the consequences of the risk are less costly or less traumatic than the effort required preventing the risk.

4. Mitigation - refers to action taken to reduce either the probability of occurrence of an unfavorable event or the impact of this event. Mitigation is usually executed in the form of a plan designed to handle high-threat possible events.

5. Contingency Planning – refers to specific actions to be taken when a potential risk event occurs. In general, contingency plans should be developed in advance in preparation for the moment when risk events are realized.

Out of the five responses, only three (avoidance, transfer and mitigation) involve a real investment and require budget allocation.

1. A Control Plan is a series of course adjustments within the project’s main objectives. These adjustments include scheduling and tracing the advance of risk situations. The control plan defines indicators that provide warnings regarding the realization of specific risks.

Continuously assessing program risks is the implementation of the control plan by checking any changes in the assessment of risks, and conducting a continuous search for warning signs that indicate any realization of known risks.

This part of the project plan includes the updating of the risk management plan.

The current study concentrates on allocating a budget to the response plan in an optimal manner.

This paper includes a literature review, problem definition, algorithms’ definition, an example that is solved by all algorithms, and a comparison among the algorithms by simulation results. The research is quantitative and presents simulation results. Since the difference among the algorithms for different budgets are so big, statistical analysis is unnecessary.

The simulation and algorithms were verified by solving known problems and their solutions.

3. Literature review

Project risk management literature commonly describes the need to rank and prioritize project risks in order to focus the risk management effort on the higher risks. Baccarinia et al. in [4] describe the use of a methodology for the risk ranking of projects by some subjective judgment; this method has been implemented in construction projects and multi-project environments. Engert from MITRE [3] wrote a user’s manual for an Excel application for risk management. The application includes a ranking method of risks based on Borda’s method. The Borda method is more quantitative than the subjective judgment method, but still includes some fuzzy ranking when it combines the rank of risk probability with the rank of impact. Ochsner [5] emphasizes the limited attention to risk-based priorities and the growing consensus among industries that risk considerations need to be better integrated into decisions. He agrees that although money is not always the best way to measure risks, no better alternative has thus far been suggested. His ranking method is based on discussions with consultants and experts, assigning scores from 1 to 10 for each category. Li et al. [6] present a ranking method for multiple hazard risks; the method is based on screening all the risks with experts and weighting the risks according to frequency, severity, availability of warning, awareness, etc.

In [7] the author presents the difficulties involved in ranking risks. He utilizes the following framework: Risk = Threat×Vulnerability×Consequence, which is usually used in military operations research. The Threat×Vulnerability framework actually reflects the probability to damage a target, when the consequence is the damage impact. Our study is important in that for some qualitative measures, it presents counter examples that highlight the limitation of this measurement type. Klein [8] developed a conceptual model for analyzing alternative risk mitigation responses, while accounting for the possibility of trade-off risk among the three main success criteria: cost, duration and scope (or quality). He showed that, given the numerical estimates of risks probabilities and impacts, of all the relevant responses, mathematical techniques - such as dynamic programming or integer programming - could be applied to find the best combination of responses that minimizes project uncertainty. This approach analyzes trade-off among success criteria.

Ben-David et al. [9] analyzes a problem that is similar to the current one, but takes a different approach. Assuming that several risk mitigation responses can be implemented with different costs and different expected results, a selection of the best combination of responses is needed. All of the responses are broken down to their work elements, so that each risk can belong to several of them. The Total Risk Cost (TRC) is minimized by two heuristic algorithms; the greedy and the naïve, after which a comparison is presented. The current manuscript does not take into account the budget limitation, and assumes that as long as risk can be mitigated and it is worthwhile from the budget point of view – it will be done.

There are many studies that use subjective judgment to rank risks in different areas, industries, projects and programs. However, none of these ranking methods take into account the response capability to risks. There might be a huge difference between two risks that have the same probability to occur and the actual impact,when one of the risks occurs. However, for the first risk there is a mitigation plan that reduces its effect substantially and costs $1,000, while for the second risk, any type of mitigation plan costs more than $100,000. The study of Gonen et al. [10] proposes an additional criterion for the assessment of risks – that of controllability. The introduction of this criterion adds a third dimension to the risk evaluation process, in addition to its probability and impact. The controllability of a given risk reflects the ability to control it, mitigate it, or even prevent it. Assessing controllability may reduce the efforts and spending of managerial time and expenses on non-controllable risks and, in the end, direct the attention of management solely to controllable risks.

Controllability adds a new criterion that takes into account the response capability, but still does not propose a method to quantitatively rank the risks. In the current paper, we overcome the problem of ranking risks by utilizing a method of selecting the optimal mitigation plan for a given budget, and therefore, the risks to be mitigated or transferred.

Kutsch et al. [11] have investigated the type of risks that can be deliberately ignored. In the current study, we deal with risks that are not supposed to be ignored.

4. Defining the problem

The problem we will address in this study is the allocation of a risk management budget among the possible responses. The solution to this problem is not only ranking the risks to be dealt with, but also recommending the best risk response investment.

As was mentioned in Section 2, Part 4, responses to identified risks can be divided into two groups: Responses that include a real money investment - like transfer, avoidance and mitigation - and the other responses, which do not require any investment - like accepting the risk or preparing a contingency plan. Our study concentrates on the responses that require an investment and examines how to select the right set of responses when we are limited by a well-defined budget. In order to clarify these issues, let us look at the following theoretical example:

Assume there are two risks in a project - R₁ and R₂. R₁ will occur with probability P₁ and the damage in this case will be D₁. R₂ will occur with probability P₂ and the damage in this case will be D₂. In order to overcome these risks, we can either transfer the risk R₁ (by purchasing insurance), which will cost C₁₁ and the policyholder's participation D₁₁ or respond to risk R₁ with a mitigation plan that will cost C₁₂. After its application, the remaining probability to occur is P₁₂ with damage when it occurs of D₁₂. For risk R₂, we have one mitigation plan that costs C₂₁; after its application, the remaining probability to occur is P₂₁ with damage when it occurs of D₂₁. We have a risk mitigation budget of B that we can invest to handle these risks and we would like to know what our best policy is (B is usually determined by the project’s customer).

In this study, we assume a linear utility function. This means that we will choose the policy that will reduce our expected cost to a minimum. The following table presents a numeric example of the dilemma described above:

Let B=50. In this case, we can either choose the second or the third row. If we choose the second row, we reduce the expected damage of Risk 1 to 100 and stay with Risk 2 at an expected damage of 210. All together, the expected damage of both risks is 310. The same is true if we choose to handle Risk 2 and reduce the expected damage to 110. Since the expected damage of Risk 1 is 200, the total is 310. Let B=80. In this case, we can choose the first row or the previous option of B=50. Choosing Row 1 derives the total expected damage to 90+210=300 (the 210 is from R₂). If we choose the second row (mitigating R₁), our total expected damage will be 310, and the third row (mitigating R₂) will be the same - 310. However, in both mitigation plans we only invest 50, while in the transfer policy we invest a minimum of 80. People who are risk-averse will prefer this option, while others who are attracted to risk might prefer the second or third row. If B=100, then an additional option is open which allows us to choose Rows 2 and 3 and reduce the expected damage to 210. If B=130 and up, we can choose Rows 1 and 3 and reduce the expected damage to 200.

If we try to minimize the expected damage when B=80, then transferring R₁ would be optimal, although usually risk management methods will rank R₂ higher and recommend treating it first.

In order to define the optimal response problem, we will use the following terminology and symbolization:

There are nrisks R₁,…,R_n. For each risk R_i, the probability of its occurrence is P_i and the damage when it occurs is D_i. Therefore, for each risk R_i, the expected damage is Q_i = P_iD_i.Index i will be used for risks.

For each risk R_i, there are kresponses (some can be empty; others can be transfer or mitigation) out of which we can choose, at most, one. This can be done by combining mitigation plans together. Index j will be used for a response plan.

The response jto risk R_i costs C_ij; after its implementation, the probability of its occurrence is P_ij and the corresponding damage is D_ij. The expected damage after its implementation is

Q_ij= P_ij D_ij.

A response plan is defined as “worthwhile” only if

(Only if the investment + the expected damage after the implementation are lower than the original expected damage). A response plan that is not worthwhile will not be included in the list of possible responses. Actually, the savings in selecting response jto risk R_iis:

Let us now define the decision variables X_ij as 1, if response j is selected for risk R_i, and 0, otherwise.

Only one response can be selected (if the user wants to enable selecting two responses to risk R_i, he can combine both responses into one plan with the accumulated cost). From the definition of X_ij, the expected value of all the risks will be:

After opening the equation, it is clear that the expected value of all the risks (that we would like to minimize) is:

Since ∐i=1nQidoes not depend on the selection of risks to be handled, the problem can be defined as an integer programming problem, as follows:

s.t.

(budget constraint)

5. Solving the problem

The problem can be solved by Integer Linear Programming (ILP), as was mentioned in [9, 12]. In this paper, we compare 3 heuristic algorithms that solve this ILP. The algorithms are as follows:

1. The Most Dangerous Risk(MDR) method (PMI, 2008) is used to show the “naïve” solution. In the current case, the first risk to be handled is the one with maximum Q_i. For the selected risk, the most effective response is selected and the accumulated budget is increased by Cij.

For each selected risk, the response with the maximum savings (Qi-(Cij+Qij)) will always be selected. The algorithm that is used is as follows:

1. Sort the risks according to Qi from higher to lower.

2. For each risk, select the response j with the higher (Qi-(Cij+Qij)).

3. Calculate the accumulated cost of applying the responses according to the sorted list.

4. Calculate the accumulated savings.

5. If the accumulated cost of risk responses is less than the budget, go back to Step 1.

2. The Most Profitable Response(MPR) method is defined as follows:

1. Sort the responses according to (Qi-(Cij+Qij)) from higher to lower.

2. Choose the upper risk in the sorted list that was not selected yet.

3. Calculate the accumulated cost of applying the responses according to the sorted list.

4. Calculate the accumulated savings.

5. If the accumulated cost of risk responses is less than the budget, go back to Step 1.

In this algorithm, the response savings plays a major role and the decision is made according to the possible savings.

3. The Best Saving Ratio(BSR) method is defined as follows:

Definition: The ratio between the savings in expected damage and the cost of the response will be called the savings ratio. Mathematically, it is defined as (Qi-Cij+Qij)/Cij. The economic meaning of this ratio is the amount of savings in expected damage per each unit of investment in the response.

The algorithm will be as follows:

1. Sort the responses according to the savings ratio (Qi-(Cij+Qij))/Cij from higher to lower.

2. Choose the upper risk in the sorted list that was not selected yet.

3. Calculate the accumulated cost of applying the responses according to the sorted list.

4. Calculate the accumulated savings.

5. If the accumulated cost of risk responses is less than the budget, go back to Step 1.

In order to clarify the three algorithms, let us demonstrate them by an example:

In the following table (Table 2) there are 6 risks; for each risk there are three possible response plans. The table includes the Pi, Di, Qi, Cij, Pij, Dij, Qij, and both the savings in expected damage + cost and the savings ratio.

The numeric example is generated by a simulation that will be described later. Table 2 includes all the information needed for applying the algorithms MDR, MPR and BSR.

Tables 3, 4, 5 present the MDR, MPR and BSR solutions accordingly.

In Table 3, the ranked risk =1 means the first risk to respond. The first risk that is handled is Risk number 2, since its Qi is 145 (from Table 2). The response is selected as the highest savings solution. Total handling of the 6 risks requires a budget of 90.1 and saves 236.7 in expected damages, plus the cost of applying the responses.

Table 4 shows that the selection order is different from MDR. However, the accumulated savings converges to the same amount, since at the end both algorithms use the same response plans. The difference is in the selection order.

Table 5 shows that the BSR uses different response options and therefore converges to different accumulated savings. In this example, the BSR is the worst option out of the 3 algorithms, although this result does not represent the most common situation, as will be seen later.

6. Comparison of the three algorithms

In order to compare the three algorithms, a scenario simulation was generated with 15 risks and 3 responses per risk. The simulation draws the probabilities and damages according to the following rules:

1. Draw P_i distributed U(0.01.0.9) (uniform between 0.01 and 0.9)

2. Draw D_i distributed U(10,200)

3. Draw P_ij distributed U(0,P_i)

4. Draw D_ij distributed U(0,Di)

5. Draw C_ij distributed U(0.1, Q_i-Q_ij) where Q_i = P_i D_i and Q_ij=P_ij Dij

For all i=1,….15, j=1,…,3

The following chart (Figure 1) shows an example of the behavior of the three algorithms, while the budget increases, step by step.

Figure 1 is an example of a typical situation in which, for a limited budget the BSR is the best algorithm, while for an unlimited budget, the other algorithms can produce better results. This phenomenon holds in most of the simulation examples, but there are cases where the BSR is better for all budgets and cases.

In order to compare the three algorithms, 100 simulations were generated. For each simulation, the maximum needed budget was calculated. (Since the Cij are drawn, the required budget is stochastic and different in each simulation). For each simulation, the savings was calculated for an investment of 20%, 40%, 60%, 80% and 100% of the budget.

For each percentage investment, the savings was calculated for each algorithm. Later, the best algorithm was defined as the successor, for each specific budget, and the frequency of its success was calculated. The following table (Table 6) summarizes the number of successes of each algorithm

Table 6 shows that for a low budget (20 to 60 percent) the BSR is the best algorithm, while for an unlimited budget the MPR behaves better. In many cases, the MPR and MDR behave the same and reach the same savings.

The main conclusion from Table 6 is that there is no optimal heuristic algorithm. Moreover, if only part of the risks budget can be handled, it is recommended to use the BSR algorithm.

7. Discussion

1. Findings

The paper presented three heuristic algorithms for risk response selection. In many cases, the ranking of risks is not enough for project managers and they need to know how to invest their risk management budget among the possible responses. We observe that for a limited budget the BSR algorithm is better than the MDR or MPR method, while for a budget that can cover all the risks, the MDR or MPR are better. Currently, in most projects, the customer asks to see the risk management plan. The above method adds the selection method of risks to be mitigated. It should be an essential part of the risk management plan.

A stronger result is that risk ranking is no longer needed. This saves the effort of ranking risks, which is usually subjective.

1. Limitations

One limitation of the current paper is that estimating the probabilities and damages for each risk and response is usually considered to be a very difficult task. However, it is required by most of the risk management standards. Tools, like mathematical models and simulations, are available for this task and there are already many projects that include these estimations.

Another limitation is that we assume that responses with a negative expected savings cannot be selected. However, in reality, there are responses, like insurance, that are based on negative expected savings (otherwise, insurance company would not sell insurance policies).

A third limitation is the dependencies among risks. It might be that a delay in one task is not critical, while a delay in a second task, together with delay in the first task, might prove to be a severe problem.

8. Conclusion

In this article, we describe a method for how to allocate a risk management budget among the possible mitigation or transfer plans. In most of today’s literature, the risk management plan usually ranks the risks and recommends handling those with high rankings. Almost no consideration is given to either response plans or response feasibility. This study proposes three heuristic algorithm approaches to budget allocation, and demonstrates the method, including a sensitivity analysis of the budget constraint. The results are encouraging and help define rules about risk management budgeting.

The model is based on the expected damage, and assumes we will always prefer to reduce expected damages plus their cost. It does not discuss the question of risk taking.

A simulated scenario with 15 risks and 45 response plans was demonstrated. The most important lesson learned from the example tested in the study is that the solution is mainly influenced by the response plan, and not only by the expected damage of the risk, as all of the ranking methods recommend. Moreover, for a limited budget, the BSR is usually the best algorithm, while for an unlimited budget the MDR or MPR algorithms are more preferable..