Navigating Risk Management on Large Infrastructure Projects

The Organization for Economic Co-operation and Development (OECD) estimates that by 2030 the combined global annual infrastructure investment requirements for telecommunications, road, rail, electricity, and water are likely to total an average of 2.5 percent of world gross domestic product (GDP). Electricity generation and energy-related infrastructure investments in oil, gas, and coal further increase the share of GDP to approximately 3.5 percent.1 However, infrastructure projects have continuing problems with cost overruns, particularly those in the transportation sector, where cost overruns average 44.7 percent for rail projects, 33.8 percent for fixed links, and 20.4 percent for road projects.2

North America fared slightly better than the worldwide average—significantly better in the case of road projects—but nonetheless incurred average cost overruns ranging from 8.4 percent for the road projects analyzed to 40.8 percent for rail projects.2 Owing to survivorship bias, which excludes failed projects from analyses, and the increasing size and complexity of projects with attendant overestimation of revenue and other benefits, these figures are likely to understate the true risk exposure of many large and mega projects. In contrast to the extraordinary technological advances that have taken place over the past 100 years in other areas of project development and construction, cost overruns have become no less common or severe.2 Without significant changes to the planning, design, construction, and funding/financing of projects, there are likely to be significant, sometimes catastrophic, cost overruns on future projects.

While risk management has always been an implicit part of project management, the past few decades have seen a more concerted effort to systematize the process and apply tools and methodologies to public sector projects. The Federal Transit Administration (FTA), Federal Highway Administration (FHWA), Caltrans, and other federal and state agencies have all published guidelines for project risk management.

Dedicated risk management has become more common on large projects and is mandated by most large state and federal agencies. However, it is not immediately obvious that projects are any more successful in meeting cost and schedule objectives.

Common issues that limit or prevent effective risk management could include risk management personnel that are too isolated from the rest of the project team to gather necessary information and are unable to objectively assess or report on project risks, and risk management processes that lack continuity between groups or over the project lifecycle.

The Risk Management Process


Terminology and specific tools vary, especially within the analysis and management stages, but the risk management process on most projects is generally comprised of the following: preparation, identification, assessment, analysis, management, and monitoring. Most importantly, the process is iterative and must be revisited as more information is developed about a particular risk or the wider project or program.


Preparation for risk management requires a comprehensive review and reconciliation of the scope, schedule, and budget, and a careful explication of implicit and explicit assumptions and constraints. Unreasonable cost and schedule targets and poorly understood scope, with concomitant deficiencies in cost estimates and schedules, are the source of much of what is later quantified as risk.

The US Government Accountability Office (GAO) identifies the following characteristics of a ”good” cost estimate in its Cost Guide (2009):

  • Accurate: estimate is unbiased and based on an assessment of most likely costs.
  • Comprehensive: all possible costs are included in sufficient detail to ensure that costs are neither omitted nor double counted.
  • Well-documented: includes source data and significance, clearly detailed calculations and results, and explanations for choosing a particular method or reference.
  • Credible: discusses any limitations of the analysis from uncertainty or biases surrounding data or assumptions. These can also broadly be taken to be the characteristics of a “good” schedule, that is, one that can serve as a solid foundation for cost and schedule risk identification, assessment, and analysis.


The ability of the project to effectively avoid or otherwise mitigate risks generally declines as the ease with which individual risks are identified and described increases. Nonetheless, a project cannot manage (or assess or analyze) what it has not identified.

For a variety of reasons, technical risks or challenges are typically easier to identify and assess and may dominate early risk identification efforts. Compared to soft risks such as stakeholder, third-party, and real-estate acquisition issues though, technical risks have been largely controllable while non-technical risks were often unexpected, less controllable, and had larger impacts on the project definition.3

The identification stage should also flag planned activities or costs with significant uncertainty associated with them. The uncertainty regarding how much a particular item will cost or how long an activity will take often contribute to a project’s actual risk exposure at least as much as what are normally thought of as true risks, such as an unexpected paleontological discovery, unforeseen ground condition, or force majeure events.



The ultimate objective of the assessment stage is to quantify risks and uncertainties. For risks, this means assessing the potential impact in dollars and/or time as well as the probability that the risk will materialize (Box 5). The dollar or time impacts are quantified by specifying the minimum and maximum potential impact to the project if the risk occurs (a uniform distribution). If justified by greater information, a most-likely value between the minimum and maximum may also be specified and a triangular, pert, or other three-point distribution is used to describe the potential impact. A probability of occurrence is also assessed for risks, events, or situations that may or may not happen. This probability may be based on an analysis of relevant data or, more typically, through discussions with subject matter experts.

Uncertainty surrounding particular costs or activity durations is assessed similarly, though since this uncertainty surrounds planned activities or costs, no probability assessment is necessary. In practice, this generally means replacing the point estimates for durations and costs with ranges as described for risks, with a focus on those activities or costs that have a fair amount of uncertainty regarding their estimates and are significant to the program.


The overall risk exposure of the program is determined during the analysis stage. The risk exposure has two equally important components:

  • The potential delay to major project milestone(s) and potential cost overrun; and
  • The likelihood (probability) of these delays or cost overruns.

The results of such an analysis are typically summarized in a graph that maps various cost or schedule outcomes on the horizontal axis to their probability on the vertical axis. Bottom-up and top-down (or reference-class) analysis, the two general methods for doing such an analysis, may be used in tandem to act as checks on one another and address potential weaknesses of each when used in isolation.

A bottom-up quantitative risk analysis typically employs Monte Carlo simulations to evaluate the combined effect of individual risks and uncertainties on the overall program outcome and identify key cost and schedule drivers through sensitivity analysis. The overall risk exposure is built-up from these individual risks and uncertainties to determine potential cost and schedule outcomes and their associated probability.

In contrast, a top-down or reference-class analysis begins with outcomes (a dataset) from other similar projects and uses these to determine the probability and size of potential cost overruns or schedule delays.

However, much of the necessary information required for reference-class analysis is unavailable and, on its own, reference-class analysis does not provide any project-specific information regarding the particular risks or uncertainties driving the project’s overall risk exposure.
The accuracy of reference-class analysis depends on how well the dataset used to parameterize the risk exposure curve represents the project under consideration and the wider population of similar projects. Unlike bottom-up analysis, it does not depend on the quality and comprehensiveness of the project’s internal risk identification and assessment efforts. For this reason, outside reviewers and oversight agencies may consider reference-class analysis more objective and the results more credible. 


The management phase is comprised of primary mitigations, (contract) allocation, contingency analysis, and secondary mitigations. While allocation, contingency analysis, and secondary mitigations may not be formally identified components of a project’s risk management program, they are nonetheless essential risk management functions.

Primary Mitigations

Primary mitigations are specific response strategies and actions for individual risks designed to avoid risks entirely or reduce their likelihood and/or mitigate their impact if they do occur.

Effective primary mitigations are active and the specified actions are responsive, timely, cost effective, feasible, agreed-upon, assigned, and accepted. For any significant remaining risks, for example for a risk for which no feasible or cost effective mitigation can be identified, contingency plans should be put into place for execution if the risk does materialize.


Allocation is arguably the most important step in the management stage and the risk management process as a whole: if risks are not comprehensively and equitably allocated among the parties, the project could either collapse under the weight of unexpected delays and costs or fail to attract other necessary parties to its construction. The objectives of risk allocation vary depending on the specific project goals, but there are four fundamental tenets of sound riskallocation:4

  • Allocate risks to the party best able manage them.
  • Allocate the risk in alignment with project objectives.
  • Share risk when appropriate to accomplish project goals.
  • Ultimately, seek to allocate risks to promote team alignment with customer-oriented performance goals.

Contingency Analysis

Following award of contracts for construction, the most obvious manifestation of effective management of risks is for the project to demonstrate that it has provided adequate cost and schedule contingency and that it is not consuming (drawing down) this contingency more rapidly than is supportable. It will be necessary to revisit any prior analysis results or recommendations with reference to the specific contract terms under which the project will be delivered to quantify the residual risk exposure following allocation and monitor contingency against risks realized and still outstanding.

Secondary Mitigations

Secondary mitigations are pre-planned, potential scope or process changes that may be triggered when cost or schedule contingency falls below predefined minimum levels. The purpose of embedding these considerations within the risk-management process as secondary mitigations is that these changes are pre-planned to restore the project’s financial margin of safety and keep the project advancing without fundamentally and deleteriously altering it. Identifying such secondary mitigations may prove impossible if unrealistic cost or schedule targets have been imposed during the planning phase of the project.


Risk monitoring involves a regular review and reappraisal of the project’s risk exposure against the project’s cost and schedule objectives. Individual risks are reviewed to ensure that they accurately describe a current threat to project objectives, their assessments reflect the best estimate of potential impacts and probability, and that management strategy and mitigations are well-founded and executed. New risks are flagged for description and assessment, and cost and schedule contingency amount and draw down rates are reviewed.


Risk management, as a distinct, systematic process within the larger project management framework, has become more and more common on large projects over the past several decades. The importance of effective project risk management is only likely to increase in the future as projects grow in size and complexity. Thoughtfully planned and diligently executed, risk management serves to quantify cost and schedule risk exposure, identify cost and schedule drivers, and communicate key challenges to project personnel and stakeholders. It is not, however, a panacea for poorly planned or executed projects or dysfunctional organizations. Where it has provided added value to projects, it has done so as part of the larger project management effort, supported by key decision makers inside and out of the project management organization.


    1. Strategic Transport Infrastructure Needs to 2030 (2011). OECD.
    2. How Common and How Large are Cost Overruns in Transport Infrastructure Projects? (2003).Transport Reviews, Vol. 23, No. 1.
    3. TCRP Project G-07: Managing Capital Costs of Major Federally FUnded public Transportation Projects. (2005)

Image Header Source: North Carolina DOT (Creative Commons)