Construction procurement: project initiation and business cases handbook

One of three handbooks that comprise the Client Guide to Construction Projects, The Project Initiation and Business Cases Handbook provides guidance to assist contracting authorities to successfully deliver construction projects and achieve value for money.

This document is part of a collection

Chapter 7: Risk

1. Introduction
2. Overview
3. Guidance
4. Summary


1.1. The Scottish Government Risk Management Guide defines risk as:

"anything that can impede or enhance our ability to meet our current or future objectives ...."

1.2. All projects contain risks that may affect their cost and quality and the time taken to complete them. Risk is present through the whole life of an asset from inception through to deconstruction and must be actively and effectively managed throughout. Analysis allows us to identify risks and opportunities and use both to ensure project success and maximise the potential of the asset.


2.1. Risk stages. Risk management is the process of identification and assessment of risk and opportunity followed by the production, and implementation, of an action plan to manage it. The Scottish Government Risk Management Guide sets out five key steps to effective risk management:

  • Identify risks
  • Assess risks
  • Address risks
  • Review and report risks
  • Communicating and learning.

2.2. Risk Assessment. Risk is assessed on a combination of consequences (impact) and probability (likelihood). The following tables provide an indication of the criteria and scores which can be applied against both.

Impact Criteria
50 Very High Destructive and unacceptable impact on objectives that would result in a major change to overall approach. Potentially large resource consequences that outweigh current operational circumstances.
25 High Significant and unacceptable impact on objectives that would require a material change to critical approach/procedure/ process. Resource implications would be challenging to absorb within current operational circumstances.
10 Medium Moderate impact on objectives that may require multiple changes in approach/procedure/process. Acceptable level of resource consequences.
5 Low Minor impact on objectives, requires little overall change in approach. Few resource consequences.
1 Negligible No real impact on achieving objectives.
Likelihood Criteria
5 Very High >75% chance of occurring – almost certain to occur
4 High 51 – 75% chance of occurring – more likely to occur than not
3 Medium 26 – 50% chance of occurring – fairly likely to occur
2 Low 6 – 25% chance of occurring – unlikely to occur
1 Rare 1 – 5% chance of occurring – extremely unlikely to occur

2.3. To calculate the overall risk, multiply the impact by the likelihood.

Impact Risk Profile
Very High 50 100 150 200 25
High 25 50 75 100 125
Medium 10 20 30 40 50
Low 5 10 15 20 25
Negligible 1 2 3 4 5
Likelihood Rare Low Medium High Very High

2.4. Risk levels are described in the following table.

Risk Level Score Risk Level Description
Very High 100 - 250 Rating: Unacceptable level of risk exposure that requires immediate mitigating action.
Reporting: A decision should be taken whether to report the risk to Accountable Officer/Audit Committee level or Programme Board or for possible reporting to the Executive Team and Corporate Board.
High 40 - 75 Rating: Unacceptable level of risk which requires controls to be put in place to reduce exposure.
: A decision should be taken as to whether risks recorded as high should be escalated. Scores between 40 and 50 would not usually be escalated where scores of 75 should be given careful consideration.
Medium 10 - 30 Rating: Acceptable level of risk exposure subject to regular active monitoring.
Reporting: At next line of management level.
Low 1 - 5 Rating: Acceptable level of risk subject to regular passive monitoring.
Reporting: At next line of management. Consideration should be given as to whether risks recorded as low are still extant.

2.5. Risk appetite. It is important to understand the risk appetite, that is the levels of risk the organisation is prepared to accept or not accept in delivering its objectives. As stated in the Scottish Public Finance Manual, the concept may be looked at in different ways depending on whether the risk being considered is a threat or an opportunity:

  • When considering threats, the concept of risk appetite embraces the level of exposure which is considered tolerable and justifiable should it be realised. In this sense it is about comparing the cost (financial or otherwise) of constraining the risk with the cost of the exposure should the exposure become a reality and finding an acceptable balance;
  • When considering opportunities, the concept embraces consideration of how much one is prepared to actively put at risk in order to obtain the benefits of the opportunity. In this sense it is about comparing the value (financial or otherwise) of potential benefits with the losses which might be incurred (some losses may be incurred with or without realising the benefits).

Quick Guide 4 of the Scottish Government Risk Management Guide provides further guidance on assessing risk appetite.

2.6. Lifecycle stages. The phases of a built asset, which are set out in Chapter 1, are: Planning - Development - Implementation - Operation - Decommissioning. Operation and Decommissioning, although not normally part of the project period, should still be included for the purposes of the project risk assessment and management. All risks must be identified and managed at the earliest possible point and this will usually mean doing so at the very start of the project period including for the operations and decommissioning phases. Each phase should be assessed and managed for risk individually and as part of the overall lifecycle; this will be an ongoing process throughout the project life and beyond.

2.7. Risk factors. PESTLES (Political, Economic, Social, technological, Legal, Environmental and Security) provides a useful breakdown of risk areas for assessment.

2.8. Stakeholders. All stakeholders are different and risks will have different impacts on each. For example, a specific factor is likely to impact differently on a political stakeholder than it would on a contractor even though the phase and the circumstances which cause the risk are the same. Similarly, consideration of the political heading for a political stakeholder, for example, will be likely to result in different risks being identified during each of the lifecycle phases.

2.9. Whilst risk can be managed, minimised, shared or accepted, it cannot and must not be ignored. It is unrealistic to expect that systematic risk management will remove all uncertainties, but pro-active risk management which is fully integrated into the day-to day management of the project and the asset can reduce the impact of uncertainties and improve the likelihood of a successful project outcome and asset life cycle management. It must though, be actively managed and reviewed regularly to ensure that the plan remains valid.


3.1. As noted above, the Scottish Government Risk Management Guide provides guidance on managing risk generically across any situation, whether in the project setting or in core operations. This guidance is, however, only accessible through Scottish Government intranet pages. For contracting authorities that would benefit from an introduction to the range of considerations which apply in risk management, the HM Treasury Orange Book Management of Risk - Principles and Concepts may be a useful source of guidance.


4.1. Effective and proactive risk management is essential to the successful delivery of projects, it informs the conduct of all outputs, outcomes and phases of the planning, delivery and operation and must be afforded appropriate resource and priority.



Back to top