An integral part of every construction project is a risk management plan. In our industry especially managing risks is not only vital for business and financial purposes but for health and safety reasons.

Health and safety

Lost days from illness and non-fatal injury

According to the Health and Safety Executive, each year around 3% of workers suffer from what they believe to be a work-related illness and another 3% sustain a work-related injury. Primary types reported include:

Primary tupes of work-related illness and injury 

This has led to 1.7 million working days lost, and that can translate to schedule and budget overruns, as well as other complications.

Fatal injuries

HSE has also published a document regarding fatal injuries in the workplace for the year 2015/2016: Statistics on fatal injuries in the workplace in Great Britain 2016. In summary, it says that the provisional figure for fatal injuries for this time frame is 144, which represents 0.46 deaths per 100,000 workers. Amongst that number are 67 members of the public who died as the result of worksite accidents. This excludes railway incidents and any that come under the remit of the Care Quality Commission.

For the construction industry specifically, HSE reports that in the report year ending April 2016 there were 43 fatal worker injuries, which is up from 35 for the previous reporting year and is the same number as the five year average. This represents 1.94 deaths per 100,000 workers, which is lower than the five year average of 2.04. There were also two members of the public killed as the result of construction site related injuries, bringing the total fatal injuries related to construction to 45 for the reporting year. Construction remains the UK’s most dangerous industry in regards to fatalities.

A report issued by The Centre for Construction Research and Training in 2010 cited the leading cause of construction-related fatalities as falls (33.3%). Figures from 2010–2015 confirm this trend. In those years, there were 217 fatal injuries reported in the UK. Of those, the biggest contributor by far was fall from height, with 97 cases reported. Fall from height remains the number one cause of death in the industry - not only in the UK but in the USA, Australia and elsewhere.

Pie chart showing causes of construction-related fatalities.

Penalties and fines – work related incidents

The penalties surrounding work-related incidents are getting bigger. While HSE maintains that the current general level of penalties and fines issued is still far too low, the courts are getting tougher on those found guilty of health and safety negligence. Since January 2016, five people have been sent to prison for health and safety offences, and the Government has made a commitment to increase maximum fines available to lower courts and make imprisonment more readily available as punishment for both higher and lower courts.

Business and finance

Of course, health and safety risks are only one area where risk management is essential for a construction project. There are also financial, business and reputational risks not related to safety that need to be proactively addressed before the start of any project. This is why a risk management programme is so essential; otherwise, something will be left out, overlooked, and/or not planned for – greatly increasing the potential for harmful, highly-damaging and even catastrophic events.

Elements of a risk management programme

Defining risks

Put simply, risk represents the potential for negative or unwanted impact on a business, person or project from either a present situation or process, or a future event. Level of risk is measured by evaluating the probability and potential impact of a known loss or unwanted gain. The earlier potential risks are identified and assessed, the better they can be controlled, alleviated or avoided completely.

The question is, of course, how to determine what risks require what level of attention. This is where the risk management process comes in. A good risk management process aids in:

Diagram showing areas impacted by a good risk management process

While this article focuses primarily on negative risks, it is important to note that positive risks must also be considered as part of a project risk assessment and be integrated into the risk management plan.

A positive risk is an event or outcome that has the potential to positively affect a project; however, if not properly managed, it can also result in a negative outcome. So, the purpose of positive risk management is to ensure that positive risks are not only taken advantage of but controlled to prevent them from having an unwanted effect.

The following is an example of a positive risk turned negative:

A series of fortuitous events results in phase one of a project completing earlier than scheduled.

Positive impact
Negative impact
With proper risk management, the resources necessary to start phase two are in place, and the project is delivered ahead of schedule and at a cost savings, increasing the reputation of those involved.
Lacking proper risk management, an unwanted gap appears in the project plan that results in delays and complications due to the unavailability of necessary resources. This results in employee leaving the project, unused material degradation, financial losses, and compromised reputation.

Risk assessment

Forecasting risk

The first step of the risk assessment process is identifying what risks could potentially present themselves at any given time within the project. Risks should be identified early in the project process, before related works begin, and risk identification should be a continuous effort throughout the project’s lifespan. Key to identifying risks is understanding the type of risk assessments needed.

This includes:

  • Identifying project scope and key performance parameters
  • Examining investment decisions
  • Comparing stakeholder expectations to current plans
  • Evaluating operational uncertainties, implementation challenges, and integration/interoperability issues
  • Recognising weaknesses within the supply chain
  • Determining internal versus external dependencies
  • Addressing worker safety and workplace security

From the outset, a common understanding of goals and objectives needs to be fostered across the project team, and a context for risk identification should be established. Data from similar projects can be used to create risk lists and provide insight into what specific areas need to be examined for risk.

Once risks have been identified, they must be assessed for impact, i.e., how bad the risk is. The simplest way to do that is to ask, “What is the consequence if this risk occurs?” In some cases, a single risk event can result in multiple consequences, and all of them need to be identified and ranked.

The consequences should be determined using both quantitative and qualitative information. Wherever possible, consequences should be assessed objectively against existing, industry-accepted parameters and definitions to ensure consistency. Of course, in any risk assessment, there will be some subjectivity; however, there are tools and guidance documents available to help ensure that risks assessments and scoring are consistent across the industry. This includes HSE’s risk assessment examples and templates, their interactive tools, and their advice for small builders.

Once risks have been identified and their potential consequences determined, the next step is to create a response plan that not only includes mitigation strategies to minimise the impact of the risk and/or prevent it from happening, but also prescribes what actions will be taken should a risk event occur.

Identify risks, Analyse impact, Implement countermeasures

Avoiding future risks

While a good risk management plan works to alleviate the threat of potential risks, sometimes things just happen. The key is to minimise the impact and then learn from mistakes and failures in order to prevent and/or minimise risk in future. Learning to avoid future risk also enables better forecasting, which in turn, strengthens risk mitigation.

Input and output

While there are certain risks inherent to every construction project, the individual project plan, as well as its goals and objectives, should be used as a foundation to making a project-specific risk assessment. Once risks have been identified, assessed, and priori tised, a plan for managing and mitigating risks should be put into place. The risk assessment plan is a living plan that should undergo regular audits and reviews to ensure that it continues to be relevant.

Project plan
Risk assessment
Risk management plan
Objectives Assess High priority list
  Analyse and prioritise

Risk matrix

The risk matrix is an assessment tool that helps with ranking and prioritising risks. It uses probability and consequence on a sliding scale to help determine which risks need the strongest level of focus and that, in turn, provides decision makers with a clearer idea of what risks there are, what is involved in terms of cost, and what is needed re: behavioural and procedural changes, etc.

When used effectively, a risk matrix helps decision makers visualise the risks faced in qualitative and quantitative terms, organise and plan for those risks, and make informed decisions should a risk situation arise.

When should a risk matrix be used?

A risk matrix should be used before and during a project to continually assess risks. This includes
during hazards analysis, site studies, and health and safety audits. The matrix helps define acceptable
levels of risks and determine risk mitigation measure effectiveness.

What are the parameters?

A typical risk matrix is laid out a four by four or five by five grid that provides probability (Y axis) versus consequence (X axis). The words used provide parameters for ranking by both likelihood and severity.

Risk probability / impact matrix

To aid in determining ranking, one can look at both the impact on employee health and the costs involved for rectification. For instance:

Risk chart showing impact and likelihood

Numbers can also be assigned to help rank risks:


Assigning values

It’s important to be careful when assigning values. The approach should not be overly quantitative, and it is important to avoid including ‘protective measures’ in the evaluation process in order to lower an assigned risk level. Protective measures should be considered a part of the risk response plan, not a part of the risk itself.

Once values have been assigned, decision makers can then use the results to create a risk response and management plan, define project-specific policies, and allocate room in the project budget to not only address likely risks but prepare for potentially catastrophic ones.

Handling risks

There are four basic approaches to handling risks once they have been defined and prioritised:

Avoid – eliminate the risk altogether
Reduce – lessen the impact via proactive planning and corrective measures
Share – transfer the risk to someone else (insurer, etc.)
Accept – realise that certain risks are inevitable and prepare for them

Managing risks

Monitor, Control and Record

As an ongoing part of a risk management plan, there must be a system in place that monitors risks – keeping track of identified risks, determining what risks are no longer a threat, monitoring risks that are still viable, and recognising any new risks that might have presented themselves.

Questions to ask during risk monitoring include:

  • Have risk responses been implemented according to the risk management plan?
  • Were those responses as effective as anticipated? If not, have new responses been developed?
  • Are the project assumptions still valid?
  • Has risk exposure changed?
  • Has a risk trigger occurred?
  • Are policies and procedures being followed?
  • Are there any new risks not previously identified?

Who is involved?

Risk management plan
Risk response audits
Risk response plan
Scheduled risk reviews
Corrective actions
Additional risk identification / analysis
Performance measurements
Change requests
Change in scope
Additional planning Risk plan updates
    Risk database
    Risk idenfication checklist updates

Every project should have someone who serves as a safety representative, and that individual along with other project employees should be involved in the risk assessment process. The assessment should always be carried out before the work to which a risk is associated has begun. As the project situation changes, new hazards will arise. Therefore, the risk assessment must be an ongoing activity under regular review to make sure that nothing has been overlooked. A project’s risk management plan needs to be a living document that reflects changes as they occur.

Best practice for projects and worksites is to promote risk awareness and encourage employees to be actively involved in ongoing risk assessment. This includes reporting any unsafe behaviours, situations, conditions, etc. as and when they are discovered, even if it means stopping work to examine the issue. It is better to delay the project for a short period of time whilst a potential hazard is investigated than risk major project delays as the result of having to shut down a site to deal with a risk occurrence.

Keeping records

Health and safety law requires that risk assessments findings are recorded and kept for businesses and projects that employ more than five people. However, it is good business practice to record risk assessment findings no matter what the project size. If nothing else, it serves as proof that a risk assessment was carried out, should a health and safety inspector become involved and make an inquiry.

CDM regulations

Since 2015, CDM regulations affect anyone performing a construction project – be it domestic or nondomestic. There is also a new requirement for projects that either 1) last more than 30 days total duration and require more than 20 people on site at any time or 2) last longer than 500 man days with a workforce of any size to have an HSE form F10 filed.

Notification of construction project form

The new regulations also place a much higher level of accountability on the client and designers, creating the role of principal designer who, amongst other things, coordinates health and safety efforts and ensures that proper records are maintained. This role is appointed by the client and can be an individual or an organisation.

To aid in CDM 2015 compliance, CITB offers industry guidance that addresses CDM 2015 regulations. The guidance is provided via six documents addressing the responsibilities of each of the five primary duty holders plus an additional document for employees. You can find the guidance here: CITB Guidance for CDM 2015

The key to risk management is a proactive approach

Despite regulations and the wealth of best practice methodologies available for risk assessment and management, in far too many cases, risk assessment is still being carried out retrospectively – at a cost of lost man hours, missed deadlines, increased budgets, damaged reputation, threatened business and lost or irrevocably damaged lives. By taking a proactive approach to risk identification, assessment and management, many of these events can be mitigated or avoided completely.

Reactive response and proactive response

This article has been edited and repurposed from “Risk Management”, written for the Construction Information Service.