Risk Management Planning Risk Management Planning is the most important process through which the approach of project

authorities towards risk management is reflected. The more importance and necessity felt for risk management, the higher is the chance of fining this process in the project/firm. Based on the survey results, only in a very few responding organizations (2 out of 45 cases), risk management planning is performed in a systematic manner and according to the predefined processes and instructions. Its interesting to mention that these two companies are classified as large, therefore it seems the decision and also the resources required for preparing a plan for risk management is mostly found in the large companies. Most of the responding companies act upon risks in a reactive manner which means no plan is developed. They usually hold sessions of risk assessment when the necessity arises and make decision. The outcomes of these meetings are documented in the form of an action plan and are forwarded to the responsible bodies. Although these meetings are held based on the need and not based on the plan, but since it can still respond partly to project needs for risk management. This situation is not ideal but still preferable when its compared to the common practice in small companies. In most of the responding small companies, no action is done regarding risk management planning. What they do can be summarized as oral discussions in order to create a shared understanding about possible risks. Another important issue related to risk management planning is the time scope of planning. In a few responding projects, risk management planning is done for the whole horizon of the project whereas in most of the large and medium companies, it is done for only a part of time horizon. In small companies, planning is done only for a very near time horizon. In order to manage risks effectively, its essential to plan first. However, it seems that risk management planning in Iranian construction companies is not followed in a systematic manner and according to defined instructions. This implies a

serious weakness for Iranian construction companies that should be considered for improvement. Risk Identification Risk Identification process exists in many of the responding organizations but there is some variation in how its done, the time scope and the size of risks identified. Only in a few companies, Risk identification is performed in a systematic manner and according to predefined procedures. Most of the companies and project authorities perform risk identification in the form of holding meetings upon the need. Its interesting to see that in 1/3 of small companies risk identification is absolutely absent. But, on average, risk identification has gained more popularity and use compared to risk management planning. An important aspect that differentiates companies in terms of risk identification is the timeframe and frequency of this activity. Whereas in small companies risk identification is done at the threshold of risk occurrence, in many of large companies its done at the start of project in order to reflect on the required resources and actions for managing the identified risks. These resources and actions would be included in the contract agreement. Some companies conduct risk identification runs throughout the whole project lifecycle. As the project moves on, new risks might show up or fade away. Periodic runs of risk identification help to identify these cases and update the planning accordingly. Apart from the type of project, the approach of project managers towards risk can also play a role in frequency and timeframe of risk identification activity. The degree of risks being identified is also different among large, medium and small companies. In majority of small and medium companies, risk identification is confined to a few so called big risks with major effects on the outcome of the project. Only in a few companies/projects all the existing risks are identified, no matter how big they are. Therefore, it can be concluded that risk identification is tailored to risk prioritization in many of the organizations. Moreover, the general

approach of organization/project towards risk management can greatly affect the degree and scope of risk identification. Different tools and methods are available for risk identification. In medium companies, the brainstorming method is a common practice. However, in large companies, more systematic tools such as checklists and document reviews are used. Small companies mostly rely on the expert idea and experiment in order to identify the risks. In sum, risk identification is represented in responding organizations much more than the other activities of risk management. It is utilized more effectively and is viewed as more easy-to-implement than the other processes. However, similar to other processes of risk management, risk identification practice varies in the organizations. The variations in the risk identification seems correlated to the organization size. How frequent the risk identification is done, the time scope of risk identification, size of risks being identified and tools used in risk identification are the most important aspects that can differentiate the risk identification of one company from the other. With the spread of risk management knowledge in Iranian companies, its expected that these companies promote their risk identification practice through more frequent conduct of risk identification along the whole project lifecycle. Qualitative Risk Analysis In order to respond effectively to the risks, its necessary to evaluate the probability and effect of the identified risks. Risk analysis can be done with both qualitative and quantitative approach. Qualitative analysis is generally simpler and needs less data and information.