A comprehensive risk register may contain up to 250 risks. There is no minimum or maximum number of risks that must be quantified, although typically there are between 20 and 40 risks that are calculated. To make the risk quantification more efficient, it is recommended that, where possible, risks be aggregated and quantified as a group. For example, there are many possible sources of delay (risks) that can be aggregated under a category of delay-related risk for quantification purposes. These different sources of delays can be considered possible scenarios. Rather than calculate the value of each individual risk, the value of the combined impact of these risks is determined. It is important to keep a large number of risks in the risk matrix even if only some of them are quantified. The reason is that most require a unique risk mitigation strategy.
It is recommended that retained and transferred risks not be aggregated. Risks that are shared (usually a very small number), should also be kept separate and quantified individually. Once quantified, a decision can be made about how the risk should be shared (i.e., 50/50, all dollars above a certain threshold, etc.).
Examples of some of the larger risk categories include:
• Pre Construction
o Approvals at various levels of government (e.g., Provincial Treasury Board, municipal, zoning, development).
• Design and Construction
o Construction delays,
o Cost escalation (e.g., supply of materials, labour, equipment),
o Scope changes by owner,
o Geotechnical risks,
o Errors and omissions, and
o Estimating risk (errors).
• Operating Period
o Failure to meet performance standards, and
o Failure to meet hand-back requirements at the end of the contract term.