ENGI5003 · Professional Engineering Management
Risk Management
This chapter is the risk management topic of ENGI 5003: how an engineering project surfaces what could go wrong, grades each threat by likelihood × impact on a 5×5 matrix, chooses a response, and records everything in a risk register. It is a near-guaranteed exam earner — expect a short-answer or scenario task asking you to score and rank risks, name a response strategy, or place a control on the hierarchy, so the method here maps straight onto marks.
What this chapter covers
1. What a risk is: likelihood + impact, inherent vs residual
2. The four-phase pipeline: identify, analyse, respond, manage
3. Identification tools: PESTLE, Risk Breakdown Structure, bowtie
4. The risk-statement template (event / cause / consequence)
5. Qualitative analysis on the 5×5 matrix (score = L × I)
6. Response strategies: avoid, transfer, mitigate, accept
7. Hierarchy of controls (Eliminate → … → PPE)
8. The risk register and WHS Act 2012 (SA) s22 designer duty
Score and rank four site risks on the 5×5 matrix
- (+2) Multiply L × I for each risk — score is the product, never the sum: R1 = 3×4 = 12; R2 = 4×3 = 12; R3 = 4×1 = 4; R4 = 1×5 = 5.
- (+1) Read each score against the band scale (1–4 Low, 5–9 Medium, 10–14 High, 15–25 Very High): R1 = High, R2 = High, R3 = Low, R4 = Medium.
- (+1) Rank by score, highest first; break a tie by the larger impact, since a severe consequence is less tolerable than a frequent nuisance — R1 (impact 4) outranks R2 (impact 3) despite the equal score of 12.
- (+1) Identify the treatment priority and note R4: although Rare, its Severe impact means it cannot simply be ignored — a fatality-class risk warrants attention beyond its modest score.
Key terms
- Risk (PMBOK): An uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective. Its two components are likelihood (probability) and impact (severity).
- Inherent vs residual risk: Inherent risk is the rating before any controls are applied; residual risk is what remains after controls. The aim of a response is to pull inherent risk down to an acceptable residual level.
- Risk matrix (5×5): A grid combining a 1–5 likelihood scale (rare…almost certain) with a 1–5 impact scale (negligible…severe). The product L × I gives a score read as Low / Medium / High / Very High.
- Risk Breakdown Structure (RBS): A hierarchical categorisation of risk sources, typically Technical, Management, Commercial and External, used to organise identification and the register so no source area is missed.
- Bowtie method: A diagram centred on a top event: the left side lists causes plus proactive (preventive) controls, the right side lists consequences plus reactive (mitigation) controls.
- Hierarchy of controls: Risk controls ranked most-to-least effective: Eliminate → Substitute → Isolate → Engineering controls → Administrative controls → PPE. Higher levels are preferred as they depend less on human behaviour.
Risk Management FAQ
What is the difference between qualitative and quantitative risk analysis?
Qualitative analysis grades likelihood and impact on word scales (rare…almost certain, negligible…severe) and reads a band off the 5×5 matrix. Quantitative analysis attaches numbers, such as a probability times a dollar impact (expected monetary value). For most engineering projects qualitative grading is sufficient, and that is what the exam emphasises.
How do you calculate a risk score?
Multiply likelihood by impact, each rated 1–5: score = L × I. The product (1–25) maps to a band — 1–4 Low, 5–9 Medium, 10–14 High, 15–25 Very High. It is a product, never a sum, and the band (not the raw number) drives the management response.
What are the four risk response strategies?
Avoid/eliminate (remove the cause so the event cannot occur), Transfer (shift the financial consequence to a third party, e.g. insurance), Mitigate (reduce the likelihood and/or impact), and Accept (take no action on Low risks or hold a contingency reserve).
What goes in a risk register?
Each row records an ID, description, category, likelihood, impact, the inherent risk rating, the control measures, and the resulting residual risk. The register is a living document kept current through monitoring — audits, reserve analysis and reassessment.
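As an added example (not part of the course page), the following Python risk register implements the worked problem above and the two FAQ answers on scoring and the register: score = L × I, band lookup, ranking with the larger-impact tie-break, and inherent-to-residual tracking per row. The four risk statements and the R1 control are constructed for illustration; the (L, I) pairs are the worked problem's.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Band scale from the page: the product L x I (1-25) is read against these bands.
BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 14, "High"), (15, 25, "Very High"))

def band_for(score: int) -> str:
    for lo, hi, name in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} is outside 1-25")

@dataclass
class Risk:
    # One register row: inherent rating, controls applied, residual rating.
    rid: str
    statement: str                    # "If EVENT due to CAUSE, then IMPACT"
    likelihood: int                   # inherent L: 1 rare .. 5 almost certain
    impact: int                       # inherent I: 1 negligible .. 5 severe
    controls: List[str] = field(default_factory=list)
    residual: Optional[Tuple[int, int]] = None   # (L, I) after controls, once rated

    def __post_init__(self):
        for v in (self.likelihood, self.impact) + (self.residual or ()):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.rid}: ratings must be 1-5")

    def score(self, rating: Optional[Tuple[int, int]] = None) -> int:
        lik, imp = rating or (self.likelihood, self.impact)
        return lik * imp              # multiply, never add

    def inherent_band(self) -> str:
        return band_for(self.score())

    def residual_band(self) -> str:
        # Falls back to the inherent rating until controls have been rated.
        return band_for(self.score(self.residual))

def rank(risks: List[Risk]) -> List[Risk]:
    # Highest inherent score first; a tie goes to the larger impact.
    return sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)

# Constructed sample register using the four (L, I) pairs from the worked problem.
REGISTER = [
    Risk("R1", "If a trench wall collapses due to unshored excavation, then injury",
         3, 4, ["Isolate: shore the trench walls"], residual=(1, 4)),
    Risk("R2", "If deliveries slip due to a single supplier, then schedule overrun", 4, 3),
    Risk("R3", "If minor rework is needed due to a survey error, then small cost", 4, 1),
    Risk("R4", "If a crane load drops due to rigging failure, then a fatality", 1, 5),
]
```

Ranking the sample register returns R1, R2, R4, R3, and R1's residual drops from High (12) to Low (4) once the control is rated.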
Why is PPE the lowest level in the hierarchy of controls?
PPE (such as a harness or respirator) only works if a person wears and uses it correctly every time, so it is the least reliable, last line of defence. Higher controls — eliminating or substituting the hazard, or engineering it out — protect everyone regardless of behaviour, which is why a designer's duty under WHS Act 2012 (SA) s22 is to design out the hazard so far as is reasonably practicable.
Exam move
Memorise the workflow as one chain and recite it on any risk question: Identify widely (PESTLE / RBS / bowtie) and write each risk as "If EVENT due to CAUSE, then IMPACT" → score the INHERENT risk as L × I on the 5×5 → rank, with High/Very High needing controls plus senior sign-off → choose a response (avoid / transfer / mitigate / accept) → for mitigate, climb the hierarchy of controls (Eliminate first, PPE last) → record inherent → controls → residual in the register and monitor. Drill three reflexes the examiner tests: score is L × I (multiply, never add); always rate INHERENT before any control quietly lowers it in your head; and when scores tie, let the larger impact win because severity beats frequency. Practise mapping one hazard across all six control levels and translating one bowtie branch into a single register row — those are the two most common short-answer formats.