Section 1
Purpose
Risk identification and quantification are the foundational activities of the RICS Management of Risk framework. At RIBA Stage 1 the QS’s role is to identify the full range of cost and programme risks, select appropriate methods to quantify their financial impact, and translate that analysis into a risk-adjusted budget allowance — before design has advanced and before commitments have been made.
The governing RICS publication is Management of Risk (1st edition, reissued as practice information March 2025), which defines risk as an uncertain event or condition that, if it occurs, has a positive or negative effect on project objectives. The framework follows six structured steps: Identify → Categorise → Assess (Probability × Impact) → Respond → Allocate → Monitor. Without a complete, realistically quantified risk register, all subsequent cost management is built on an incomplete foundation.
Optimism bias — the systematic tendency to underestimate costs and programme durations — is a separate but related obligation. It must be addressed explicitly and is covered in detail in GN-FE-07. This note focuses on the identification, categorisation, and quantification of individual project risks and on the role responsibilities that accompany good risk management practice.
Section 2
Key Principles
- Risk is defined by RICS as an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives (cost, time, quality, or scope). Both threats (negative risks) and opportunities (positive risks) must be captured in the register.
- The RICS Management of Risk six-step framework: (1) Identify — list all potential risk events using prompt lists, site data, workshops, and lessons learned; (2) Categorise — group by type (site, design, statutory, commercial, programme, external, client/funding); (3) Assess — score for Probability and Impact; (4) Respond — select Avoid, Reduce, Transfer, Share, or Retain; (5) Allocate — assign a named risk owner; (6) Monitor — review and update at every project milestone.
- Quantification methods must be matched to the significance and complexity of the risk. Three methods are used in practice: (a) Expected Monetary Value (EMV) — Probability% × Impact £ — fast and suitable for most risks at feasibility stage; (b) Three-point estimating — uses Optimistic, Most Likely, and Pessimistic cost scenarios to derive a weighted expected value — appropriate for significant individual risks where impact is not a single figure; (c) Monte Carlo simulation — computer-based modelling of thousands of iterations using probability distributions for all risk inputs — appropriate for complex or high-value projects where the aggregate risk profile must be modelled with confidence intervals.
- Schedule Quantitative Risk Analysis (SQRA) applies the same quantification logic to programme durations. Using the Critical Path Method (CPM) as a base and Monte Carlo simulation across uncertain activity durations, SQRA produces confidence levels for the project completion date (e.g. P50, P80) and identifies the activities most exposed to programme risk. For time-critical projects SQRA should be run alongside the cost risk analysis.
- Risk allocation follows the principle that risk should sit with the party best placed to manage it. Design and Build transfers design and construction risk to the contractor; Traditional procurement retains design risk with the client team. This allocation principle directly informs procurement route selection and must be understood and documented.
- Optimism bias is a systemic risk category that applies to the project as a whole and must be addressed separately from individual risk EMVs. It is covered in full in GN-FE-07. The key distinction: EMV-based risk allowances cover identified individual risks; optimism bias covers the systematic underestimation that affects the base cost estimate itself.
- The risk register is a live document. It must be reviewed and updated at every RIBA stage milestone. Risks that crystallise should be closed and their actual cost recorded; new risks must be added as they emerge. A register created at feasibility and never updated is not risk management.
Section 3
Practical Application
Follow these steps to establish the project risk register and quantify the risk allowance at feasibility stage:
Step 1
Conduct a structured risk identification exercise. Use: (a) a prompt list of common risk categories (site, design, statutory, commercial, programme, external, client and funding); (b) review of the project brief, site appraisal, and feasibility report; (c) a facilitated risk workshop with the client and PM where practicable; (d) lessons learned from comparable completed projects. The objective is a comprehensive and realistic register — not a list of remote possibilities, nor an optimistic one that omits material risks.
Step 2
Categorise each risk. Group by: Site; Design & Scope; Planning & Statutory; Commercial & Market; Programme; External & Environmental; Client & Funding. Categorisation enables filtering for reporting and ensures systematic review of each type.
Step 3
Select the appropriate quantification method for each risk. Apply EMV (Probability% × Impact £) as the default for most risks at feasibility stage. For significant individual risks where the impact is a range rather than a single figure, use three-point estimating: Weighted EMV = [Optimistic + (4 × Most Likely) + Pessimistic] ÷ 6, then multiply by Probability%. For complex or high-value projects, commission a Monte Carlo simulation to model the aggregate risk profile and produce confidence intervals (P50, P80) for budget-setting purposes.
Step 4
Score each risk and plot on a risk matrix. Assign Probability (Low <20%, Medium 20–50%, High >50%) and Impact (£ value). Calculate EMV or weighted EMV. Plot on a 5×5 probability–impact heat map to identify which risks require active management (High/Extreme) vs monitoring (Low/Medium).
Step 5
For time-critical projects, run Schedule Quantitative Risk Analysis (SQRA). Map uncertain activity durations on the critical path, assign probability distributions (optimistic / most likely / pessimistic), and run a Monte Carlo simulation to produce P50 and P80 completion date confidence levels. Report the programme risk alongside the cost risk in the feasibility report.
Step 6
Select a response strategy and assign a named risk owner. Response strategies: Avoid (eliminate by changing approach); Reduce (lower probability or impact); Transfer (contract or insurance); Share (allocate between parties); Retain (accept and carry allowance). Every risk must have a named individual owner — not a generic role or team.
Step 7
Quantify the total risk allowance. Sum EMVs across the register. Add an explicit optimism bias allowance (see GN-FE-07). Cross-check the total against the budget risk allowance (per GN-FE-03). If the budget is under-reserved, report this to the client with a recommendation to increase the allowance.
Step 8
Issue the risk register summary with the feasibility report. Include the top 10 risks by EMV, response strategy, risk owner, and total quantified risk allowance. Retain the full register on the project file. Agree a schedule for regular risk reviews with the PM.
Risk Management Role Responsibilities
The following summarises key risk management responsibilities by role. Responsibilities shift materially depending on procurement route — particularly for Design and Build, where design risk transfers to the contractor.
Section 4
Common Mistakes to Avoid
- Applying EMV to every risk regardless of its significance. EMV (P% × single impact figure) is fast but crude for risks with a wide range of possible impacts. Use three-point estimating for any risk where the impact could vary significantly between best and worst case.
- Confusing optimism bias with risk contingency. Optimism bias covers the systematic underestimation embedded in the base cost estimate. Risk contingency covers individual identified risks. Both must appear as separate, named budget lines. See GN-FE-07 for OB methodology.
- Assigning generic risk owners. “Project team” is not an owner. Every risk must have a named individual who is accountable for monitoring and responding to it.
- Not running SQRA on time-critical projects. A cost risk analysis without a corresponding programme risk analysis gives the client an incomplete picture. Where the completion date is a primary driver, SQRA and P80 confidence intervals should be reported alongside the cost risk allowance.
- Treating the risk register as a one-off deliverable. A register created at feasibility and not revisited is not risk management. It must be reviewed, updated, and reported at every RIBA stage milestone and after any material change to the brief or site information.
- Omitting opportunities from the register. Cost and programme opportunities — favourable ground conditions, a competitive tender market, a programme acceleration option — should be captured alongside threats. Ignoring them produces overly conservative cost advice.
Section 5
APC Competency & Quick Reference
This guidance note is relevant to the following RICS APC competencies: Risk Management (, Levels 1–3); Cost Management (, Levels 1–3); Procurement and Tendering (, Level 1); Client Care (B2, Level 1).
What are the six steps of the RICS Management of Risk framework?
Identify → Categorise → Assess (Probability × Impact) → Respond (Avoid, Reduce, Transfer, Share, Retain) → Allocate (named owner) → Monitor (review at every project milestone). The framework is prescribed in RICS Management of Risk (1st edition, reissued March 2025).
What are the three main risk quantification methods used in construction cost management, and when is each appropriate?
(1) EMV (Expected Monetary Value) — Probability% × Impact £ — fast and suitable for most risks at feasibility stage. (2) Three-point estimating — uses Optimistic, Most Likely, and Pessimistic scenarios: Weighted EMV = [O + (4×ML) + P] ÷ 6 × Probability% — appropriate for significant risks with a wide impact range. (3) Monte Carlo simulation — models thousands of iterations across probability distributions for all risk inputs, producing confidence intervals (P50, P80) for budget and programme — appropriate for complex or high-value projects.
What is Schedule Quantitative Risk Analysis (SQRA) and when should a QS recommend it?
SQRA applies Monte Carlo simulation to project programme durations. Each activity on the critical path is assigned optimistic, most likely, and pessimistic durations, and the simulation runs thousands of iterations to produce P50 and P80 confidence levels for the project completion date. It identifies which activities carry the most programme risk. A QS should recommend SQRA for any project where the completion date is a primary driver — e.g. a school that must open for a new academic year, a retail opening tied to a lease, or a phased hospital with operational dependencies.
Section 6
Feasibility Stage Checklist
☐
Structured risk identification completed — prompt lists, site data, brief review, and workshop used
☐
Risks categorised by type: Site, Design, Planning & Statutory, Commercial, Programme, External, Client & Funding
☐
Quantification method selected for each risk: EMV (default), three-point estimating (significant risks), or Monte Carlo (complex/high-value)
☐
P×I scores assigned — basis briefly noted; risks plotted on probability–impact heat map
☐
SQRA commissioned for time-critical projects — P50 and P80 completion dates reported
☐
Response strategy selected for each significant risk (Avoid / Reduce / Transfer / Share / Retain)
☐
Named risk owner assigned to every risk in the register
☐
Total quantified risk allowance cross-checked against budget — any shortfall reported to client in writing
Section 7
CPD Learning Outcomes
- Apply the RICS Management of Risk six-step framework to identify, categorise, and quantify project risks at feasibility stage, selecting the appropriate quantification method (EMV, three-point estimating, or Monte Carlo) based on the significance and complexity of each risk.
- Conduct Schedule Quantitative Risk Analysis (SQRA) to produce P50 and P80 programme confidence levels for time-critical projects, and report schedule risk alongside cost risk in the feasibility report.
- Assign risk response strategies and named owners to all significant risks, cross-check the total quantified risk allowance against the project budget, and report any under-reservation to the client with a recommendation.
Section 8
Further Reading
- RICS Management of Risk (1st edition, reissued as practice information March 2025)
- RICS Optimism Bias (guidance note, 2015) — see also GN-FE-07
- HM Treasury: The Green Book — Central Government Guidance on Appraisal and Evaluation (2022 edition)
- HM Treasury: Supplementary Green Book Guidance on Optimism Bias (Mott MacDonald, 2002)
- RICS NRM 1: Order of Cost Estimating and Cost Planning for Capital Building Works (2nd edition, reissued as practice information October 2022)
- RICS Value Management and Value Engineering (1st edition)
Subscriber Content
Sections 3–8 are for subscribers
Your subscription unlocks Practical Application steps, Common Mistakes to Avoid, APC Quick Reference, the Stage Checklist, CPD Learning Outcomes, Further Reading, and all production-ready templates.