A Risk Management Approach to Engineering

by Richard J. Driscoll, P.E.
Consulting Engineer


The practice of engineering is often defined in terms of the application of mathematics and science, along with experience and judgment, in the investigation, evaluation, planning, design, construction or operations of systems, in which the health, safety and welfare of the public must be protected. Another definition could be extrapolated from a popular definition of structural engineering: engineering is the art of modeling systems that we cannot precisely analyze, which consist of elements and interfaces we do not fully understand, to withstand loads we cannot properly assess, in such a way that the public at large has no reason to suspect the extent of our ignorance (Schmidt 2009).

The first definition emphasizes a rational approach and the consequences of failure; we use mathematics, science, experience and judgment to protect the public. The second definition emphasizes an environment of uncertainty; engineering is an art and we use inherently imprecise models to make predictions. Neither definition emphasizes the value to the public of the systems engineers create and maintain. This value supposedly justifies the acceptance of some level of risk to the public due to the inherent hazards associated with engineered systems and the inherent uncertainty in our methods to mitigate the effects of these hazards.

Considering the uncertainties involved in engineered systems and the need to proactively protect the public from hazards, a proper definition of engineering might incorporate the definition of risk management. If we recognize that risks can have both positive and negative outcomes, risk management can be defined as the art and science of recognizing, assessing and acting upon uncertain events and their consequences. Like risk management, engineering is both an art and a science, functioning in an environment of uncertainty. Through engineering, we allow the public to enjoy the benefits of engineered systems, while we seek to protect the public from the hazards associated with those same systems. This requires recognizing, assessing and acting upon risks in the design process. Thus risk management underlies the practice of engineering whether or not engineers are conscious of it.

Engineering Approaches

The risk management component of engineering may not be self-evident by watching engineers at work. A lot of engineering practice consists of routine calculations, document preparation and field observation, often performed according to highly structured procedures. Engineers and clients alike may come to the impression that engineering is primarily transactional, requiring little more than basic technical knowledge and adherence to procedures to complete projects. A transactional approach leads to an inappropriate emphasis on generating engineering documents as efficiently as possible, and deprecation of the art, science, experience and judgment embedded in engineering documents.

In the transactional approach, risks are managed in a highly simplistic way, through the use of codes, standards and procedures, which provide some means of accounting for uncertainty and common, well-understood hazards. However, this can result in some risks being managed through arbitrary and overly conservative means and other risks being neglected. An alternative approach would be to balance the performance goals for the engineered system with the client’s budget and risk tolerance, thus providing a value proposition to the client by increasing the likelihood of project success, without excess conservatism. Since this approach requires a conscientious management of project risk, we can call it the risk management approach.

The Risk Management Process


Qualitatively, risk can be defined as the deviation of project outcomes from the nominal or expected outcomes (Wang & Roush 2000). In civil engineering, these outcomes are often thought of as the negative effects of hazards. However, the more general definition allows consideration of positive deviations. Quantitatively, a risk is a loss or a gain associated with deviation from the expected outcome, which can be expressed in terms of cost, schedule or some other applicable metric and used for decision making.

Risk Management Process

While there is no one process for managing risk, most references describe a few steps in the process, including identification, assessment and disposition.


First, reasonably foreseeable risks must be identified based on available information. Depending on what is known about the project at the time risks are identified, this may rely primarily on experience and judgment, based on what has gone right and wrong for similar projects or projects with similar conditions. In some cases, a particular hazard might be identified and the effect has to be assumed, while in other cases, a risk may be identified without causation being understood. Risk identification requires the honesty and humility to acknowledge that no project is perfect. However, it is also useful to identify outcomes that might be better than expected.


Once risks are identified, they can be assessed. Risk assessment is a field unto itself, but generally, it involves determining the likelihood and consequence of each potential hazard, which together comprise the risk associated with that hazard. Since risk is defined in terms of the expected performance of an element or system, it may be necessary to determine the expected performance at this stage as well. Note that this analysis of nominal system performance is part of the typical design process. Depending on the available information and the level of detail for decision making, the risk assessment might be qualitative or quantitative. In practice, a semi-quantitative approach is often adequate, in which relative probabilities and impact severity measures are used to compare and prioritize risks. It may also be useful to classify risk according to types and the extent to which they can be controlled by various parties.


The heart of risk management is the risk disposition step, in which a strategy for addressing each identified risk is determined, based on the risk assessment. Generally, the available means of risk disposition are avoidance, reduction, transfer or retention.

Avoidance: Avoidance requires eliminating the activity from which the risk arises. For example, the risk associated with pile driving vibrations can be avoided by substituting a mat foundation system.

Reduction: Risks can be reduced, but perhaps not eliminated, through prevention or mitigation. Prevention measures reduce the probability or magnitude of a hazard, which will typically reduce the expected impact and thus the risk associated with the hazard. Grouting a soil mass in advance of tunnelling will reduce the variability of its properties and thus the risk associated with those properties. Mitigation is used to reduce the consequence of a hazard when the hazard cannot be controlled. Providing freeboard between the base flood elevation and the first floor of a building in a flood zone mitigates the risk of flood damage to the contents and finishes of the building.

Transfer: Risks can be transferred from one party to another by contract in exchange for a premium. This can lead to efficiencies if another party can manage a risk better than the party exposed to it. For example, an insurance carrier can manage severe, but rare risks better than their policyholders by pooling the premiums and risks from a large number of policies.

Retention: Any risk that is not avoided, reduced or transferred is retained by the party exposed to it. Risk retention is often employed with risk reduction, since prevention and mitigation measures leave residual risks. Retained risks are often subjected to control and monitoring. Control consists of operating procedures and contingency plans that allow for risks to occur, but provide for corrective measures that can be taken before consequences become too severe. Since control requires early detection of deviation from expected performance, monitoring is necessary, which consists of various means of observation and measurement. Control is conceptually similar to prevention and mitigation, but consists more of processes and other “soft” systems than more tangible prevention and mitigation measures. Peck’s “Observation Method” is a classic example of risk control in geotechnical engineering (van Staveren 2006).

Risk Management in the Engineering Process

It should be apparent that, like the engineering design process, risk management is an iterative, nonlinear, and perhaps recursive process. The available information changes throughout the duration of the risk management process. For example, exploration is often used to reduce the uncertainty associated with existing conditions. The additional information from the exploration might allow previously unforeseen risks to be identified. Thus the risk management process begins for these newly discovered risks. Similarly, with each phase of a project, as more information is available, new risks will be recognized and new opportunities to optimize how risks are managed will arise. In addition, risk management measures may carry their own risks, which have to be assessed and managed prior to implementation. This requires the involvement of the entire design team for the duration of the project. Early involvement of construction managers and key contractors is also useful in managing project risk.

The risk management process provides a framework for understanding the uncertainty associated with a project and taking measures to control the outcomes. This framework is embedded in the process of solving an engineering problem, but if used consciously, it provides opportunities to add value to the problem’s solution. If the hazards and uncertainties specific to the problem can be accounted for as part of the solution to the problem, it becomes unnecessary to control risks through arbitrary measures or excessive conservatism. The result is a solution to the problem that is adequately reliable, considering the risk profile of the project stakeholders, while using resources effectively. Thus, ideally, effective risk management optimizes the risk-reward balance.


A few hopefully familiar examples may help illustrate the value of a conscious approach to risk management in engineering practice compared with the transactional approach.

Low-Fee Geotechnical Services

Many geotechnical investigations are performed by testing agencies on a low-bid basis. Since the low fee provides little budget for project-specific engineering analysis, the reports for these investigations typically include limited data presentation and analysis and are prepared with little input from senior professionals. Some risks are not identified or assessed, while others are managed through generic or excessively conservative recommendations. While higher in cost, a more thorough geotechnical scope can provide a better basis for constructor bids, as well as more appropriate foundation recommendations and construction guidance, resulting in lower construction cost and risk.

Design Calculation Standardization

Some design firms make extensive use of standard calculation templates, software and sometimes design assumptions to standardize quality from one project to the next, to maximize productivity and profitability of junior staff and to reduce the amount of time needed for senior staff to oversee the production of design calculations. For these organizations, calculation preparation is transactional. The reduced involvement of senior staff can result in junior staff performing inappropriate calculations for a particular problem because a template is available. In addition, non-computational aspects of design, such as constructability, can be neglected, resulting in increased cost and risk.

Typical Details

Firms that routinely prepare construction documents usually make use of typical details and standard specifications, which are not always coordinated with the particular aspects of the project for which they are used. This can increase the likelihood of errors and omissions in the construction documents, requests for information from the contractor and claims.

In each of these examples, a transactional approach is used to reduce the cost of the professional services to be provided and the deliverables associated with those services. The client likely misconstrues the benefit of this approach, understanding the economy, but failing to understand the risk to which they might be exposed by their choices regarding the scope and budget of the services provided to them. Given this attitude, it is hardly surprising that a lot of engineering services have been commoditized.


Managing uncertainty and risk is fundamental to engineering practice and risk management is embedded in the engineering design process. Consequently, some level of risk management is inherent in engineered systems. However, the unconscious risk management embedded in transactional engineering practice is unlikely to yield an optimal risk-reward balance. A risk management approach to engineering practice adds value at every stage of a project, by balancing performance of the engineered system with the client’s risk profile and increasing the likelihood of project success, without relying on excess conservatism.

Conscious risk management through the engineering design process requires a higher level of effort and a higher level of service, with the involvement of well-educated and experienced professionals. The resulting professional fees will necessarily be higher than document preparation under a transactional approach. However, design fees are usually a small proportion of construction costs and are minuscule compared to life-cycle costs for a typical construction project. Modest savings in cost or a commensurate reduction in risk during the construction or in-service phases can offset these costs, often with a highly favorable return on investment. Therefore, the risk management approach has the potential to be a great bargain on a project.


Ross W. Hayes, John G. Perry, Peter A. Thompson and Gillian Willmer. Risk Management in Engineering Construction. London: Thomas Telford Ltd.: 1987.

William G. Ramroth, Jr., AIA. Risk Management for Design Professionals. New York: Kaplan Publishing: 2007.

Jon A. Schmidt. “InFocus: The Definition of Structural Engineering.” Structure: January 2009.

Martin van Staveren. Uncertainty and Ground Conditions, A Risk Management Approach. Oxford: Butterworth-Heinemann: 2006.

John X. Wang and Marvin L. Roush. What Every Engineer Should Know About Risk Engineering and Management. New York: Marcel Dekker, Inc.: 2000.
