Risk Management of Terminal Development at Airport

Risk Management of Terminal Development at Airport Dissertation Objectives Investigate the problems at the terminal 5 opening, especially with the baggage handling system despite extensive simulated testing using thousands of bags and more than two thousand volunteers in the run up to the opening of T5 Identify the necessary risk strategies to be considered for such mega-projects, the benefits of such approaches, taking into account previous failed and successful projects, and any lessons to be learnt Discuss the implementation approach adopted by BAA and the risk associated with this approach Provide formative evaluation summarising key findings and conclusion based on evidence gathered from research T5 Synopsis The terminal 5 project in addition to being a statement of intent for the future of British aviation was built with the aim of improving customer experience and to exhibit Heathrow as a world class international airport. The baggage handling system at T5 was designed to be the largest baggage handling system in Europe for a single terminal. The system consists of a main baggage sorter and a fast track system. The system was designed by an integrated team from BAA, BA and Vanderlande Industries of the Netherlands, with the aim of handling both intra-terminal and inter-terminal luggage. Its processing capacity was intended to be 70,000 bags a day. Bags are meant to undergo several processes on the way through the system, these include; automatic identification, explosives screening, fast tracking for urgent bags, sorting and automatic sorting and passenger reconciliation. The scheduled completion and opening date was March 2008, and T5 was on time and on budget. This was a remarkable achievement especially in a sector where project delays and vast overspends are commonplace (the Millennium dome, Wembley stadium and the Scottish Parliament buildings were all opened late and cost a lot more than the original estimate). However, on its first day in operation, T5s bespoke baggage system was affected by technical software problems, which led to a number of issues, such as cancelled flights, lost baggage, and substantial delays, but more importantly, BAs challenge were its people issues and integrating teams of staff. Initial reports suggest that the day one issues were less to do with technology issues and more to do with inadequate staff training, and this was not just for one group of people but at all levels. Below is a summary of its problems on the opening day: Hundreds of staff found it difficult finding the staff car park entrance Check-in staff struggled with their systems, these problems ranged from very simple tasks such as logging into the baggage system to complex tasks Security personnel who were totally ignorant of their new roles and had to be taken through new procedures in the morning in front of passengers Ground staff and crews and ground staff getting lost in the huge building Baggage handlers struggled to get a hang of the new baggage system Baggage truck drivers got lost within the terminal and needed directions to the aircraft Baggage drivers and handlers could not get luggage from the conveyors to the gates On nine occasions, inspectors from the department of transport had managed to bypass security checks during trials of the terminals new systems and that the terminals alarm system was not working properly Going through these problems therefore suggest that the entire problem was down to lack of adequate training or simply inappropriate appraisal of risk involved. This is very surprising as this was a very high profile project and taking into account that this was a simple 3 team process get baggage, take baggage to aircraft and load baggage onto aircraft. Training System Testing Prior to Opening Based on initial interviews with BAs CIO, it would suggest that the human elements were given the importance it required. BAs CIO, Paul Coby told CIO UK [in March 2007] â€Å"the IT work to support such a large-scale, new-build project was also going well. â€Å"Devices are deployed, connections are being integrated and 2007 will be testing year. The airline is moving onto the T5 systems, so they run for a year ready to operate at the new terminal when it opens in 2008†. According to XXXXX, in the run up to the opening of T5 there were a series of overnight baggage-systems tests using thousands of bags, up to 2000 volunteers and full trials of the check-in procedure for all the IT systems. According to the spokesman for Vanderlande Industries, in testing the baggage handling system, emulation models were utilized broadly to test the low-level controls software, while computer programs took the place of the baggage handling system, and which behave (almost) the same as the part they replace. The report also suggests that for the high-level controls software, the emulation model was broadened by connecting the loose individual models into a large integrated system in which the physical equipment was replaced by a number of interconnected emulation models. According to a number of the volunteers who tested the system prior to its opening commented that the demos were extremely impressive and felt the system was ready in advance of its opening. T5 System Simulation Prior to Opening According to the spokesman for Vanderlande Industries, low-level emulation models were utilized in place of the physical transport equipment in each of the conveyor lines. The low and high level models that were developed produced the same electrical outputs in response to the same electrical inputs as their corresponding physical equivalent (motors, photo-electric cells, barcode scanners, etc), which in the view of both the software developers and management of BA, proof of extensive system testing. System interaction was facilitated with the use of control panels, and with the right frequency, set of bags or multiple bags were generated. During the testing, the conveyor motors were stopped and started utilizing different scenarios in order to generate as much errors as possible with the hope of fixing them. The spokesman also stated that the transport time between two photocells in emulation was equal to the actual time using the real equipment. The same measurement also applied to the total transport time. In addition, during testing the T5 project, over 90 individual low-level emulation models were created as individual models were integrated into 5 different configurations. A separate team spent 4800 hours on building and testing these emulation models. Questions: Training Testing But the first set of questions now has to be asked: how adequate was the tests and training were carried out in relation to T5s baggage systems in advance of the opening? What were the results? What were the problems revealed? and what steps were taken to resolve the problems revealed? Were the tests re-run and, if so, what was the result? Was the right implementation strategy adopted? Or would it not have been better to open Terminal 5 on a phased basis, to make sure that all its systems were working before going fully operational? The second set of questions to be asked would be: knowing that extensive simulation testing was carried out on the baggage system successfully; doesnt that then suggest that carrying out simulated testing without the real customers is inadequate? With regards to the people issues, what sort of dry runs were carried out? If they were indeed adequate, why were the opening day hiccups not identified? Where there extra staff or volunteers in anticipation of potential glitches? If yes were these trained adequately? For every eventuality or possible scenario, what were the contingency plans? In spite of the extensive testing carried out on the baggage system and the confidence which this would have placed on top management, from the experience on the opening day, we can conclude that in reality, the prospects of operating an airport terminal of such magnitude and scale would require more than simulated testing as the operations are virtually impossible to fully replicate. This then suggests that the risk management utilized by the BA was not robust to take the people issues into account. Good risk management might have come to the conclusion, if there was the possibility of failure. Risk Management: Definitions In order to manage risks we have to understand what a risk is. Smith and Merrit (2002) said that three essential aspects of risk are uncertainty, loss and time, see Figure 1. Uncertainty: A project manager has to identify as many uncertainties as possible. A risk may or may not happen. This inherent uncertainty cannot be eliminated, but it can be made little clearer by clarifying the probability of occurrence of the risk, to get at better understanding of the consequences and alternatives if the risk occurs and determine the factors that influence the magnitude and likelihood of occurrence of the particular risk. This means that an uncertainty can never be completely eliminated, but it can be reduced to a level the project find tolerable. This means that even with the best plans there cannot be any guarantees that there will be no surprises [3]. Loss: A risk is always something that involves some kind of loss. If there is no loss possible, then the project is not concerned about the risk, because it cannot compromise the project [3]. Time: Associated with every risk there is a time where the risk no longer exists. Either the risk has occurred and the loss has been suffered or the potential problems that could cause the risk have been resolved and no longer pose a threat. It is important to know when this time has arrived so the risk can be removed from the agenda [3]. Among writers and in the literature there are differences in the meaning of risk management and risk analysis. Frosdick (1997) says that there are no clear views of the differences and what one writer defines as risk management another writer is calling it risk analysis. Frosdick‘s own view is that he separates them by saying that risk analysis is the sum of the processes of risk identification, estimation and evaluation and risk management is about planning, monitoring and controlling activities that are produced by the risk analysis activity. The Association for Project Management (Chapman, Simister 2004) definition of risk analysis is similar to Frosdick‘s, they have however divided the risk analysis into two stages. The first stage is called the Qualitative Analysis and it is where risks are identified and subjectively assessed. These identified risks are then analysed in terms of e.g. cost and time estimates and that is called the Quantitative Analysis. Just like for Frosdick it is then followed by the risk management process. In their definition it is the process of formulating responses, both proactive and reactive ones. Pennock Haimes (2001) said that risk management could be represented in six steps, three each for risk assessment/analysis and risk management, where each step is a question. Risk assessment/analysis What can go wrong? Identify as many risks as possible. The risks can be of any kind financial, time, resources etc. and no risk is too small to not be included [3]. What is the likelihood for the risk to occur? Try to measure how likely, or unlikely, it is for the risk to occur. Maybe some risks are dependent on each other [3]. What are the consequences? What will be the impact on the project if the risk occurs, is it a minor risk or maybe a stopping fault that endangers the whole project [3]. Risk management What can be done and what options are available? How to decrease the chance of a risk occurring, for example get more resources or have them readily available [2,3]. What are the tradeoffs in term of all costs, benefits and risks among the available options? For every risk there is somewhere a limit for how costly measures one can put in, where there is no economy in putting in more measures. Often the budget is not enough to eliminate all risks therefore one must choose which risks to put more emphasis on [2,3]. What are the impacts on current decisions on future options? [3] The official definition provided by Professor James Garven, University of Texas at Austin is from the American Risk and Insurance Association: Risk management is the systematic process of managing an organizations risk exposures to achieve its objectives in a manner consistent with public interest, human safety, environmental factors, and the law. It consists of the planning, organizing, leading, coordinating, and controlling activities undertaken with the intent of providing an efficient pre-loss plan that minimizes the adverse impact of risk on the organizations resources, earnings, and cash flows. Another definition given by Larry Krantz, Chief Executive of Euro Log Ltd in the UK, states that A risk is a combination of constraint and uncertainty. We all face constraints in our projects, and also uncertainty. So we can minimise the risk in the project either by eliminating constraints (a nice conceit) or by finding and reducing uncertainty []. The objectives of risk management/analysis The Association for Project Management (Chapman, Simister 2004) defines Risk Management/Analysis as a process designed to remove or reduce the risks that threaten the achievement of project objectives. Properly undertaken it will increase the likelihood of successful completion of a project in terms of cost, time and performance objectives. PMBOK (PMBOK Guide, 2004) describes it similarly where they say that the objectives of project management are to increase the probability and impact of positive effects and decrease the probability and impact of events adverse to project objectives. Kendrick (2003) list seven benefits on the use of risk management: Project Justification: Project risk management is undertaken primarily to improve the chances that a project will achieve its objectives. While there are never any guarantees, broader awareness of common failure modes and ideas that make projects more robust can significantly improve the odds of success. The primary goal of project risk management is either to develop a credible foundation for each project, showing that it is possible, or to demonstrate that the project is not feasible so that it can be avoided, aborted, or transformed [1]. Lower Costs and Less Chaos: Adequate risk analysis reduces both the overall cost and the frustration caused by avoidable problems [4]. The amount of rework and of unforeseen late project effort is minimised. Knowledge of the root causes of the potentially severe project problems enables project leaders and teams to work in ways that avoid these problems. Dealing with the causes of risk also minimises fire-fighting and chaos during projects, much of which is focused short-term and deals primarily with symptoms rather than the intrinsic sources of the problems [1]. Chadbourn (1999) describes it similarly when he likened the uncertainties to chaos, where a poorly designed project could be described as a room full of mousetraps, each with a ping pong ball [5]. Before you know it, someone not under your control tosses in the first ball, thus mayhem and chaos erupts [5]. In the ideal project the mousetraps are gone. In their place there is a network of dominos, where each action and reacti on could be foreseen [5]. It is within the role of organisations to try and identify these mousetraps and replace them with an orderly string of dominos [5]. Project Priority and Management Support: Support from managers and other project stakeholders and commitment from the project team are more easily won when projects are based on thorough, understandable information [11]. High-risk projects may begin with lower priority, but a thorough risk plan, displaying competence and good preparation for possible problems, can improve the project priority [11]. Whenever you are successful in raising the priority of your project, you significantly reduce project risk—by opening doors, reducing obstacles, making resources available, and shortening queues for services [11]. Project Portfolio Management: Achieving and maintaining an appropriate mix of ongoing projects for an organisation uses risk data as a key factor. The ideal project portfolio includes both lower- and higher-risk projects in proportions that are consistent with the business objectives [13]. Fine-Tuning Plans to Reduce Risk: Risk analysis uncovers weaknesses in a project plan and triggers changes, new activities, and resource shifts that improve the project. Risk analysis at the project level may also reveal needed shifts in overall project structure or basic assumptions [14]. Establishing Management Reserve: Risk analysis demonstrates the uncertainty of project outcomes and is useful in setting reserves for schedule and/or resources. Risky projects really require a window of time (or budget), instead of a single-point objective. While the project targets can be based on expectations (the most likely versions of the analysis), project commitments should be established with less aggressive goals, reflecting overall project risk. The target and committed objectives set a range for acceptable project results and provide visible recognition of project risk [18]. Project Communication and Control: Project communication is more effective when there is a solid, credible plan. Risk assessments also build awareness of project exposures for the project team, showing how painful the problems might be and when and where they might occur. This causes people to work in ways that avoid project difficulties. Risk data can also be very useful in negotiations with project sponsors. Using information about the likelihood and consequences of potential problems gives project teams more influence in defining objectives, determining budgets, obtaining staff, setting deadlines, and negotiating project changes [18]. Risk Assessment Risk Control There are two stages in the process of Project Risk Management, Risk Assessment and Risk Control. Risk Assessment can take place at any time during the project, though the sooner the better. However, Risk Control cannot be effective without a previous Risk Assessment. Similarly, most people tend to think that having performed a Risk Assessment, they have done all that is needed. Far too many projects spend a great deal of effort on Risk Assessment and then ignore Risk control completely [19]. Risk Assessment has three elements: Identify Uncertainties In this element, the entire project plans are explored, with special focus on areas of uncertainty [20]. Analyse Risks In this element, the requirement is to specify how the areas of uncertainty will have an impact on the performance of the project, either in duration, cost or meeting the users requirements [20]. Prioritise Risks At this stage the requirement is to establish which of the Risks identified should be eliminated completely [20]. This step is only is carried out due to the potential extreme impact, which should have regular management attention, and which are sufficiently minor to avoid detailed management attention [20]. In the same way, Risk Control has three elements, as follows: Mitigate Risks According to Mobey et al (2002), risk mitigation would include taking the necessary actions that are possible in advance to reduce the effect of Risk. It is better to spend money on mitigation than to include contingency in the plan [20]. Plan for Emergencies For all those Risks which are deemed to be significant, have an emergency plan in place before it happens [19]. Measure and Control This involves tracking the effects of the risks identified and managing them to a successful conclusion [19]. Different strategies There are different strategies and methods that have different approaches toward risk management. JISC (Joint Information Systems Management) says that the focus for risk management should be on risks related to the particular project, not project management in general (http://www.jisc.ac.uk/proj_manguide15.html). The overall goal according to Kendrick (2003) for risk management in a single project is to establish a credible plan consistent with business objectives and then to minimise the range of possible outcomes. That is why risk management in a project is about identifying potential risks, analyse the ones that have the greatest likelihood of occurring, grade their different levels of impact on the project and define a plan of how to avoid the risk and if it occurs how to reduce its impact (Heldman, 2005). Smith Merrit (2001) sees risk strategy as a five step process. Figure 3 shows the flow through the five-step process and lists deliverables from each step: Step 1: Identify risks that you could encounter across all facets of the project [28]. Step 2: Analyse these risks to determine what is driving them, how great their impact might be, and how likely they are [28]. Step 3: Prioritise and map the risks so that you can choose those most important to resolve [28]. Step 4: Plan how you will take action against the risks on this short list [28]. Step 5: On a regular basis, monitor progress on your action plans, terminate action plans for risks that have been adequately resolved, and look for new risks [28]. Frosdick (1997) also mentioned Strutt‘s, definition of the concept of risk analysis that is a seven stage process. Systematic assessment (item by item question every part of the system) [13]. Identification of risks [13]. Assessment of risks (frequencies and consequences) [13]. Establish acceptable/tolerable levels of risk [13]. Evaluate the risks. Are they acceptable? Can they be reduced and at what cost? Determine whether the risks are as low as reasonably practicable [13]. Determine risk reduction measures where appropriate [13]. Risk Assessment Evaluation There are many ways and different techniques to evaluate what the risks are, what the effect they have on the project and what measures can be put in if the risks should occur [19]. Risk assessment is by most people divided into two areas, Quantitative Risk Analysis and Qualitative Risk Analysis. Quantitative In its most basic form the formula for risk quantification is: à ¢Ã¢â€š ¬Ã¢â‚¬ ¢Rate of occurrenceà ¢Ã¢â€š ¬Ã¢â‚¬â€œ multiplied by the à ¢Ã¢â€š ¬Ã¢â‚¬ ¢impact of the eventà ¢Ã¢â€š ¬Ã¢â‚¬â€œ = risk. Methods based on this method are often called à ¢Ã¢â€š ¬Ã¢â‚¬ ¢expected value analysisà ¢Ã¢â€š ¬Ã¢â‚¬â€œ and include models like Annualized Loss Expectancy (ALM), the Courtney formula, the Livermore Risk Analysis Methodology (LRAM) and Stochastic Dominance (Snyder, Rainer Jr., Carr 1991). The advantages of Quantitative Risk Analysis methodologies are that they are good at identifying the most critical areas that, if something happens, will have the largest impact on the project. There are also disadvantages to Quantitative Risk Analysis. When one measures the probability of damage to the project the quantitative approach tends to average the events leading up to a problem (Snyder, Rainer Jr, Carr 1991). Qualitative Qualitative methods attempts to express risks in terms of descriptive variables rather than an economic impact. These approaches are based on the assumption that certain threat or loss of data cannot be appropriately expressed in terms of dollars or pounds and that precise information is impossible to obtain. These methodologies include Scenario Analysis/Planning, Fuzzy Metrics and questionnaires (Snyder, Rainer Jr., Carr 1991). The advantages of Qualitative Risk Analysis methodologies are that they save time, effort and expense over quantitative methods. This is because assets do not need exact values in dollars or pounds nor do threats need to have exact probabilities. It is also a valuable methodology in identifying significant weaknesses in a risk management portfolio. There are disadvantages with this method as well. Qualitative Risk Analysis is inexact, the variables used (e.g. low, medium and high) must be understood by all parties involved (Snyder, Rainer Jr., Carr 1991). Risks Reduction Once risks have been identified and evaluated they have to be responded to in some way. Wideman (1992) lists seven basic responses on identified risks: Recognised but no action taken (absorbed as a matter of policy) Avoided (by taking appropriate steps) Reduced (by an alternative approach) Shared (with others, e.g., by joint venture) Transferred (to others through contract or insurance) Retained and absorbed (by prudent allowances) Handled by a combination of the above Dorfman (1997) says that all techniques to manage the risk fall into one or more of these four major categories (remembered as the 4 Ts): Tolerate (aka Retention) Treat (aka Mitigation) Terminate (aka Elimination) Transfer (aka Buying Insurance) Bliss (2005) listed these five types of similar risk responses as Dorfman and Wideman. Risk avoidance: Also known as risk removal or risk prevention, risk avoidance involves altering the original plans for the project so that particularly risky elements are removed. It could include deciding not to perform an activity that carries a high risk. Adopting such avoidance techniques may seem an obvious way to deal with all risks. However, often the areas of the project that involve high risks are also the areas of the project that potentially contain the highest worth or the best value for money. Avoiding such risks may also result in removing potentially the best bits of a resource, and an alternative strategy that retains these risks may be more appropriate [13]. Risk reduction: Risk reduction or risk mitigation involves the employment of methods that reduce the probability of a risk occurring, or reducing the severity of the impact of a risk on the outcome of the project. The loss of highly skilled staff is a considerable risk in any project and not one that can be totally avoided. Suitable risk mitigation could involve the enforcement of a notice period, comprehensive documentation allowing for replacement staff to continue with the job at hand and adequate management oversight and the use of staff development programmes to encourage staff to stay [20]. Risk transfer: Risk transfer moves the ownership of the risk to a third party normally by contract. This also moves the impact of the risk away from the project itself to this third party [20]. Risk deferral: The impact a risk can have on a project is not constant throughout the life of a project. Risk deferral entails deferring aspects of the project to a date when a risk is less likely to happen. For example managing the expectations users have about the content and delivery of a resource can be time-consuming, one way to reduce this risk is by not making a web resource available until user testing is complete [20]. Risk retention: Whilst a certain number of the risks to the project originally identified can be removed by changing the project plan or dealt with by transferring the responsibility of the risk to third parties inevitably certain risks have to be accepted as a necessary part of the project. All risks that have not been avoided or transferred are retained or accepted risks by default [20]. Previous Successful Project: St Pancras International Rail Station According to XXXXXX, before St Pancras International rail station was opened; a number of days were devoted to testing all the systems and processes, using an army of thousands of volunteer passengers. These tests were carried out much before the opening day, thus providing enough time to resolve issues that might have occurred during testing [26]. By carrying out the testing in phases much long before the opening, members of staff were able to familiarize themselves with the systems and get actual hands-on experience before the station was opened to Eurostar traffic. Dry-runs were carried out as well with the vital lessons were learnt and adjustments made before exposing paying customers to the St Pancras experience. Inevitably the result was that on the opening day, everything went without glitches on the first day of international service [26]. Previous Failed Project: Denver International Airport The Denver International Airport was scheduled to open on October 31, 1993 with all three of its concourses fully running on the BAE automated baggage handling system that. On February 28, 1995, the new airport finally opened. Its opening came sixteen months late. The automated baggage system was supposed to improve baggage handling by using a computer tracking system to direct baggage contained in unmanned carts that run on a track. BAE systems presented the City of Denver with a proposal to develop â€Å"the most complex and automated [and integrated] baggage system ever built. Original target opening date for the airport was (delayed seven times over the next three months). City of Denver invited reporters to observe the first test of the baggage system without notifying BAE. This was a public disaster! Reporters saw piles of disgorged clothes and other personal items lying beneath the Telecars tracks. Lots of mechanical and software problems plagued the automated baggage handling system. When the system was tested, bags were misloaded, sent to different routes, and fell out of automated telecarts, thus causing the system to jam. The automated baggage system still continued to unload bags even though they were jammed on the conveyor belt, because the photo eye at this location could not detect the pile of bags on the belt and hence could not signal the system to stop. Main Lessons One of the lessons BA and BAA might have been learnt from the Denver project, was that BAE actually built a prototype of the automated baggage handling system in a 50,000 sq. ft. warehouse near its manufacturing plant in Texas. But as similar to the T5 project, there was no evidence of adequate training and the results from simulation testing has been proven to be different to a real world scenario with real customers. I addition, research also shows that BAE had given an initial estimate of at least a year to test the system and get the system up and running, but United airlines and the other stakeholders pressed for a much shorter timeframe. City of Denver got the same story from technical advisers to the Franz Joseph Strauss airport in Munich (that less complicated system had taken 2 years testing and was running 24 hours a day for 6 months before the airport opened. Risks recognised early in the Project Very large scale of the project. Enormous complexity. Newness of the technology. Large number of entities to be served by the system. The high degree of technical and project definition uncertainty. Risk Identification PMBOK (PMBOK Guide, 2004) lists five tools and techniques for risk identific Risk Management of Terminal Development at Airport Risk Management of Terminal Development at Airport Dissertation Objectives Investigate the problems at the terminal 5 opening, especially with the baggage handling system despite extensive simulated testing using thousands of bags and more than two thousand volunteers in the run up to the opening of T5 Identify the necessary risk strategies to be considered for such mega-projects, the benefits of such approaches, taking into account previous failed and successful projects, and any lessons to be learnt Discuss the implementation approach adopted by BAA and the risk associated with this approach Provide formative evaluation summarising key findings and conclusion based on evidence gathered from research T5 Synopsis The terminal 5 project in addition to being a statement of intent for the future of British aviation was built with the aim of improving customer experience and to exhibit Heathrow as a world class international airport. The baggage handling system at T5 was designed to be the largest baggage handling system in Europe for a single terminal. The system consists of a main baggage sorter and a fast track system. The system was designed by an integrated team from BAA, BA and Vanderlande Industries of the Netherlands, with the aim of handling both intra-terminal and inter-terminal luggage. Its processing capacity was intended to be 70,000 bags a day. Bags are meant to undergo several processes on the way through the system, these include; automatic identification, explosives screening, fast tracking for urgent bags, sorting and automatic sorting and passenger reconciliation. The scheduled completion and opening date was March 2008, and T5 was on time and on budget. This was a remarkable achievement especially in a sector where project delays and vast overspends are commonplace (the Millennium dome, Wembley stadium and the Scottish Parliament buildings were all opened late and cost a lot more than the original estimate). However, on its first day in operation, T5s bespoke baggage system was affected by technical software problems, which led to a number of issues, such as cancelled flights, lost baggage, and substantial delays, but more importantly, BAs challenge were its people issues and integrating teams of staff. Initial reports suggest that the day one issues were less to do with technology issues and more to do with inadequate staff training, and this was not just for one group of people but at all levels. Below is a summary of its problems on the opening day: Hundreds of staff found it difficult finding the staff car park entrance Check-in staff struggled with their systems, these problems ranged from very simple tasks such as logging into the baggage system to complex tasks Security personnel who were totally ignorant of their new roles and had to be taken through new procedures in the morning in front of passengers Ground staff and crews and ground staff getting lost in the huge building Baggage handlers struggled to get a hang of the new baggage system Baggage truck drivers got lost within the terminal and needed directions to the aircraft Baggage drivers and handlers could not get luggage from the conveyors to the gates On nine occasions, inspectors from the department of transport had managed to bypass security checks during trials of the terminals new systems and that the terminals alarm system was not working properly Going through these problems therefore suggest that the entire problem was down to lack of adequate training or simply inappropriate appraisal of risk involved. This is very surprising as this was a very high profile project and taking into account that this was a simple 3 team process get baggage, take baggage to aircraft and load baggage onto aircraft. Training System Testing Prior to Opening Based on initial interviews with BAs CIO, it would suggest that the human elements were given the importance it required. BAs CIO, Paul Coby told CIO UK [in March 2007] â€Å"the IT work to support such a large-scale, new-build project was also going well. â€Å"Devices are deployed, connections are being integrated and 2007 will be testing year. The airline is moving onto the T5 systems, so they run for a year ready to operate at the new terminal when it opens in 2008†. According to XXXXX, in the run up to the opening of T5 there were a series of overnight baggage-systems tests using thousands of bags, up to 2000 volunteers and full trials of the check-in procedure for all the IT systems. According to the spokesman for Vanderlande Industries, in testing the baggage handling system, emulation models were utilized broadly to test the low-level controls software, while computer programs took the place of the baggage handling system, and which behave (almost) the same as the part they replace. The report also suggests that for the high-level controls software, the emulation model was broadened by connecting the loose individual models into a large integrated system in which the physical equipment was replaced by a number of interconnected emulation models. According to a number of the volunteers who tested the system prior to its opening commented that the demos were extremely impressive and felt the system was ready in advance of its opening. T5 System Simulation Prior to Opening According to the spokesman for Vanderlande Industries, low-level emulation models were utilized in place of the physical transport equipment in each of the conveyor lines. The low and high level models that were developed produced the same electrical outputs in response to the same electrical inputs as their corresponding physical equivalent (motors, photo-electric cells, barcode scanners, etc), which in the view of both the software developers and management of BA, proof of extensive system testing. System interaction was facilitated with the use of control panels, and with the right frequency, set of bags or multiple bags were generated. During the testing, the conveyor motors were stopped and started utilizing different scenarios in order to generate as much errors as possible with the hope of fixing them. The spokesman also stated that the transport time between two photocells in emulation was equal to the actual time using the real equipment. The same measurement also applied to the total transport time. In addition, during testing the T5 project, over 90 individual low-level emulation models were created as individual models were integrated into 5 different configurations. A separate team spent 4800 hours on building and testing these emulation models. Questions: Training Testing But the first set of questions now has to be asked: how adequate was the tests and training were carried out in relation to T5s baggage systems in advance of the opening? What were the results? What were the problems revealed? and what steps were taken to resolve the problems revealed? Were the tests re-run and, if so, what was the result? Was the right implementation strategy adopted? Or would it not have been better to open Terminal 5 on a phased basis, to make sure that all its systems were working before going fully operational? The second set of questions to be asked would be: knowing that extensive simulation testing was carried out on the baggage system successfully; doesnt that then suggest that carrying out simulated testing without the real customers is inadequate? With regards to the people issues, what sort of dry runs were carried out? If they were indeed adequate, why were the opening day hiccups not identified? Where there extra staff or volunteers in anticipation of potential glitches? If yes were these trained adequately? For every eventuality or possible scenario, what were the contingency plans? In spite of the extensive testing carried out on the baggage system and the confidence which this would have placed on top management, from the experience on the opening day, we can conclude that in reality, the prospects of operating an airport terminal of such magnitude and scale would require more than simulated testing as the operations are virtually impossible to fully replicate. This then suggests that the risk management utilized by the BA was not robust to take the people issues into account. Good risk management might have come to the conclusion, if there was the possibility of failure. Risk Management: Definitions In order to manage risks we have to understand what a risk is. Smith and Merrit (2002) said that three essential aspects of risk are uncertainty, loss and time, see Figure 1. Uncertainty: A project manager has to identify as many uncertainties as possible. A risk may or may not happen. This inherent uncertainty cannot be eliminated, but it can be made little clearer by clarifying the probability of occurrence of the risk, to get at better understanding of the consequences and alternatives if the risk occurs and determine the factors that influence the magnitude and likelihood of occurrence of the particular risk. This means that an uncertainty can never be completely eliminated, but it can be reduced to a level the project find tolerable. This means that even with the best plans there cannot be any guarantees that there will be no surprises [3]. Loss: A risk is always something that involves some kind of loss. If there is no loss possible, then the project is not concerned about the risk, because it cannot compromise the project [3]. Time: Associated with every risk there is a time where the risk no longer exists. Either the risk has occurred and the loss has been suffered or the potential problems that could cause the risk have been resolved and no longer pose a threat. It is important to know when this time has arrived so the risk can be removed from the agenda [3]. Among writers and in the literature there are differences in the meaning of risk management and risk analysis. Frosdick (1997) says that there are no clear views of the differences and what one writer defines as risk management another writer is calling it risk analysis. Frosdick‘s own view is that he separates them by saying that risk analysis is the sum of the processes of risk identification, estimation and evaluation and risk management is about planning, monitoring and controlling activities that are produced by the risk analysis activity. The Association for Project Management (Chapman, Simister 2004) definition of risk analysis is similar to Frosdick‘s, they have however divided the risk analysis into two stages. The first stage is called the Qualitative Analysis and it is where risks are identified and subjectively assessed. These identified risks are then analysed in terms of e.g. cost and time estimates and that is called the Quantitative Analysis. Just like for Frosdick it is then followed by the risk management process. In their definition it is the process of formulating responses, both proactive and reactive ones. Pennock Haimes (2001) said that risk management could be represented in six steps, three each for risk assessment/analysis and risk management, where each step is a question. Risk assessment/analysis What can go wrong? Identify as many risks as possible. The risks can be of any kind financial, time, resources etc. and no risk is too small to not be included [3]. What is the likelihood for the risk to occur? Try to measure how likely, or unlikely, it is for the risk to occur. Maybe some risks are dependent on each other [3]. What are the consequences? What will be the impact on the project if the risk occurs, is it a minor risk or maybe a stopping fault that endangers the whole project [3]. Risk management What can be done and what options are available? How to decrease the chance of a risk occurring, for example get more resources or have them readily available [2,3]. What are the tradeoffs in term of all costs, benefits and risks among the available options? For every risk there is somewhere a limit for how costly measures one can put in, where there is no economy in putting in more measures. Often the budget is not enough to eliminate all risks therefore one must choose which risks to put more emphasis on [2,3]. What are the impacts on current decisions on future options? [3] The official definition provided by Professor James Garven, University of Texas at Austin is from the American Risk and Insurance Association: Risk management is the systematic process of managing an organizations risk exposures to achieve its objectives in a manner consistent with public interest, human safety, environmental factors, and the law. It consists of the planning, organizing, leading, coordinating, and controlling activities undertaken with the intent of providing an efficient pre-loss plan that minimizes the adverse impact of risk on the organizations resources, earnings, and cash flows. Another definition given by Larry Krantz, Chief Executive of Euro Log Ltd in the UK, states that A risk is a combination of constraint and uncertainty. We all face constraints in our projects, and also uncertainty. So we can minimise the risk in the project either by eliminating constraints (a nice conceit) or by finding and reducing uncertainty []. The objectives of risk management/analysis The Association for Project Management (Chapman, Simister 2004) defines Risk Management/Analysis as a process designed to remove or reduce the risks that threaten the achievement of project objectives. Properly undertaken it will increase the likelihood of successful completion of a project in terms of cost, time and performance objectives. PMBOK (PMBOK Guide, 2004) describes it similarly where they say that the objectives of project management are to increase the probability and impact of positive effects and decrease the probability and impact of events adverse to project objectives. Kendrick (2003) list seven benefits on the use of risk management: Project Justification: Project risk management is undertaken primarily to improve the chances that a project will achieve its objectives. While there are never any guarantees, broader awareness of common failure modes and ideas that make projects more robust can significantly improve the odds of success. The primary goal of project risk management is either to develop a credible foundation for each project, showing that it is possible, or to demonstrate that the project is not feasible so that it can be avoided, aborted, or transformed [1]. Lower Costs and Less Chaos: Adequate risk analysis reduces both the overall cost and the frustration caused by avoidable problems [4]. The amount of rework and of unforeseen late project effort is minimised. Knowledge of the root causes of the potentially severe project problems enables project leaders and teams to work in ways that avoid these problems. Dealing with the causes of risk also minimises fire-fighting and chaos during projects, much of which is focused short-term and deals primarily with symptoms rather than the intrinsic sources of the problems [1]. Chadbourn (1999) describes it similarly when he likened the uncertainties to chaos, where a poorly designed project could be described as a room full of mousetraps, each with a ping pong ball [5]. Before you know it, someone not under your control tosses in the first ball, thus mayhem and chaos erupts [5]. In the ideal project the mousetraps are gone. In their place there is a network of dominos, where each action and reacti on could be foreseen [5]. It is within the role of organisations to try and identify these mousetraps and replace them with an orderly string of dominos [5]. Project Priority and Management Support: Support from managers and other project stakeholders and commitment from the project team are more easily won when projects are based on thorough, understandable information [11]. High-risk projects may begin with lower priority, but a thorough risk plan, displaying competence and good preparation for possible problems, can improve the project priority [11]. Whenever you are successful in raising the priority of your project, you significantly reduce project risk—by opening doors, reducing obstacles, making resources available, and shortening queues for services [11]. Project Portfolio Management: Achieving and maintaining an appropriate mix of ongoing projects for an organisation uses risk data as a key factor. The ideal project portfolio includes both lower- and higher-risk projects in proportions that are consistent with the business objectives [13]. Fine-Tuning Plans to Reduce Risk: Risk analysis uncovers weaknesses in a project plan and triggers changes, new activities, and resource shifts that improve the project. Risk analysis at the project level may also reveal needed shifts in overall project structure or basic assumptions [14]. Establishing Management Reserve: Risk analysis demonstrates the uncertainty of project outcomes and is useful in setting reserves for schedule and/or resources. Risky projects really require a window of time (or budget), instead of a single-point objective. While the project targets can be based on expectations (the most likely versions of the analysis), project commitments should be established with less aggressive goals, reflecting overall project risk. The target and committed objectives set a range for acceptable project results and provide visible recognition of project risk [18]. Project Communication and Control: Project communication is more effective when there is a solid, credible plan. Risk assessments also build awareness of project exposures for the project team, showing how painful the problems might be and when and where they might occur. This causes people to work in ways that avoid project difficulties. Risk data can also be very useful in negotiations with project sponsors. Using information about the likelihood and consequences of potential problems gives project teams more influence in defining objectives, determining budgets, obtaining staff, setting deadlines, and negotiating project changes [18]. Risk Assessment Risk Control There are two stages in the process of Project Risk Management, Risk Assessment and Risk Control. Risk Assessment can take place at any time during the project, though the sooner the better. However, Risk Control cannot be effective without a previous Risk Assessment. Similarly, most people tend to think that having performed a Risk Assessment, they have done all that is needed. Far too many projects spend a great deal of effort on Risk Assessment and then ignore Risk control completely [19]. Risk Assessment has three elements: Identify Uncertainties In this element, the entire project plans are explored, with special focus on areas of uncertainty [20]. Analyse Risks In this element, the requirement is to specify how the areas of uncertainty will have an impact on the performance of the project, either in duration, cost or meeting the users requirements [20]. Prioritise Risks At this stage the requirement is to establish which of the Risks identified should be eliminated completely [20]. This step is only is carried out due to the potential extreme impact, which should have regular management attention, and which are sufficiently minor to avoid detailed management attention [20]. In the same way, Risk Control has three elements, as follows: Mitigate Risks According to Mobey et al (2002), risk mitigation would include taking the necessary actions that are possible in advance to reduce the effect of Risk. It is better to spend money on mitigation than to include contingency in the plan [20]. Plan for Emergencies For all those Risks which are deemed to be significant, have an emergency plan in place before it happens [19]. Measure and Control This involves tracking the effects of the risks identified and managing them to a successful conclusion [19]. Different strategies There are different strategies and methods that have different approaches toward risk management. JISC (Joint Information Systems Management) says that the focus for risk management should be on risks related to the particular project, not project management in general (http://www.jisc.ac.uk/proj_manguide15.html). The overall goal according to Kendrick (2003) for risk management in a single project is to establish a credible plan consistent with business objectives and then to minimise the range of possible outcomes. That is why risk management in a project is about identifying potential risks, analyse the ones that have the greatest likelihood of occurring, grade their different levels of impact on the project and define a plan of how to avoid the risk and if it occurs how to reduce its impact (Heldman, 2005). Smith Merrit (2001) sees risk strategy as a five step process. Figure 3 shows the flow through the five-step process and lists deliverables from each step: Step 1: Identify risks that you could encounter across all facets of the project [28]. Step 2: Analyse these risks to determine what is driving them, how great their impact might be, and how likely they are [28]. Step 3: Prioritise and map the risks so that you can choose those most important to resolve [28]. Step 4: Plan how you will take action against the risks on this short list [28]. Step 5: On a regular basis, monitor progress on your action plans, terminate action plans for risks that have been adequately resolved, and look for new risks [28]. Frosdick (1997) also mentioned Strutt‘s, definition of the concept of risk analysis that is a seven stage process. Systematic assessment (item by item question every part of the system) [13]. Identification of risks [13]. Assessment of risks (frequencies and consequences) [13]. Establish acceptable/tolerable levels of risk [13]. Evaluate the risks. Are they acceptable? Can they be reduced and at what cost? Determine whether the risks are as low as reasonably practicable [13]. Determine risk reduction measures where appropriate [13]. Risk Assessment Evaluation There are many ways and different techniques to evaluate what the risks are, what the effect they have on the project and what measures can be put in if the risks should occur [19]. Risk assessment is by most people divided into two areas, Quantitative Risk Analysis and Qualitative Risk Analysis. Quantitative In its most basic form the formula for risk quantification is: à ¢Ã¢â€š ¬Ã¢â‚¬ ¢Rate of occurrenceà ¢Ã¢â€š ¬Ã¢â‚¬â€œ multiplied by the à ¢Ã¢â€š ¬Ã¢â‚¬ ¢impact of the eventà ¢Ã¢â€š ¬Ã¢â‚¬â€œ = risk. Methods based on this method are often called à ¢Ã¢â€š ¬Ã¢â‚¬ ¢expected value analysisà ¢Ã¢â€š ¬Ã¢â‚¬â€œ and include models like Annualized Loss Expectancy (ALM), the Courtney formula, the Livermore Risk Analysis Methodology (LRAM) and Stochastic Dominance (Snyder, Rainer Jr., Carr 1991). The advantages of Quantitative Risk Analysis methodologies are that they are good at identifying the most critical areas that, if something happens, will have the largest impact on the project. There are also disadvantages to Quantitative Risk Analysis. When one measures the probability of damage to the project the quantitative approach tends to average the events leading up to a problem (Snyder, Rainer Jr, Carr 1991). Qualitative Qualitative methods attempts to express risks in terms of descriptive variables rather than an economic impact. These approaches are based on the assumption that certain threat or loss of data cannot be appropriately expressed in terms of dollars or pounds and that precise information is impossible to obtain. These methodologies include Scenario Analysis/Planning, Fuzzy Metrics and questionnaires (Snyder, Rainer Jr., Carr 1991). The advantages of Qualitative Risk Analysis methodologies are that they save time, effort and expense over quantitative methods. This is because assets do not need exact values in dollars or pounds nor do threats need to have exact probabilities. It is also a valuable methodology in identifying significant weaknesses in a risk management portfolio. There are disadvantages with this method as well. Qualitative Risk Analysis is inexact, the variables used (e.g. low, medium and high) must be understood by all parties involved (Snyder, Rainer Jr., Carr 1991). Risks Reduction Once risks have been identified and evaluated they have to be responded to in some way. Wideman (1992) lists seven basic responses on identified risks: Recognised but no action taken (absorbed as a matter of policy) Avoided (by taking appropriate steps) Reduced (by an alternative approach) Shared (with others, e.g., by joint venture) Transferred (to others through contract or insurance) Retained and absorbed (by prudent allowances) Handled by a combination of the above Dorfman (1997) says that all techniques to manage the risk fall into one or more of these four major categories (remembered as the 4 Ts): Tolerate (aka Retention) Treat (aka Mitigation) Terminate (aka Elimination) Transfer (aka Buying Insurance) Bliss (2005) listed these five types of similar risk responses as Dorfman and Wideman. Risk avoidance: Also known as risk removal or risk prevention, risk avoidance involves altering the original plans for the project so that particularly risky elements are removed. It could include deciding not to perform an activity that carries a high risk. Adopting such avoidance techniques may seem an obvious way to deal with all risks. However, often the areas of the project that involve high risks are also the areas of the project that potentially contain the highest worth or the best value for money. Avoiding such risks may also result in removing potentially the best bits of a resource, and an alternative strategy that retains these risks may be more appropriate [13]. Risk reduction: Risk reduction or risk mitigation involves the employment of methods that reduce the probability of a risk occurring, or reducing the severity of the impact of a risk on the outcome of the project. The loss of highly skilled staff is a considerable risk in any project and not one that can be totally avoided. Suitable risk mitigation could involve the enforcement of a notice period, comprehensive documentation allowing for replacement staff to continue with the job at hand and adequate management oversight and the use of staff development programmes to encourage staff to stay [20]. Risk transfer: Risk transfer moves the ownership of the risk to a third party normally by contract. This also moves the impact of the risk away from the project itself to this third party [20]. Risk deferral: The impact a risk can have on a project is not constant throughout the life of a project. Risk deferral entails deferring aspects of the project to a date when a risk is less likely to happen. For example managing the expectations users have about the content and delivery of a resource can be time-consuming, one way to reduce this risk is by not making a web resource available until user testing is complete [20]. Risk retention: Whilst a certain number of the risks to the project originally identified can be removed by changing the project plan or dealt with by transferring the responsibility of the risk to third parties inevitably certain risks have to be accepted as a necessary part of the project. All risks that have not been avoided or transferred are retained or accepted risks by default [20]. Previous Successful Project: St Pancras International Rail Station According to XXXXXX, before St Pancras International rail station was opened; a number of days were devoted to testing all the systems and processes, using an army of thousands of volunteer passengers. These tests were carried out much before the opening day, thus providing enough time to resolve issues that might have occurred during testing [26]. By carrying out the testing in phases much long before the opening, members of staff were able to familiarize themselves with the systems and get actual hands-on experience before the station was opened to Eurostar traffic. Dry-runs were carried out as well with the vital lessons were learnt and adjustments made before exposing paying customers to the St Pancras experience. Inevitably the result was that on the opening day, everything went without glitches on the first day of international service [26]. Previous Failed Project: Denver International Airport The Denver International Airport was scheduled to open on October 31, 1993 with all three of its concourses fully running on the BAE automated baggage handling system that. On February 28, 1995, the new airport finally opened. Its opening came sixteen months late. The automated baggage system was supposed to improve baggage handling by using a computer tracking system to direct baggage contained in unmanned carts that run on a track. BAE systems presented the City of Denver with a proposal to develop â€Å"the most complex and automated [and integrated] baggage system ever built. Original target opening date for the airport was (delayed seven times over the next three months). City of Denver invited reporters to observe the first test of the baggage system without notifying BAE. This was a public disaster! Reporters saw piles of disgorged clothes and other personal items lying beneath the Telecars tracks. Lots of mechanical and software problems plagued the automated baggage handling system. When the system was tested, bags were misloaded, sent to different routes, and fell out of automated telecarts, thus causing the system to jam. The automated baggage system still continued to unload bags even though they were jammed on the conveyor belt, because the photo eye at this location could not detect the pile of bags on the belt and hence could not signal the system to stop. Main Lessons One of the lessons BA and BAA might have been learnt from the Denver project, was that BAE actually built a prototype of the automated baggage handling system in a 50,000 sq. ft. warehouse near its manufacturing plant in Texas. But as similar to the T5 project, there was no evidence of adequate training and the results from simulation testing has been proven to be different to a real world scenario with real customers. I addition, research also shows that BAE had given an initial estimate of at least a year to test the system and get the system up and running, but United airlines and the other stakeholders pressed for a much shorter timeframe. City of Denver got the same story from technical advisers to the Franz Joseph Strauss airport in Munich (that less complicated system had taken 2 years testing and was running 24 hours a day for 6 months before the airport opened. Risks recognised early in the Project Very large scale of the project. Enormous complexity. Newness of the technology. Large number of entities to be served by the system. The high degree of technical and project definition uncertainty. Risk Identification PMBOK (PMBOK Guide, 2004) lists five tools and techniques for risk identific