Risk management is like the weather - everybody complains about it but nobody does anything about it. To a sceptical observer risk management seems to be flabby, intellectually impoverished and full of empty words.

Fortunately risk management in a contract is intellectually rigorous; and that is what this proposed tutorial will discuss. Using a typical public-private partnership contract for instance for a build-own-operate-transfer toll road, a number of risks will be identified, transferred to that party best able to manage it, and then managed. A number of questions need to be asked, and the answers point in the direction of a reasonable risk management solution. The relevant questions are:

• Who are the contracting parties? What is the nature of the contract?
• What precisely is this risk? What will happen to whom? When does the risk come into existence?
• How should this contractual risk be prevented or minimized?
• If the contract did not transfer the remaining risk, which one of the contracting parties would by default carry that risk? Note The default situation is a firm-fixed price contract.
• Which contracting party can control this risk and is thus best able to carry the risk?
• If these parties are not the same, how should the remaining risk be transferred to that party best able to carry it?
• How should that party manage this risk, and how should risk management be enforced?
• How should risk exposure be contractually rewarded?

The answers to these questions do not solve the question of how to handle the risk, but it illuminates the way towards the solution.

It is impossible to manage risk in general - only a precisely-specified risk can be managed. The more precise a risk has been specified, the more self-evident the best way of responding to it becomes, and the easier risk management turns out to be.

This approach is only valid for a procurement risk. Other risks, for instance the reputational risk of a company involved in a mining venture, will need to be handled differently.

Don;t start with the answer, for instance a penalty clause to enforce a delay risk. Start with the problem and with a clean sheet, and then think your way through it. If you start with the answer the questions won’t help, except cause further confusion. Don't mix various risks - isolate a single risk and develop a response to it, before starting with another risk. Don’t change the topic - stick to one particular risk until it has been completely resolved.

The cost risk is transferred by means of the type of contract, for instance a firm-fixed-price contract or a time-and-material contract. To transfer any other risk needs a particular clause in the contract, for instance an escalation clause for currency exchange risk, or a clause defining the contracted end date. Then define an enforcement approach.

Risk enforcement can be handled in terms of a set of three increasingly severe levels:

• Sue for breach of contract. This most basic approach suffers from lengthy delays, the high legal costs of litigation and the unpredictability of the outcome.
• Claim penalties for breach of contract in terms of the Conventional Penalties Act, Act 15 of 1962.
• Insist on a surety bond, also known as a performance bond or as a bank guarantee, similar to surety for individuals.

These mechanisms are risk enforcement instruments, not risk transfer instruments.

This tutorial material has been developed for one of the modules of a post-graduate course in project management at the Graduate School of Technology Management at the University of Pretoria. The material is also used for various courses on behalf of Continuing Education at the University of Pretoria. It has been presented about twenty times and has been systematically improved. In other words, this is not a to-be-developed tutorial but a going concern.

The issues to be addressed by this tutorial are of concern to most engineering managers: What are the risks in a given contract? How should those risks be minimized? Which party to the contract should carry those risks? How should the risk be transferred? How should it be enforced?