22 February 2023

Due diligence - shooting the risk before the risk shoots us!



Recent times have proven we cannot anticipate every risk - for example, COVID, supply disruptions, inflation. We know such events will repeat unexpectedly, without warning.  True, we cannot always successfully absorb or transfer the risk, but we can incorporate smarter strategies today.  Worldwide, we’re seeing a growing interest in establishing mutually agreed governance frameworks designed to widen our focus on detecting risks and taking actions.  Even though we cannot produce a totally risk-free ecosystem (i.e., well-trained communities), we are getting smarter about eliminating the risk before it takes us by surprise!

Due diligence approach – we can do this together!

Due diligence means performing precautionary risk assessments to protect our business goals.  It means raising awareness of potential risks at their earliest signs of appearance, then diligently training your project teams to eliminate risks before they adversely affect, or destroy, a project or an entire business. Before that can happen, due diligence practices must be strong, visible, and well understood in the workplace.

Mitigating the risk is responding to the risk before it has affected the project. Mitigation covers all actions the project team can take to overcome risks from the project environment.  To mitigate effectively, our organizations must provide sufficient resources for mitigation by creating an ecosystem for thorough prevention.  Managing risks in infrastructure projects determines the performance of the project.  A qualitative risk analysis may observe the following as possible risk potentials that should be scrutinized:

  • opposition to mitigation from social bodies, perhaps within social media;
  • changes in design that could involve or create hidden risk;
  • non-approval of deliverables;
  • suspension of work (i.e., layoffs), etc. 

Due-diligence solution – what does the contract say?

We use contract documents as tools to manage risk.  Within that, all clients, contractors, and investors need to figure out and establish risk management policies that respond to applicable contract clauses throughout the project life. Depending on the contract requirements and timeframes specified in the contract documents, clients, consultants, contractors, and government bodies must work cooperatively throughout all specified processes to respond to all potential risks.  This must be done on time, as specified in the contract or related documents, before it’s too late and unforeseen events arise.

Meeting stated deadlines on time is essential to prevent or control unwanted outcomes resulting from political, financial, social, or construction-related risks. But whatever the danger, the enterprise must know the potential effect any hazard could have on any project. So, whatever the time and cost involved, the executive plan must include the requirement for completing the task within the target date and timeline specified in the contract documents.

Cost overruns can be huge in a project involving a large amount of money. Loss of services during project overruns can be enormous. You must ensure that the various project management techniques are clearly understood, and you need to identify and manage all risks associated with the project at every stage.

The construction industry, perhaps more than most other industries, is known for being overwhelmed by risks. If these risks are not dealt with satisfactorily, you will likely experience cost overruns, time delays and low-quality workmanship resulting in client and public dissatisfaction. As with other developing countries, less importance is given to this aspect of project management.  And that is unfortunate!

It is therefore vital for any organization to ensure due diligence in responding to or issuing a request for proposal (RFP) or a request for quotation (RFQ).  Equally important is the client’s due diligence.  Decision-makers on both sides (buyer and seller) need to have a fair and just understanding of the project, the related contract terms, and all risks that the project could represent.

Determination of Risk

Two approaches determine risks in a project: the qualitative and the quantitative approach.

The quantitative approach relies on statistics to calculate the probability of occurrence and impact of a risk on the project. The most common way to use quantitative analysis is a decision tree [1].  This involves applying probabilities of two or more outcomes. Another method is the Monte Carlo simulation [2], which generates values from a probability distribution and other factors.

The qualitative approach relies on judgments and uses criteria to determine outcomes. An example is the precedence diagramming method [3], which uses ordinal numbers (numbers defining a position of something in a series like first, second, third) to determine priorities and outcomes. Another way of using this approach is to list the processes of a project in descending order, calculate the risks associated with each process, and list the controls that may exist for each risk.

Events that can spawn risks

  • Failing to process an RFP received from the contracts and legal teams and overlooking risks sighted within the RFP.
  • Failing to track a client’s past record of risks or reputation.
  • Underpricing the bid to beat the competition by overlooking the hidden costs that can arise during the project’s development.
  • Frequently changing the project leads.
  • Lacking management oversight by failing to make periodic site visits or conduct peer reviews and view risk registers to determine accurately the monthly status of the project.

Classic risk response strategies can be risky!

Accepting the risk implies understanding the risk, its consequences, and its probability of occurrence, but doing nothing about it. In such a case, the project team will react to the risk if it occurs. This strategy is commonly used when the probability of a problem occurring is minimal.

Risk quantification means avoiding a risk by not doing the part of the project which contains the risk. The project scope is changed, which might change the business case as well, because a scaled-down product could lead to less revenue or fewer cost-saving opportunities. More risk is involved with high return on an investment. Avoiding risks on projects can have the same effect on low risk and low return projects.

Monitor the risk and prepare contingency plans means using a predictive indicator to watch the project as it approaches a risky point. The risk strategy is to monitor the risk by being part of the test team.

Contingency plans are alternative ways to prepare before the risk event occurs. The most common contingency plan is setting aside extra money, such as a contingency fund, to withdraw if unforeseen cost overruns occur. Contingency plans can be viewed as a kind of insurance and, like insurance policies, they can be expensive.

Transfer the risk: Many large-scale projects purchase insurance for risks ranging from theft to fire. This means the risk is transferred to the insurance company, and if a disaster occurs, the insurance company would be liable to pay the costs associated with the disaster.

Insurance is the most direct method of transferring risk; however, there are other methods as well. For example, a fixed price contract with a contractor states that work will be done for a pre-specified amount. A fixed schedule can also be added to such a contract, but penalties are imposed in case of overruns. 

These measures transfer cost and schedule risks from the project to the subcontracting firm and any overruns will be the responsibility of the subcontractor. The only drawback is that the subcontractor knowingly makes a higher bid to make up for the risk assumed. Risk can also be transferred by hiring an expert. Transferring risk to another party has advantages but also introduces new risks.

In conclusion, although we lack any risk-free scenario, it is critical for any organization to create a risk-aware ecosystem which is proactive and has enough detection safeguards to sense and mitigate the risks from the start before they occur or become threats. Due diligence training is essential for making project teams aware of the risks and strategies for eliminating them.


  1. Asana article titled "What is Decision Tree Analysis – 5 steps to make better decisions", December 6, 2021.
  2. Investopedia article titled "Monte Carlo Simulation: History, How it Works, and 4 Key Steps", August 11, 2022.
  3. Wrike article titled "Precedence Diagramming Method (PDM) Explained", February 7, 2022.

The author is an Executive Director with Grant Thornton Bharat LLP. Mohit has more than two decades of rich experience in areas of risk management, dispute resolution, commercial management, growth and strategy. Grant Thornton is one of the leading management and development consultancy firms that is part of Grant Thornton International which operates in more than 140 countries involving more than 62,000 professionals.

Mohit Khullar