Shawmut prequalifies subcontractors and uses subcontractor default insurance, he said; however, administratively, prequalification is a lot of work, "and it still won't cover some root causes and something unforeseeable" that leads to a default.

Balfour Beatty's Littleton said his company manages subcontractor default risk through prequalification, too, and by establishing a single and aggregate limit risk for the sub. "If someone has bandwidth for $70 million, we don't want them doing $60 million with us," he said.

Not Just Compliance

Littleton opened the summit with a nimble tour of how he evaluates owner credit and the risks posed by integrated project delivery, off-site manufacturing, P3s and the evolution of organizations due to mergers or generational changes.

Enterprise risk management—"I don't even known what that means," said Littleton—has been replaced by corporate-level risk assessment. And the job of the risk team isn't just to warn about what can go wrong on the deep downside of any project but, rather, on the opportunities.

"We are not compliance anymore," said Littleton—meaning, compliance is important, but it doesn't drive his view of risk management.

Instead, Littleton said, his job involves creating best-practice programs, developing captive insurance capabilities and providing project-level support with "all the complexities."

At the same time, Littleton said, he spends time working with a colleague looking for opportunity.

"Our internal motto is, 'Get to a hard yes instead of an easy no.' That's something new in risk, but something we need to embrace. Evaluate risk [in a way] that isn't just reporting but helps us go forward."