The Commonwealth of Virginia. P3 Risk Management Guidelines

Transcription

1 The Commonwealth of Virginia P3 Risk Management Guidelines March 2015

2 Document Version control Version Date Issued 1.0 September March 2015 R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 2

3 TABLE OF CONTENTS EXECUTIVE SUMMARY INTRODUCTION APPLICABILITY GUIDING PRINCIPLES ROLES AND RESPONSIBILITIES COMMUNICATE AND CONSULT STAKEHOLDERS CAPTURE AND FEEDBACK LESSONS LEARNED EXPECTED OUTCOMES BACKGROUND INFORMATION SCREENING PHASE HIGH-LEVEL SCREENING/POLICY REVIEW REPORT RISK MANAGEMENT DETAIL-LEVEL SCREENING REPORT RISK MANAGEMENT Risk Workshop and Discussions Risk Assessment Outputs DEVELOPMENT PHASE DEVELOPMENT PHASE RISK MANAGEMENT Risk Workshop(s) Risk Assessment Outputs PROCUREMENT PHASE PROCUREMENT PHASE RISK MANAGEMENT Risk Workshop(s) Procurement Risk Assessment Outputs Contract Finalization Risk Assessment Outputs HANDOFF FROM VAP3 TO THE AGENCY R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 3

4 5 IMPLEMENTATION AND OPERATIONS PHASES SUGGESTED AGENCY DETERMINED RISK MANAGEMENT PROCEDURES MONITOR AND REVIEW TRANSITION BACK TO THE AGENCY APPENDICES: TABLE OF CONTENTS APPENDIX A: DEFINITIONS APPENDIX B: REFERENCES APPENDIX C: RISK REGISTER GUIDE APPENDIX D: RISK REGISTER EXAMPLE APPENDIX E: RISK VALUE AND PROJECT CONTINGENCY APPENDIX F: MONTE CARLO ANALYSIS R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 4

5 E XECUTIVE S UMMARY These P3 Risk Management Guidelines (Guidelines), which were developed by the Virginia Office of Public-Private Partnerships (VAP3), describe a Risk Management Framework that should be utilized on Public-Private Partnership (P3) projects throughout their entire lifecycle from the initial screening to handback. These Guidelines are part of a suite of documents, including the PPTA Manual and Guidelines, which assist the VAP3 and Commonwealth Agencies with successful development and implementation of P3 projects. The purpose of the P3 Risk Management Guidelines is to achieve the following goals and objectives: provide practical guidance to the project team executing the Risk Management Framework during the whole project lifecycle of P3 projects; increase consistency and effectiveness of the Risk Management Framework by describing specific Risk Management activities throughout a P3 project s lifecycle; provide a consistent set of Risk Management terminology; promote effective communication and consultation regarding Risk Management with internal and external Stakeholders; establish a confident and rigorous basis for decision-making and planning in regard to risk; strengthen current Risk Management tools and techniques by incorporating national and international best practices; increase Risk Management accountability of the Agency undertaking a P3 project through the certification of certain risk documents; emphasize the performance goals, measures, review and modification process to ensure continuous improvement of the Risk Management Framework; and improve transparency by making risk information and reports available on the VAP3 website, project website and/or other appropriate means. The Guidelines contain an introduction followed by a description of the Risk Management activities in the five risk phases: (1) screening phase; (2) development phase; (3) procurement phase; (4) implementation phase; and (5) operations phase. R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 5

6 1 I NTRODUCTION In any project context, risk is an event which can, if it occurs, act as a threat and impact overall success of delivery. Public-Private Partnership (P3) projects are challenging due to the relative complexity of procuring a single contract for the delivery of multiple and relatively diverse services. This P3 Risk Management Guidelines introduces the Risk Management Framework (see Figure 1) for P3 projects and serves as an effective guide for managing risk throughout the whole P3 project lifecycle. Typical P3 Project Lifecycle Solicited Projects or Unsolicited Proposal High-Level Screening or Policy Review Screening Detail-Level Screening Risk Workshop and Discussions Risk Register Development Project Development Risk Workshop(s) Updated Risk Register Risk Management Plan Procurement Project Procurement Comprehensive Agreement Executed Project - Design and Construction Risk Workshop(s) Updated Risk Register Handoff from VAP3 to the Agency Risk Management Activities as Determined by the Agency Updated Risk Management Plan Communicate and Consult Stakeholders Capture and Feedback Lessons Learned Operations Project Operations and Maintenance Risk Management Activities as Determined by the Agency Project Handback Figure 1 Risk Management Framework R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 6

7 The purpose of the Risk Management Framework is to achieve the following goals and objectives: identify and understand the risks inherent to a project; establish project specific Risk Management goals, objectives and measures; foster early coordination and consultation with all Stakeholders regarding project risks, resulting in improved transparency and public confidence; achieve effective and consistent communication, consultation, monitoring, reporting and accountability regarding Risk Management for P3 projects across Agencies; identify risk specific strategies to mitigate the likelihood and impact of risk when and if it occurs; identify strategies to allocate risk to the parties best able to manage its impact; and consider levels of contingency that reflect the risk exposure. A Risk Register is essential to achieve the noted purpose of the Risk Management Framework and combines Risk Assessment, Risk Treatment and Risk Response into one comprehensive tool. A well-developed Risk Register is very important for the Agency to have prior to executing a Comprehensive Agreement (CA) to ensure proper Risk Allocation is achieved, which helps inform whether the project brings the Best Value. The Virginia Office of Public-Private Partnerships (VAP3) creates the initial Risk Register, which begins as a simple list of project specific risks categorized under subheadings. The Risk Register should be revisited as often as necessary in consultation with the project team and identified VAP3 project manager. The initial Risk Assessment is qualitative and subsequently updated with quantified values as more project data becomes available. The Risk Register is used to record these Risk Assessments. The Risk Register and Risk Assessment inform the Risk Management Plan, which is a detailed plan of action for the management of project risk. This plan should include the levels of contingency to maintain for a project in order to reflect its risk exposure. 1.1 APPLICABILITY These Guidelines have been specifically developed to apply to projects being considered for delivery as P3s. The examples used in these Guidelines draw from the VAP3 s past experience and thus tend to focus on transportation highway P3 projects. A typical Risk Management Framework is described in these Guidelines; however, in reality, the framework may differ depending on the specific P3 project and how it is developed. Thus, the VAP3 project manager has the flexibility to exercise discretion and use the tools and techniques that are most applicable and appropriate to successfully deliver the project. 1.2 GUIDING P RINCIPLES As shown in Figure 1, the scope of the Risk Management Framework starts in the screening phase and extends through the execution of the CA and handback of the P3 project. These Guidelines advocate early stage Risk Management activities starting in the screening phase, which provides a strong foundation. One of the key issues in undertaking Risk Management activities during the early development of a potential P3 project is to ensure the level of assessment reflects the level of available information. 1.3 ROLES AND R ESPONSIBILITIES Risk Management during the screening, development and procurement phases should be spearheaded by the designated project manager within the VAP3, who works in collaboration with the Agency s project team. The VAP3 project manager is responsible for initiating the Risk Management Framework, ensuring Risk Management activities are carried out in accordance with this guidance, and ensuring that risk responses are implemented. After commercial close, the R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 7

8 project is handed over to the Agency and the Agency should designate a project manager to be responsible for implementing the Agency endorsed Risk Management Plan, monitoring and reviewing risk, capturing feedback and lessons learned, and engaging key Stakeholders and the general public. 1.4 COMMUNICATE AND C ONSULT S TAKEHOLDERS Consultation with Stakeholders, internal and external of the Agency, forms a key part of the Risk Management Framework and is an important action within each of the five risk phases. This engagement strategy encourages a positive and proactive culture that supports the project s Risk Management goals and objectives. By engaging proactively with Stakeholders, either through consultations initiated by the VAP3 project manager or those organized by others, the project will be better positioned to respond to and mitigate risk. The VAP3 project manager's goal is to leverage Stakeholder relationships to better manage risk and build coalitions that foster project success. Effective Stakeholder engagement will not be a single conversation but, a series of consultative opportunities to create understanding about the risk profile of the project and to learn how these parties view the project s risks, impacts, and mitigation strategies. Listening to Stakeholder concerns and feedback can be a valuable source of information that can improve risk outcomes and help to identify and adopt response and treatments to control risk. A successful consultative approach should effectively and efficiently manage the risk information that all Stakeholders receive, their perceptions, and garner the feedback and interaction that is needed in order to be effective in managing risk throughout a project s whole lifecycle. Further, an effective Risk Management consultative and communications approach should identify each Stakeholder or Stakeholder group, the role they play in Risk Management and what should be communicated. There is no one right way of undertaking Risk Management consultation; however, the process will always be context-specific. This means that techniques, methods, approaches and timetables will need to be tailored for the local situation and the various types of Stakeholders being consulted. Ideally, a good consultation process will be: targeted at Stakeholders most likely to be affected by the risk; early enough to identify key risks and have an effect on the response strategy; effective because relevant information has been disseminated to Stakeholders in advance; meaningful because the content is presented in an understandable format; two-way so that both sides have the opportunity to exchange views and information; relevant for each Stakeholder; and proactive and transparent in communicating risk information. Documenting informal discussions and consultation activities and their outcomes is critical to effectively managing the Stakeholder engagement process. The documentation should capture: (1) when, where and the format of meetings; (2) meeting attendees; (3) meeting topics and themes; (4) meeting results and matters that may require action or follow-up; and (5) any commitments to Stakeholders that have been made. The benefits of keeping such a record of Stakeholder consultations are many. It is both good practice to follow up with Stakeholders that are consulted, to let them know what has happened and what the next steps in the process are. 1.5 CAPTURE AND F EEDBACK L ESSONS L EARNED A key aspect of Risk Management is based upon experience, especially the experience of dealing with risk on prior projects. Thus, the importance of documenting project information and experiences is critical. This documentation allows for capturing lessons learned and eventually feeding these lessons back into each of the five risk phases. Capturing and feeding back lessons R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 8

9 learned improves the Risk Management process and makes continuous improvement a precedent that will ultimately strengthen the Risk Management Framework. 1.6 EXPECTED O UTCOMES Screening, development and procurement phases: The purpose of undertaking a Risk Assessment during the screening, development and procurement phases is to systematically process data in order to: better understand project specific Risk Management goals, objectives and measures; support decision making on whether to invest in mitigation strategies; provide risk valuation data for the cost analysis; inform the development of commercial terms and technical requirements; support negotiations regarding Risk Allocation; supply Risk Management information for reporting within the Agency and for communicating with internal and external Stakeholders; and provide input on Risk Management during the implementation and operations phases. and operations phases: During the implementation and operations phases, the expected outcomes include: proactive mitigation and/or avoidance of claims by the concessionaire and/or its designbuild contractor (or maintenance contractor during the operations phase); identification of potential issues early and associated resolution as efficiently as possible; support to the Agency oversight team in understanding risk transfer; optimization of the amount of project contingency allocated to the project; proactive communication with external Stakeholders regarding Risk Management; and reporting Risk Management information to the Agency s key decision makers. 1.7 BACKGROUND I NFORMATION Appendix A contains a list of definitions for key terms used throughout this guidance. Several reference documents were reviewed in the preparation of this guidance to ensure the tools and techniques contained in this guidance are aligned with and satisfy the requirements of relevant federal organizations (for a complete list, refer to Appendix B). R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 9

10 C OMMONWEALTH OF V IRGINIA 2 SCREENING P HASE Screening Development Procurement Operations As a part of the typical P3 project lifecycle, the VAP3 completes two levels of project screening reports to assist in determining the suitability of P3 delivery. The first level is a High-Level Screening Report for Solicited Projects or a Policy Review Report for Unsolicited Proposals. The subsequent level for both Solicited Projects and Unsolicited Proposals is a Detail-Level Screening Report. Whether the project is solicited or unsolicited, the project information during the screening phase is likely to be very high-level at best. Therefore, undertaking any form of quantitative Risk Assessment during this phase is not practical because of the level of available information. The key advantage to carrying out a preliminary Risk Assessment during this phase is to bring together multiple Stakeholders to discuss the project s objectives, gain a broader understanding of its purpose and need, and consider the challenges likely to be encountered with a P3 delivery. The following is a guide to conducting Risk Assessment during the screening phase. 2.1 HIGH-LEVEL S CREENING/POLICY R EVIEW R EPORT R ISK M ANAGEMENT Risk Assessment at this point is not practical due to the lack of available information; however, identifying the critical risks could assist the VAP3 in responding to criteria regarding the ability to transfer risk in the High-Level Screening or Policy Review Report. Initial Risk Discussions Initial risk discussions may be convened by the VAP3 project manager to review the project from the perspective of risk. The need and organization for these discussions is at the discretion of the VAP3 project manager. If performed, these discussions may be valuable in seeking input from various experienced professionals and Stakeholders regarding the likely major risks for the project. Identify Critical Risks The potential output from this initial review is a list of critical risks for further consideration, which is used as input and recorded in the High-Level Screening or Policy Review Report. Having identified the critical risks and depending upon the available information, the VAP3 project manager may choose to undertake an initial review of potential Risk Allocation. To help organize this risk information, the project manager may find starting a Risk Register at this point beneficial; however, the Risk Register is not formally created until the next level of screening report. More details on creating the Risk Register can be found in the next section. 2.2 DETAIL-LEVEL S CREENING R EPORT R ISK M ANAGEMENT The purpose of Risk Assessment at this point is to assist the VAP3 project manager in responding to the Detail-Level Screening Report feasibility criteria under the heading Project Risks. This is one of several criteria and is defined in the screening report as: 1. Are there any particular risks unique to the project that could impair project viability? R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 10

11 2. Are there any project risks proposed to be transferred to the Agency that are likely to be unacceptable? Figure 2.1 below provides an overview of the Risk Management process during the screening phase. Figure 2.1: Screening Risk Management Risk Workshop and Discussions Risk Workshop and discussions are convened by the VAP3 project manager to review the project from the perspective of risk. These initial discussions may be valuable in seeking input from various experienced professionals and Stakeholders on the characteristics of the project to identify what are likely to be the major risks. These discussions are informal, organized based upon the VAP3 project manager s discretion, and may occur via telephone conference, video conferences or casual conversation Risk Assessment Step 1 Create Risk Register Using the High-Level Screening or Policy Review Report, project information, specific project context, previous similar projects, experienced judgment, Agency policy, VAP3 policy, market factors and the Risk Workshop and discussions as inputs, the VAP3 project manager creates a Risk Register. If a Risk Register was created for the High-Level Screening or Policy Review Report, then R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 11

12 the VAP3 project manager may use this as the basis for an updated register. If the Risk Register was not previously developed, then the VAP3 project manager can obtain a Risk Register template from the VAP3 website to use as a basis. The Risk Register template is comprised of a set of typical risks identified on previous P3 projects. These are provided as a guide to help expedite the risk identification process and should be deleted or added to reflect the specific goals and objectives of the project as closely as possible. The Risk Register is usually separated into two parts: 1. development and procurement risks, which occur prior to contract execution; and 2. implementation and operations risks, which occur after contract execution. Appendix C contains a guide to explain the contents of the Risk Register template and Appendix D serves as Risk Register example Enough information may not be available to complete the subsequent processes and perform Steps 2-4 at this point; therefore, complete these steps only when enough information exists. Step 2 Conduct Risk Analysis (only if enough information is available) Once all known risks have been identified, a qualitative Risk Analysis may be performed using professional judgment and experience. An issue in undertaking Risk Analysis during this phase is to ensure the level of assessment reflects the quality of available information. Thus, this guidance recommends a qualitative Risk Analysis if sufficient information is available to allow the evaluators to confidently value the project specific risks. The qualitative Risk Analysis discussed in this guidance is the Red-Amber-Green (RAG) analysis, which values risks by categorizing them based on their probability of occurring, cost and schedule impact. As the following valuations are made and recorded in the Risk Register, notes should be included to document data sources or use of experienced judgment. If available, historic data from similar previous projects, their Risk Registers and details of specific risk events can be used. The three components of the RAG analysis are: (1) probability range, (2) cost impact and (3) schedule impact. These components are defined below. Probability range is the probability any risk event will occur and have a negative impact on the project. As a general rule, any risk event that has a probability of 90% or above of occurring should be included in the cost estimate and identified but not tracked on the Risk Register. Also, any risk event that has a probability of 10% or less of occurring should be identified on the Risk Register but need not be tracked on the register unless circumstances change to increase the probability of occurrence or impact to the project. For this guidance, the probability ranges of a risk occurring are: Greater than 90%; 30% to 50%; 70% to 90%; 10% to 30%; and 50% to 70%; Less than 10%. Cost impact is the additional cost of labor, equipment, materials, financing and/or other costs that are incurred when the risk event manifests and additional work or funding is needed as a direct result. For example, if actual ground conditions differ from the design and the design requires additional foundations, then the cost impact is the cost of additional materials plus the additional labor and equipment needed to carry out the extra work. The value is a percentage of the baseline project estimate. For this guidance, the cost impacts are defined as: Greater than 25%; 10% to 1%; and R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 12

13 15% to 25%; Less than 1%. 10% to 15%; Schedule impact is the delay an event, if manifested, may cause to the baseline project schedule. In the same example, the foundation may take four instead of three weeks to build, so the schedule impact is one week. The value is the period of time the project would be delayed if a particular risk event were to occur. For this guidance, the schedule impacts are defined as: Greater than 12 months; 1 week to 1 month; and 6 to 12 months; Less than 1 week. 1 to 6 months; The purpose of probability and impact ranges is to establish the relative importance of each risk, not to calculate an exact risk value. Many risk events are likely to have an impact on both cost and schedule. The Risk Register allows a separate analysis of both of these factors; therefore, it is important not to double count the impact of the risk. When it comes to assigning the impact of risk a risk value in terms of cost, it is also important not to double count the risk value if it is already considered in the contingency. See Appendix E for more detail about risk value and contingency. Expected risk impact for cost and schedule are categorized based on Tables 2.1 and 2.2 below. At this point of analysis, the impact is classified as High, Medium or Low. Table 2.1: RAG Analysis of Cost Impact Scale Greater than 90% Cost Impact Greater than 15% to 10% to 1% to 25% 25% 15% 10% Less than 1% Include in cost estimate Probability 70% to 90% 5 High High High Medium Low 50% to 70% 4 High High Medium Medium Low 30% to 50% 3 High Medium Medium Low Low 10% to 30% 2 Medium Medium Low Low Low Less than 10% 1 Low Low Low Low Low Table 2.2: RAG Analysis of Schedule Impact Scale Greater than 90% 6 to 12 1 to 6 1 week to months months 1 month Greater than 12 months Schedule Impact Include in cost estimate Less than 1 w eek Probability 70% to 90% 5 High High High Medium Low 50% to 70% 4 High High Medium Medium Low 30% to 50% 3 High Medium Medium Low Low 10% to 30% 2 Medium Medium Low Low Low Less than 10% 1 Low Low Low Low Low Step 3 Identify Risk Response (only if enough information is available) R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 13

14 The Risk Response may be made based on several factors including previous project experience, VAP3 policy and the intended procurement strategy. At this point, sufficient information may not be available to perform this step. If sufficient information is available and this step is practical, then a standard set of response strategies to be assigned include: avoidance, meaning to alter the scope of the project in order to eliminate the risk; transference, meaning to transfer the risk to an entity under contract; acceptance, meaning to take ownership of the risk and address it as if it were to occur; mitigation, meaning to develop a strategy to reduce the impact of a particular risk; and sharing, meaning to share the impact of the risk with an entity under contract. Step 4 Identify Potential Risk Allocation (only if enough information is available) Project risks will ultimately be assigned to either the Agency or an entity under contract with the Agency depending on who would be best positioned to manage them. In some cases, risks will be shared between parties. At this point, it is typically too early to determine what the most cost effective allocation is likely to be. It may be valuable, however, for the project team to start thinking about this using typical Risk Allocations based on the current assumed method of delivery. This can be updated in later assessments. Table 2.3 below is an example of typical Risk Allocations based on best practice for a transportation highway project. Table 2.3: Typical Risk Allocations for a Highway Project Risk Design-Bid- Build Delivery Model Design-Build Design-Build-Finance- Operate- Maintain (P3) Change in Scope Public Public Public NEPA Approvals Public Public Public Permits Public Shared Private Right of Way Public Public Shared Utilities Public Shared Shared Design Public Private Private Ground Conditions Public Public Private Hazmat Public Shared Shared Construction Private Private Private QA / QC Public Shared Private Final Acceptance Public Private Private O&M Public Public Private Financing Public Public Private Force Majeure Public Shared Shared Outputs The primary output of the screening phase is the initial Risk Register that may be used in the overall analysis of the Detail-Level Screening Report. The Risk Register provides the VAP3 project manager with a baseline document for use in later stages of development and procurement. Furthermore, communication and consultation strategies are considered in order to optimize Stakeholder involvement throughout the next phases of the Risk Management Framework. R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 14

15 C OMMONWEALTH OF V IRGINIA 3 DEVELOPMENT P HASE Screening Development Procurement Operations Risk Assessment becomes a critical activity once a project has been approved and prioritized for development. During this phase, the project team should be preparing preliminary cost estimates for the project, as well as the necessary environmental documentation and various technical studies. Performance of Risk Management activities can be highly beneficial during this period as the Agency begins to incur significant project costs using its own resources. The identification of high risk areas can provide an efficient means of targeting the specific risks that are most likely to have an impact on the success of the project. Risk Assessment allows the VAP3 and Agency to carry out the cost analysis, including Initial Value for Money (VfM) Assessment, opportunity cost assessment and/or cost benefit analysis studies. To achieve the above, it is necessary to build upon the qualitative Risk Analysis from the screening phase. The actual level of project development may vary depending on the type of project and amount of available funding. The VAP3 project manager should decide which level of Risk Analysis is appropriate for the quality of project information available, amount of available funding and the current phase of the project. This guidance describes three levels of Risk Analysis: RAG analysis; expected value analysis; and Monte Carlo analysis. 3.1 DEVELOPMENT P HASE R ISK M ANAGEMENT Figure 3.1 on the following page provides an overview of the Risk Management during the development phase Risk Workshop(s) For all levels, a Risk Workshop can be an effective tool for gaining experienced knowledge as an input into the quantification of probability and potential impact. The Risk Workshop during the development phase is the first formal workshop in the Risk Management Framework. A formal workshop is purposefully planned, with a detailed agenda and specific purpose. Formal workshops may include brainstorming sessions with project team members and extended project team members, such as specialty groups, Stakeholders and regulatory agency representatives. Attendees may be the same group that attended any prior Risk Workshops and/or risk discussions (for consistency and explanation of what was done) and may also include additional experienced professionals. Experience has shown that workshops are more efficient when they are well facilitated, thoughtfully organized with an agenda, and prepare attendees for the discussion and work session. Depending on when the workshop is held relative to project development activities, more information may be available from the Agency and other Stakeholders on project goals, scope, cost, operational characteristics and physical constraints. Lead by the VAP3 project manager, this information is prepared by the project team and presented at the workshop to identify additional risks and to close any that are now thought to be irrelevant or have been mitigated. R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 15

16 Figure 3.1: Development Risk Management Risk Assessment Step 1 Conduct Risk Analysis Having identified any additional risks and completed their descriptions and impacts, the attendees of the Risk Workshop then undertake an initial quantification of risk probability and impact (both cost and schedule) on identified risks. Maintaining momentum is important at this point so that the rationale for individual risks is not forgotten. All follow up work should be completed within a few weeks of the workshop date. If it is not possible to assess all identified risks, the VAP3 project manager may identify priority areas on which the quantification should focus. Risks may also be assessed utilizing internal resources and consultant support. Quantification is based on professional judgment, previous experience on similar projects and market factors. Experienced professionals and members of the project team will first determine a percentage for the probability of the event occurring and then identify a range of cost and schedule impacts associated with the consequence of each risk. The three levels of Risk Analysis, one of which the VAP3 project manager should choose to perform during the development phase, are R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 16

17 presented in more detail below. Each approach requires a workshop to discuss and agree on the inputs. RAG Analysis The VAP3 project manager may decide to adopt the RAG analysis carried out during the screening phase if this analysis is considered sufficiently thorough and up-to-date. A workshop would only be required if the VAP3 project manager decides that a significant update is required or if a Risk Analysis was not performed during the screening phase. Risk Analysis is performed by applying the qualitative percentages for cost and schedule impact as a percentage of project cost or time delay to the project schedule. An alternative approach for calculating cost impact is to apply the risk percentages to the cost of the part of the project specifically affected by the risk. This is an approximate method of calculating risk A RAG analysis allows the Agency and VAP3 to sum up all the expected cost and schedule impacts to give a total value of project cost and schedule risk. Because of the approximate nature of this analysis, the overall result should be reviewed carefully impacts and is likely to require further analysis to ensure accuracy. A higher level of Risk Analysis is recommended if sufficient information is available. Expected Value Analysis The VAP3 project manager may decide to adopt an expected value analysis, which is based on the following formula: Risk Value = Probability x Risk Impact The expected value analysis should be used if the amount of project information is sufficient to allow the evaluators to confidently assign the following risk impact and probability values: probability: the probability of occurrence (between 10% and 90%); cost impact: a Minimum (Min), Maximum (Max) and Most Likely (ML) cost impact of the risk in terms of dollars; and schedule impact: a Min, Max and ML schedule impact of the risk in terms of months. To calculate the risk impact in the expected value formula, this guidance recommends the program evaluation and review technique (PERT) formula, which is a common statistical tool used in project management. PERT has been tailored to risk by substituting in the cost and schedule impact. The PERT formula is substituted for risk impact in the expected value formula to produce the following equation: Risk Value = Probability x (Min + Max + (4 x ML) ) / 6 This equation is embedded in the Risk Register template and can be used to assign a risk value to each risk identified in the register. The probability and cost or schedule impact ranges identified for the RAG analysis in Section can be used to determine a high, medium and low risk value. Monte Carlo Analysis The VAP3 project manager may decide to adopt a Monte Carlo analysis if the amount of project information is sufficient to allow the analysis to be run accurately and if the funding is available for this more costly analysis. Due to these reasons, a Monte Carlo analysis is less commonly used during the development phase. For this analysis, risks associated with a range of probabilities are quantified by developing a probabilistic model. The Monte Carlo simulation produces a deterministic sample set of likely project outcomes and the probabilities of their occurrence. The sample set can R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 17

18 then be used to develop distributions, ranges for cost and schedule impacts, and identification of high, medium and low risk values. Monte Carlo analysis is performed after the workshop once all the input values, assumption curves and allocations have been identified. Steps 2-4 below would be required before the simulation can be performed. Please see Appendix F for more detail regarding the Monte Carlo analysis and introduction of the curves commonly used for this type of simulation. Step 2 Refresh Risk Register The current Risk Register should be updated by the VAP3 project manger prior to distribution and posting on the project and/or VAP3 website. Updates may include closing out risks no longer relevant, adding new risk events and adding the results of the Risk Analysis. Each risk that has been identified in the register should be assigned a Risk Owner. Risk Owners should be assigned based on their areas of expertise and ability to manage the risk. They are also responsible for reviewing progress against the Risk Response in the Risk Register. Risk Owners should have open access to the Risk Register so that they can suggest and make adjustments in coordination with the VAP3 project manager. Step 3 Identify Risk Response During the development phase, Risk Assessment includes a more detailed determination of mitigation strategies and potential costs of mitigation. Any of the initial Risk Response inputs are reviewed and either retained or updated and any missing Risk Responses are added. Professional judgment, lessons learned and feedback as well as experience from previous projects should be used to assist in the determination of planned mitigation strategies. If the cost of mitigating a particular risk is comparable to the potential cost of its impact, then it is worth revisiting the Risk Response strategy or developing alternative mitigation options. Additionally, a description may be added for more detail. It is particularly important to provide detail about Agency mitigations as these strategies can be estimated and compared to the calculated risk impact. Note: Future mitigation activities should not be taken into account when determining risk probability and impact values. The Risk Assessment should reflect the level of information known by the Agency at that time. Risk probability and impact values should be re-evaluated once mitigations have been completed. Step 4 Identify Potential Risk Allocation A core principle of Risk Management is that some parties are better able to manage risks than others. This may be for a number of reasons, such as a party s level of expertise, access to information and resources. Therefore, risks should be assigned to either the Agency, an entity under contract with the Agency or shared, depending who is best able to manage a particular risk. At this point, the VAP3 project manager should lead the effort to determine what the most cost effective allocation is likely to be. If Risk Allocation was completed in the screening phase, then this initial allocation should be used as a basis. Moreover, any new risks added should be assigned a potential Risk Allocation. Once the Risk Allocation has been created or updated, the Risk Assessment findings should be revisited to ensure that the values are accurately reflective of the intended Risk Allocation. Historic data from past projects may be helpful in assessing the value of transferred risks. If the development of a CA has already begun, it may be possible to use this version of the CA as the basis for determining the allocation of risk. R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 18

19 3.1.3 Outputs Project development represents the first attempt at quantifying project cost and schedule impacts. Input information may vary in quantity and quality and this should be reflected in the selection of a Risk Analysis level. The output and details of the Risk Analysis, along with the other Risk Assessment information, should be captured by the VAP3 project manager in the Risk Register. Using this Risk Assessment information and Risk Register, the VAP3 project manager leads the Risk Management Plan development in collaboration with as many members of the project team as needed. It should be consulted and revised throughout the development and procurement phases and endorsed by the Agency Administrator before handoff of VAP3 to the Agency. After endorsement, the plan guides the project team through implementation, operations and handback, as applicable. The Risk Management Plan is a detailed plan of action for the management of project risk. The plan incorporates the thoughtful and collaborative development, implementation, and monitoring of appropriate Risk Response and Risk Treatment strategies. It is the process to: (1) develop and document an organized, comprehensive, and interactive Risk Management strategy; (2) determine the methods to be used to execute a Risk Management strategy; and (3) plan for adequate resources. It explains how a project manager and project team manages risk for their project. It provides guidance and requirements, and serves as a communication tool for those who wish to be informed of a project s Risk Management approach. The Risk Management Plan may be specific in some areas and general in others. Every project should have a formal plan, but the level of detail varies with the project complexity. Most Risk Management Plans should include an outline similar to the following: Introduction Summary Definitions Organization and roles Risk management strategy/approach Risk identification Risk assessment and analysis Risk response actions/allocation Risk monitoring and control Capture lessons learned and feedback The outputs of the process described above will be useful for several parts of the project development process: for calculation of risk adjusted cost, revenue and schedule as part of the cost analysis; for calculation (or update) of capital and operations and maintenance contingencies; to provide a quantifiable basis for deciding whether to carry out costly mitigations, such as additional site survey; and to help to inform the early development of procurement documentation. All of the above will help the Agency and VAP3, along with other critical assessment documents not risk related, to make a recommendation whether to move into procurement. R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 19

20 C OMMONWEALTH OF V IRGINIA 4 PROCUREMENT P HASE Screening Development Procurement Operations Once projects are approved to go to procurement, the Agency initiates the procurement process starting with the issuance of Request for Qualifications (RFQ) documents and followed with the issuance of Request for Proposals (RFP). An increased level of project definition at this point provides an opportunity for the Agency to reassess project risks. Some new risks may be added and some may be closed out. As the CA is developed, it is important the Risk Allocations in the Risk Register are updated by the VAP3 project manager. Risk Analysis has a number of benefits throughout the procurement process: enables updating project cost, revenue and schedule risk adjustments; provides input into the cost analysis; helps identify, develop and optimize commercial Risk Allocation in the CA; and increases overall confidence in appropriate allocation of commercial project risks. 4.1 PROCUREMENT P HASE R ISK M ANAGEMENT Figure 4.1 on the following page provides an overview of the Risk Management process during the procurement phase Risk Workshop(s) The VAP3 project manager should first review the Risk Management activities and analyses that have been previously conducted. For instance, an expected value or Monte Carlo analysis should have been conducted for every P3 project regardless of size and complexity. If either of these analyses was performed prior to procurement, then the VAP3 project manager may decide to update the Risk Analysis via targeted meetings with experts and other Stakeholders rather than in a formal Risk Workshop. If the Risk Analysis was a RAG analysis, then the VAP3 should conduct a Risk Workshop to quantify risk event probability as well as cost and schedule impacts Procurement Risk Assessment Step 1 Update Risk Identification and Quantitative Risk Analysis The VAP3 project manager should first review new information that might have become available as a result of further design studies and input from the Risk Workshop, if conducted. This new information is likely to require a review of the identification and quantification of the previously identified risks. If additional risks are identified, they must be added to the Risk Register by filling in the risk category, risk topic, impact phase and risk description columns. Changes in the base cost estimate or the schedule may alter the percentage cost risk impact or number of months delay respectively. It is the responsibility of the VAP3 project manager to make these changes to the Risk Register through discussion with the Risk Owners and members of the project team. Figure 4.1: Procurement Risk Management R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 20

21 Step 2 Update Risk Response After updating the information in Step 1, the VAP3 project manager, in coordination with the Risk Owners, should update the Risk Register to reflect mitigations carried out and new mitigation strategies. Other forms of response may also be deployed and recorded in the Risk Register. At this R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 21

22 point, the focus should be on risks that have been previously identified as having a high risk value (combination of probability and impact). Step 3 Update Potential Risk Allocation The undertaking of Risk Allocation becomes more significant during procurement as risk transfer has to be fully defined in the CA. The allocations listed in the Risk Register must align with the CA and technical requirements. It may be helpful to record, in the Risk Register notes column, the section reference of the CA that relates to the assignment of a particular risk event. Informed Risk Allocation is often a direct result of industry briefings and formal discussions (i.e., proprietary meetings) between the VAP3, the Agency and short-listed Proposers, as well as input from public commentary (i.e., public hearings and citizens information meetings) and Stakeholder consultation. If a Monte Carlo analysis is performed, then any change in Risk Allocation at this point must be adjusted in the Risk Analysis and will yield different results. A change in allocation may not change the impact value of risk, but it will change each party s risk exposure. For example, changing an allocation of risk from transferred to retained by Agency will increase the Agency s total risk exposure and thus should increase its contingency Outputs The procurement phase represents an opportunity to update the quantification of risks. Input information should be well developed by this stage and be appropriate for an expected value or Monte Carlo analysis. The output and details of the Risk Analysis, along with the other Risk Assessment information, should be captured by the VAP3 project manager in the Risk Register. Using this Risk Assessment information and Risk Register, the VAP3 project manager leads the update to the Risk Management Plan. The outputs of the Risk Management Framework are useful for several parts of the procurement process and should help the Agency to decide whether or not to proceed with the procurement and select a preferred Proposer. More specifically the outputs can be used for: an update to estimated project costs; calculation of risk adjusted costs and scheduling of project milestones; revision of the Agency s contingency amount; and consideration of risks and potential allocations as input for forums and meetings Contract Finalization Risk Assessment From a Risk Management perspective, this Risk Assessment involves an update and record of risks in the Risk Register so that an up-to-date register can be reviewed and certified by the VAP3 Director for transmittal to the Agency for review and endorsement.. New inputs may arise from the selection of the preferred Proposer and finalization of the contract so these risks should be identified and analyzed, but quantification may not be necessary. Most of the development phase risks should be closed out during this assessment. Step 1 Confirm Identification and Quantitative Risk Analysis The VAP3 project manager reviews the most recent Risk Register and updates it by adding any new risks that may have arisen and closing out any risk that no longer apply. New risks may arise as a result of internal audits, Stakeholder consultation, public comment and contract finalization. At this point some of the typical planning and approval risks retained by the Agency may be closed (e.g., NEPA approvals, funding availability, etc.). R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 22

23 The VAP3 project manager, assisted by the Risk Owners, may review the current estimates of probability and cost/schedule impacts, especially if some mitigation activities were recently undertaken that reduced uncertainty. If a Monte Carlo analysis was undertaken, then this analysis may be re-run to see what the impact these changes have on the project contingency recommendations. Step 2 Confirm Risk Response Each risk event is likely to have a fixed Risk Response strategy at this stage of the process. Transferrable Risks and Shared Risks should be identified and clearly dealt with in the CA and technical requirements. Retained Risks should have a detailed mitigation strategy described within the Risk Register and the Risk Management Plan. Step 3 Confirm Risk Allocation The Risk Register allows the VAP3 project manager to add notes regarding Risk Allocations and mitigations. If the risk is to be transferred or shared, or is identified as an extraordinary risk whether transferred or shared this column should contain a reference to the relevant section of the CA describing the contractual mechanism. If the risk has been avoided, accepted or mitigated, notes should be entered. It is important to keep track of any changes in Risk Allocation that arise during contract finalization. If the Risk Register is up to date and quantified it may also provide the team with a useful tool to review the impact of negotiated terms Outputs The main output from the contract finalization Risk Analysis is the updated Risk Register and Risk Management Plan. These documents should highlight any extraordinary risks that depart from traditional Agency implementation practices. The VAP3 Director should certify the Risk Management Plan and Agency Administer should endorse it before commercial close in order to timely transmit it to the implementation phase team. The Agency designated project manager, as lead of the implementation phase team, should be well engaged during the procurement phase to facilitate transition. There may be qualitative risks that help inform the appropriate oversight board and the Agency s decision to execute the contract. A top ten summary of retained risks will be particularly useful for handover from VAP3 to the Agency for implementation. 4.2 HANDOFF FROM VAP3 TO T HE A GENCY The VAP3 project manager is responsible for ensuring that the Risk Register is up to date and is suitable for use by the implementation team. It is recommended that the implementation team appoint a risk manager before commercial close in order to provide this person with an opportunity to work with the procurement team on the handover of the Risk Register and Risk Management Plan. This will provide an opportunity for smooth transition and transfer of salient and critical risk related project information as the Agency prepares for the implementation and operations phases. At commercial close, many procurement and commercial risks may be closed out. The final Risk Register will contain implementation and operations risks owned by the Agency, owned by the concessionaire and shared by the Agency and concessionaire. This information is: (1) critical for the Agency s implementation team; (2) certified by the VAP3 Director; and (3) transmitted to the Agency Administrator for review, endorsement and implementation as certified. There may be a delay between a P3 project s commercial and financial closings. This is common for P3 projects where private sources of financing are involved, but the time period can vary considerably. If financial close is delayed by more than four months, then the VAP3 project manager should, consider if refreshing the Risk Register following steps 1-3 above is necessary. This update could be imperative if there are date specific financial Risk Allocations in the CA. R ISK M ANAGEMENT G UIDELINES MARCH 2015 PAGE 23