Purpose of this document Develop and document procedures and work instructions for Risk Management to cover the project Stages set out in the Project Process Map. The purpose of this procedure is to identify and manage risks as opportunities or threats to the project objectives. Risk management aims to maximise the results of positive events (opportunities) and minimise the consequences of adverse events (threats). Identification and management of risk is required to provide assurance to key stakeholders that the project will achieve its stated benefits to cost, time and quality. Certainty of outcome increases, through reduction in risk exposure, as the project progresses. Document History Revision History Revision date Author Summary of Changes New Version Ref: 08/09/09 John London Locked Form V1.1 Distribution History Name Title Date of Issue Version Contents i. Scope...2 ii. Process...2 1. Project Appraisal Stage...2 2. Project Proposals Stage...3 3. Project Design Stage...4 4. Production Information...5 5. Construction...5 Appendix A - Generic Risk Management Tasks...7 Appendix B - Project Risk Register Mandatory Requirements...13 Appendix C - Likelihood Scale...14 Appendix D - Threat Impact Scale...15 Appendix E - Opportunity Impact Scale...17 Appendix F Probability & Impact Diagram...19 Appendix G - Review and update risks...20 Project Services team Status: Final Page 1 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
i. Scope This procedure shall apply to all project risk management activities undertaken and documents generated during each Stage of the project development lifecycle. These procedures shall apply to all projects except for minor projects. ii. Process There are 3 main processes involved in this process that occur at varying stages throughout the project as shown on the Project Process Map: Develop Risk Log Update Project Risk Register Manage and Close Out Project Risks 1. Project Appraisal Stage Risk Log An initial assessment of project risk shall be undertaken for all projects (> 5k). This shall be used to evaluate whether the project is high or low risk and whether it should be treated as a minor or major works project. Responsibility: Project Services Manager Output: Record of Project categorisation (major or minor works project) Undertake Tasks A to D. Responsibility: Portfolio Manager supported by Risk Specialist Output: Generic Risk Register (minor works projects) A generic risk register shall be used as a basis for identifying and assessing risks to minor works projects (APPENDIX I). Output: Project Services team Status: Final Page 2 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
An initial risk workshop as per the agenda (APPENDIX J) with relevant stakeholders and the project team shall be undertaken for all major works projects (see below also). supported by Risk Specialist Output: Project Risk Register (major works projects) The risk workshop shall be used to identify additional/specific project risks (for major projects). Subsequently arrange meetings with project team members and key stakeholders to clarify and complete the output from the workshop. The Project Risk Register shall be established at this Stage and top 20 risks included in the Project Brief. supported by Risk Specialist Output: Risks included in Project Brief All red risks shall be noted on the IPP form. Output: IPP 2. Project Proposals Stage Establish Project Risk Register Undertake Task E., supported by Risk Specialist Output: Updated Risk Register All red risks shall be noted on the PM2 form. Output: PM2 Form A Quantitative Risk Assessment shall be undertaken (major works projects only) to support preparation of budget costs. supported by Risk Specialist Output: QRA cost report for inclusion in project estimate Project Services team Status: Final Page 3 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
3. Project Design Stage Update Project Risk Register (Design) Undertake Task E. The Project Manager shall review and update the Project Risk Register as part of monthly/stage reporting. The Project Manager shall prepare risk management reports to support review of risk status and treatment. Output: Updated Risk Register Quantitative risk assessment shall be undertaken (major works projects only) quarterly, to forecast out-turn costs. The Project Manager shall liaise with the Cost Manager in order to provide contingency costs for inclusion in elemental cost plan and whole life costing studies. Scheduled risk assessments shall be undertaken for time critical projects affecting occupancy for Council academic and research work. The analysis shall be undertaken by a risk specialist using critical path and probabilistic planning tools. supported by Risk Specialist Output: QRA cost report for the project The Project Manager shall liaise with the Procurement Manager to determine the most appropriate contract strategy and terms in view of the risks identified, their severity and treatment strategy. Output: Record of contract strategy on project/ procurement files All red risks shall be noted on the PM3 form (as appropriate). Output: PM3 Form Project Services team Status: Final Page 4 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
4. Production Information Update Project Risk Register (Production Information) Undertake Task E. The Project Manager shall review and update the Project Risk Register as part of the monthly/stage reporting. The Project Manager shall prepare risk management reports to support review of risk status and treatment. Output: Updated Risk Register Quantitative risk assessment shall be undertaken (major works projects only) quarterly, to forecast out-turn costs. The Project Manager shall liaise with the Cost Manager in order to provide contingency costs for inclusion in elemental cost plan (Project Design estimate) and updated whole life cost studies. supported by Risk Specialist Output: QRA cost report for inclusion in project estimate. All red risks shall be noted on the PM3 form (as appropriate). Output: PM3 Form 5. Construction Manage and Close Out Project Risks Undertake Task E. The Project Manager shall review and update the Project Risk Register as part of the monthly/ stage reporting. The Project Manager shall prepare risk management reports to support review of risk status and treatment. Project Services team Status: Final Page 5 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
Output: Updated Risk Register Quantitative risk assessment shall be undertaken (major works projects only) quarterly, to forecast out-turn costs. The Project Manager shall liaise with the Cost Manager in order to update contingency costs ( run down ) for project cost at completion forecasts. Schedule risk assessments shall be undertaken for time critical projects affecting occupancy for Council service delivery work. The analysis shall be undertaken by a risk specialist using critical path and probabilistic planning tools e.g. Primavera P3. supported by Risk Specialist Output: QRA cost report for inclusion in project estimate All red risks shall be noted in the monthly report papers (as appropriate). Output: Monthly risk report Post-Construction The Project Manager shall report as part of project closure on the key issues which impacted successful delivery of the project. The issues shall be reported to the project support team member responsible for updating the generic project risk register. Output: Project Closure Report and updated Generic Risk Register Project Services team Status: Final Page 6 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
Appendix A - Generic Risk Management Tasks The Project Manager shall undertake the following generic Tasks during each Stage of Project Development: A. Define the Project Context B. Identify Risks C. Assess risks (analysis and evaluation) D. Manage risks E. Review and update on a periodic basis An overview of the risk management tasks/activities are shown in APPENDIX A. The diagram shows that the risk management process (Tasks A to E) is cyclical. The iterative approach shall increase certainty of outcome through reduction in risk exposure as the project progresses. The objective and details (including responsibilities and outputs) for tasks A to E are described below. Task A: Define the Project Context The purpose of this task is to define the basic parameters within which risks must be identified and evaluated. It provides a sound basis for identifying risks. The key activities undertaken by the project manager and his team (a risk specialist may be appointed by the project manager to plan and facilitate a workshop and report the results) are: Determine the project scope per the Council Statement of Need/Strategic Brief Determine the project objectives (in view of Council Statement of Need/Strategic Brief) Determine key stakeholders and their requirements Determine statutory or regulatory requirements to be addressed Determine internal policies or regulations t o be followed Determine assumptions made in the preparation of the project scope, design or budget eg. Re source levels or equipment availability made when planning or estimating costs Determine constraints e.g. Site conditions, reporting or approvals cycles Determine the principal work activities (or work breakdown structure) Determine interfaces - both internal and external to the project and Council Confirm project sponsor and organisation - roles and responsibilities Confirm awareness of risk management processes and responsibilities across the project team. Deliverables: Schedule of project objectives and key success criteria Documented project scope and key Tasks Project Services team Status: Final Page 7 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
Schedule of stakeholders and requirements Schedule of constraints (including regulatory, policy requirements) affecting the project Schedule of assumptions made when preparing project estimates Schedule of Interfaces. Task B: Identify Risks The purpose of this task is to determine the source and cause of risk events and the impact on the project objectives. This task shall also be used to ide ntify opportunities. The key activities undertaken by the project manager and his team (a risk specialist may be appointed by the project manager to plan and facilitate a workshop and report the results) are: Identify the anticipated risks in view of the information determined during the earlier Task (defining the context) Group the risks according to the nature of their source, cause and impact Map the risks to the objectives and project activities to ensure relevance and completeness Determine dependency of risks on common causes Clarify risk descriptions and seek additional information as appropriate Use generic or checklists to ensure completeness. The Project Manager shall record risk details in a risk register/database. This shall be maintained up to date as per Task E. The risk register/database shall capture the information stated in APPENDIX B. It shall be capable of being used to report and monitor, on a periodic basis, risk: Status Trends Treatment and management performance. Deliverables: Record of each risk (including cause, event and consequences) Record of supporting details (including source of risk. Task C: Assess Risks This Task comprises the ANALYSIS and EVALUATION of risks. The purpose of risk ANALYSIS is to determine the potential impact to the project and Council objectives for all identified risks. The areas of risk include: Project Services team Status: Final Page 8 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
Cost Time Reputation or quality H&S/Environmental. The scales for analysing the likelihood and impact of individual risks (in terms of cost, time, reputational, H&S/environmental impact) are set out in APPENDIX C and APPENDIX D respectively. The scale for analysing potential risks as lost opportunities is set out in APPENDIX E. Qualitative analysis shall be undertaken by the Project Manager/Team (supported by a risk specialist as appropriate) to determine the relative importance of each risk. Quantitative analysis shall be undertaken subsequently to determine the level of project contingency or to determine the net cost/benefit when deciding management action to mitigate the risk. Quantitative risk analysis (QRA) shall be undertaken by a risk specialist using appropriate software tools eg @Risk. A probabilistic model of project costs and timescales shall be used to determine the variability of project cost and timescales. Models shall be developed using data obtained through project risk workshops, specialist input, previous project records (eg closure reports). The project manager and sponsor should assess the benefit of undertaking QRA, however, the level of benefit is likely to be less for small projects and unlikely to be worthwhile for minor works projects. Note: quantitative analysis shall only be undertaken when appropriate estimates of likelihood and consequence can be provided. The results of QRA shall be used to update project contingency costs and schedule (completion dates). Quantitative analysis shall be undertaken on a quarterly basis or as follows: Cost analysis: pre-design development pre-construction Schedule (completion date) analysis: pre-construction The purpose of risk EVALUATION is to determine which risks are highest priority and require further attention and those which require less attention. Project Services team Status: Final Page 9 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
Tolerance levels have been established at project team and Project Board levels. These are set out in the probability impact diagram in APPENDIX F. The key activities undertaken by the project manager and his team (a risk specialist may be appointed by the project manager to plan and facilitate a workshop and report the results) are: Compare the estimated value of the risk impact in view of the tolerance thresholds (severe risks shall be escalated to the Project Board level in order to provide visibility and appropriate resource/funding for treatment) Agree which threats shall be: o accepted (without further treatment) these insignificant risks shall be retained for monitoring in view of changes in severity during the project o acceptable if worthwhile i.e. can be controlled cost effectively o unacceptable in any circumstances o owned by contracted third parties. Agree which opportunities are: o Critical could significantly enhance savings or benefit the Council o Desirable facilitate achievement of project objectives (time or cost savings or quality enhancement) o Negligible return on investment is not adequate to justify action (retain for monitoring). Undertake further analysis and evaluation as appropriate Schedule risks and opportunities which require treatment plans to be prepared. Deliverables: Risk register including risk owners, ranking, severity details and treatment strategies in view of tolerance levels. Task D: Manage Risks The purpose of this task is t o reduce the severity of threats or facilitate the achievement of opportunities impacting the business. The RISK MANAGEMENT activities are shown in the flow chart in APPENDIX G. Different generic strategies shall be considered for managing risks (either as a threat or opportunity) as follows: Project Services team Status: Final Page 10 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
1. Eliminate or avoid by changing or abandoning objectives (threats) 2. Change approach in order to contribute to the achievement of the outcome (opportunities) 3. Share or transfer risks to contracted parties (threats) 4. Involve stakeholders who can help facilitate the ou t come (opportunities) 5. Reduce the likelihood of occurrence by addressing causes (threats) 6. Enhance the likelihood of occurrence by process improvements or control (opportunities) 7. Develop fall-back plans/provide contingency funds to respond to the threat if it occurs (threats) The key activities undertaken by the project manager and his team (a risk specialist may be appointed by the project manager to plan and facilitate a workshop and report the results) are: Identify Risk Owner Identify the manager with budgetary authority to allocate resource to treat a risk (if not the Risk Owner) Identify Actionees who are best able to contribute to the completion of the planned treatment Determine the actions and timescales to reduce/enhance likelihood of occurrence Identify residual risks (those which remain following treatment i.e. risks that the treatment does not work) Determine secondary risks arising from treatment plans Estimate treatment costs and net benefits of treatment Estimate level of contingency (cost of fall back plans) Obtain appropriate approval for expenditure Agreed mitigation plans shall be include d in project schedules/plans The effectiveness of the treatment plan shall be reviewed following implementation and consideration given to the consequences of secondary risks Deliverables: Risk register stating treatment plans including actions, responsibility, completion date, costs and fallback/contingency Task E: Review and Update Risk Tasks A to D above shall be undertaken on a periodic basis during the project. Typically this shall be monthly as part of project progress reporting and upon completion of project stages. The register of key Red risks shall be reported and included in project forms PM2 and 3. This is to ensure that: New risks relating to changes in the context are identified, recorded and managed Risks which are no longer relevant in view of the context are identified and recorded Changes to risk severity are identified and recorded Current status of treatment plans are monitored Changes to owners or actionees are identified and recorded. Project Services team Status: Final Page 11 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
A trend report can be produced showing the progress of risk management throughout the life of the project Where a quantitative risk analysis has been produced, this can be updated to determine the current risk contingency required. The flow chart in APPENDIX H sets out the process for reviewing and updating risks in view of changes to the project context since the last review. Risks shall be reviewed as per the procedure for Tasks A to D above. The risk register and related reports shall be used by the Project Manager to review risks with the project team and the Project Board ( red risks). All risks input, changed or deleted from the risk database/register shall be reviewed and approved by the Project Manager to ensure risk data is up to date, accurate and complete. Deliverables: Updated risk register stating current risks (including new risks) and status of risks and treatment plans Risk reports stating current risk details and ranking, trends and management performance. The completion of Tasks A to E, responsibilities and outputs during each of the project stages is set out above. Project Services team Status: Final Page 12 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
Appendix B - Project Risk Register Mandatory Requirements The project risk register shall contain the following risk details in order to prepare reports and monitor the status of risks and treatment during the course of the project. A_Source of the cause (this could be used to group risks i.e. risk category) B_Risk description covering: Description of cause (circumstances which are known to exist) Description of risk event (an event in the future which is uncertain i.e. may or may not occur) The consequence of the event to the project work and more importantly the project objectives C_Project area or activity impacted by risk (this could be used to group risks i.e. risk category) D_Risk owner E Risk analysis covering: Likelihood of occurring one or more times (% probability in project period) Impact on cost and time if the risk were to occur (most expected value except when undertaking QRA) Impact on reputation (using 5 point scale) Impact on health and safety / environment (using 5 point scale) Impact as a benefit (opportunities) as well as a cost (threats) Inherent (before improvement in control undertaken) and residual (after improvement in control) risk values Risk priority in view of inherent value. F_Risk treatment covering: Owner/authorising manager Actionees (staff involved in undertaking treatment plan) Treatment plan actions and completion dates Status of treatment plan and forecast completion (as appropriate) Review date Action plan cost Return on investment (opportunities) Further risk treatment plans in the event that residual risk is greater than zero. G_Any other information required to aid the full understanding of the risk Project Services team Status: Final Page 13 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
Appendix C - Probability Scale Scale Description Guidance 1_Almost certain A risk with probability >80% of occurring during the project period. 2_Likely A risk with probability of between 60% and 80% of occurring during the project period. 3_Possible A risk with probability of between 40% to 60% of occurring during the period of development or Construction 4_Unlikely A risk with probability of between 10% and 40% of occurring during the project period 5_Rare A risk which is <10% probability of occurring within the project period Project Services team Status: Final Page 14 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
Appendix D Severity Scale Scale Reputation / delivery of service Health & Safety / Environmental 5_Threat to Council Financial or Organisational reputation Association with high profile, sensitive issues which have a critical impact on Council interests and / or funding. Multiple fatality Major environmental incident involving threat to public health or safety Breach of statutory requirements resulting in criminal liability Cost impact or liquidated damages > 1m or >15% project budget Schedule delay of more than 6 months. 4_Threat to project business case/viability Council business interests will not be affected by a major failure of quality / fitness for purpose. Major incident causing substantial disruption to departmental function with major impact on goodwill stakeholder relationships in jeopardy. Fatality or multiple major injury - criminal liability resulting in prosecution. Major environmental incident resulting in pollution or damage to Council property - legal and compensation costs and adverse publicity. Cost impact or liquidated damages 500k-1m or 6-15% project budget Schedule delay of 3-5 months 3_Partial delivery of Council requirements Delay or partial delivery of Council requirements. Failure may result in media comment or client dissatisfaction and damaged stakeholder relationships. Serious injury Sensitive combination of operation and location likely to trigger complaint of nuisance and/or compensation. Cost impact or liquidated damages 100-500k or 3-5% project budget Project Services team Status: Final Page 15 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
Schedule delay of 1-3 months 2_Late or inconsistent delivery of Council requirements Minor delay or inconsistency in the delivery of project requirements. Failure may result in Council press coverage and loss of goodwill and confidence in Council to deliver. Minor injury Environmental impact requiring management response to recover damage caused. Cost impact or liquidated damages 10k-100k or up to 2% project budget Schedule delay of 2wks-1 month 1_Negligible impact Negligible impact Cost impact or liquidated damages < 1-10k or less <1% project budget Schedule delay<2wks Project Services team Status: Final Page 16 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
Appendix E - Opportunity Impact Scale Scale Reputation / delivery of 5_Opportunity to enhance Council reputation and make significant savings Major quality or service initiative to enhance Council reputation and stakeholder relationships. Systematic adoption of best practice Health & Safety and environmental regulatory compliance Savings in cost and/or improved delivery timescales > 500,000 4_Opportunity to enhance activities or make significant savings Significant improvements to the quality of service or financial savings. Enhanced client/stakeholder relationships. Health & Safety and environmental regulatory compliance Adoption of best practice and continuous improvement Savings in cost and/or improved delivery timescales. > 100,000 3_Opportunity to enhance delivery of requirements and make savings Improvements to quality or service delivery. Improved client/stakeholder relationships. Enhanced HSE arrangements Savings in cost and/or improved delivery timescales. > 10,000 2_Improved consistency in delivery of service or make savings Improved consistency in delivery of Council requirements. Enhanced HSE process arrangements to ensure statutory compliance and good neighbour relations Savings in cost and/or improved delivery timescales. > 1,000 1_Negligible benefit Negligible benefit Project Services team Status: Final Page 17 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
Savings in cost and/or improved delivery timescales. < 1,000 Project Services team Status: Final Page 18 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
Appendix F Probability & Impact Diagram The diagram below shows project risks plotted on against the probability and severity scales (highest impact value used). The Red risks are above the agreed threshold determined for management reporting purposes and shall be reported to the Project Board as part of periodic and Stage reporting. All Red risks shall be stated on the forms IPP, CPBC & CPAF as part of the Evaluation and Approval Procedure. 5 10 15 20 25 5 VH 4 8 12 16 20 4 H 3 6 9 12 15 3 M 2 4 6 8 10 2 L Severity 1 2 3 4 5 1 VL 1 2 3 4 5 R U P L AC Probability Project Services team Status: Final Page 19 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009
Appendix G - Review and update risks Review changes to project since last risk review Ensure project objectives and deliverables remain constant with Council requirements Review changes to project scope or assumptions Yes New risks identified No Assess risk incl. identify ownership and mitigation measures Review impact of changes Add risk to risk register Assess progress against previosly identified mitigation measures Update risk register Project Services team Status: Final Page 20 of 20 Filename: 1.12.2 and Author: John London Date of Issue: 27/10/2009