Metrolinx Electrification Project

Metrolinx Electrification Project Metrolinx Contract No. RQQ-2011-PP-032 Metrolinx Project No. 109503 RISK MANAGEMENT PLAN Version 04 Document Reference No. PB 738 March 7, 2014 Submitted to Submitted by

APPROVALS Role Name Signature Date Author Sasha Pejcic March 7, 2014 Reviewer Joe O Carroll March 7, 2014 Reviewer Neil Mullen March 7, 2014 Approver Zvonko Trajkovic March 7, 2014 QA/QC Ian Connerty March 7, 2014 This submission was completed & reviewed in accordance with Parsons Brinckerhoff s Quality Assurance Program for this project. REVISION HISTORY Date Version Purpose November 2, 2012 00 First Issue for Conceptual Design March 25, 2013 01 Updated to reflect Metrolinx comments and the modified risk register. August 9, 2013 02 Updated to reflect Metrolinx SR comments. December 13, 2013 03 Updated to reflect Metrolinx SR comments and to be used for Conceptual Design Closeout March 7, 2014 04 Updated to reflect Metrolinx comments. Parsons Brinckerhoff Halsall Inc. 2300 Yonge Street, 20 th Floor Toronto ON M4P 1E4 Canada Ph 416-487-5256 www.pbworld.com RQQ-2011-PP-032 Project No.109503 i A p p r o v a ls & R e v is i o n H i s t o r y

TABLE OF CONTENTS 1.0 Introduction... 1-1 1.1 Purpose... 1-1 1.2 Scope... 1-2 1.3 Definitions... 1-2 1.4 Roles & Responsibilities... 1-3 2.0 Procedure... 2-1 2.1 General... 2-1 2.2 Risk Management Process... 2-1 2.3 Risk Identification List... 2-3 2.4 Major Sources of Project Risks... 2-4 2.5 Categorizing Risks by Timeframe... 2-7 2.6 Qualitative Risk Assessment & Quantitative Likelihood Ranking... 2-7 2.7 Risk Analysis Quantitative... 2-9 2.8 Risk Management... 2-10 2.9 Risk Monitoring & Review... 2-12 2.10 Risk Documentation & Reporting... 2-13 2.11 Risk Management Plan Update... 2-15 TABLES Table 2-1 Risk Severity Summary Table... 2-9 FIGURES Figure 1-1 Risk Management Roles Flowchart... 1-3 Figure 2-1 Risk Management Process... 2-2 Figure 2-2 Risk Impact Matrix... 2-8 APPENDICES Appendix A Sample Risk Register for Conceptual Design Appendix B Definitions Appendix C Risk Register V02 RQQ-2011-PP-032 Project No.109503 i T a b l e o f C o n t e n t s

1.0 Introduction This risk management plan was developed for the Metrolinx electrification project that includes both conceptual and preliminary design as well as an environmental assessment and is an element of the project s overarching work plan. A conceptual design risk register was developed for the following corridors Kitchener, Lakeshore West, Lakeshore East and the Union Station Rail Corridor (USRC). That risk register for these corridors forms part of the conceptual design report (CDR). As this project is now in the early preliminary design phase, there are two risk registers, one each for the two corridors currently at preliminary design UP Express and USRC. While this risk management plan may mention certain items for inclusiveness (eg: constructability, financing, funding, quantitative risk analysis), these items are outside the project scope. Effective management of project risks is necessary to increase the chances of delivering a successful project. This risk management plan will support Parsons Brinckerhoff in delivering a successful project within the assigned budget and agreed time frames. It provides Parsons Brinckerhoff and Metrolinx with a systematic process to identify, assess, evaluate, manage and document risks that could jeopardize the success of the project. The primary objectives of the risk management plan are to Reduce, transfer, avoid, eliminate or manage risks that jeopardize the project success through proactive risk mitigation Provide a means to achieve an acceptable level of project cost estimate and schedule certainty Provide the means to manage project cost estimates, contingency and schedule float Interact and coordinate with other entities in areas that may impact Metrolinx s responsibilities, and evaluate and recommend alternative risk control and risk financing mechanisms that best limit Metrolinx s exposure Provide the basis for an insurance review that will lead to an effective and affordable insurance program. This will be accomplished by demonstrating the value of the risk management program to insurance underwriters. 1.1 Purpose The purpose of this risk management plan is to provide Parsons Brinckerhoff with a systematic process to identify, document, assess, evaluate, mitigate and manage risks that could jeopardize the success of the project. It is a living document, being adjusted as the project unfolds. RQQ-2011-PP-032 Project No.109503 1-1 In t r o d u c t ion

1.2 Scope This risk management plan applies only to the risk management for the traction electrification project and entails identifying project risks that relate solely to capital costs or project schedules with appropriate mitigation, allocation of responsibility, and measurement of mitigation effectiveness to adjust risk mitigation measures as appropriate. The risk management plan documents the roles and responsibilities of key individuals with regard to management of risk, the approach to identifying risks, assigning the likelihood of occurrence of each risk, and quantifying the associated potential impact on project delivery objectives. It also describes the process of risk identification, assessment and analysis to evaluate and quantify risk and uncertainty with respect to project schedule and budget. The results of the risk analysis are used to support the decision-making process of the schedule and cost contingency required at any given time given the available options to mitigate risk. Further, the risk management plan describes the procedures to be used to record and report on risks raised by the project team through the two risk registers, which are the repositories used to manage identified project risks. Although this risk management plan does not specifically deal with health and safety issues (hazard analysis) and the tracking and/or management and mitigation of rail operations and/or health and safety risks, these risks can be added to the proposed risk analysis and management system scope, if required. Changes are inevitable and may impact the risk management plan and the assigned mitigation measures. We will be implementing a tracking system for the risk management plan so that its effectiveness can be judged and its lessons-learned documented. 1.3 Definitions Definitions for the various terms used herein are provided in Appendix B. RQQ-2011-PP-032 Project No.109503 1-2 In t r o d u c t ion

1.4 Roles & Responsibilities Individual responsibilities for implementing this risk management plan are shown in Figure 1-1, and described in the sections following. Figure 1-1 Risk Management Roles Flowchart 1.4.1 Project Manager Ensures an appropriate process of risk management and that internal control is embedded in future contractual commitments Provides assurance on management of risks to Metrolinx Accountable for all risks facing the project objectives and decision-making regarding the overall risks. Provides relevant information on risk and controls to Metrolinx. 1.4.2 Deputy Project Manager Undertakes periodic top-level reviews to ensure that all significant project execution critical risks have been identified and are being managed Provides relevant information on risk and controls when requested Discusses and agrees to risks requiring escalation to the project manager and Metrolinx Challenges information received from project controls and engineering departments with respect to risk Determines financial and schedule impact for risks to be reported Ensures that the risk management process is fully embedded with the responsibility to identify, RQQ-2011-PP-032 Project No.109503 1-3 In t r o d u c t ion

classify, quantify and mitigate, as well as response planning of all risks with clearly delegated accountability Identifies those risks that require escalating and reporting and provides the required information on such risks to the project manager. The deputy project manager reports to the project manager. 1.4.3 Risk Manager Ensures that the risk management plan is in place and understood by all Parsons Brinckerhoff and Metrolinx staff Identifies and implements best practices Promotes standards and expectations in management, reporting and monitoring of risks Gathers the latest information, checking and validating risk status and produces a monthly risk report for the monthly project management report Analyzes risk data issues and critical interdependencies between packages and recommends appropriate action Reports on significant risks to the project team as they arise Benchmarks with appropriate organizations Closes out risks that no longer have a residual risk to the project. The risk manager reports to the deputy project manager. 1.4.4 Risk Owner Designated by specific discipline (signalling, SCADA and communications, traction power system, OCS, EMI/EMC, and grounding and bonding) Supports the risk manager in managing risks during the project Communicates changes in risk status to the risk manager and assists in developing residual risk scores during the project s lifecycle and suggests when risks should be closed out Proactively identifies opportunities to minimize the impact of risks Brings new risks to the risk manager s attention. RQQ-2011-PP-032 Project No.109503 1-4 In t r o d u c t ion

2.0 Procedure 2.1 General The purpose of this procedure is to define the risk management policy and processes that will be used for establishing and effectively executing the risk management plan for the project. In addition, this procedure will provide Metrolinx with the means to monitor progress against risk management during the project s lifecycle. Therefore, it is vital that the broader team composed of Metrolinx project management and technical specialists, Parsons Brinckerhoff resources and Morrison Hershfield resources work collaboratively to develop agreement on the universal execution of the risk management plan. 2.2 Risk Management Process The risk review process is guided by the steps shown in Figure 2-1, which are described in the sections following. RQQ-2011-PP-032 Project No.109503 2-1 P r o c e d u r e

Figure 2-1 Risk Management Process RQQ-2011-PP-032 Project No.109503 2-2 P r o c e d u r e

2.2.1 Risk Identification Identify specific risks and, through mitigation of risks, opportunities Outline root causes and effects associated with each risk Appropriately categorize risks Determine which assumption, if any, is applicable to the risk Associate risks with specific cost category or schedule work breakdown structure. 2.2.2 Risk Assessment Assess potential cost or schedule impacts for each risk Assess probability for each risk Specify any sources or assumptions underlying the assessment. 2.2.3 Risk Analysis Perform qualitative analysis Contrast and compare risks Rank in order of risk severity Establish project cost contingencies at 10 th, 50 th and 90 th percentiles. 2.2.4 Risk Management Prioritize risks Identify parties responsible for managing each risk Decide management strategies for each risk (avoid, transfer, accept, reduce) Develop risk mitigation plans and recommend specific actions and deliverables to implement the risk mitigation plan for, at a minimum, those risks rated high Assign personnel to implement the risk mitigation plans and establish due dates for all mitigating actions identified. 2.2.5 Risk Monitoring, Review & Reporting Enact mitigation measures Monitor progress of the mitigation measures Review effectiveness of the mitigation measures Re-evaluate the risks and repeat the above steps as necessary. 2.3 Risk Identification List Risk identification will take place regularly throughout the project lifecycle. At each of the milestones in the project delivery, risk identification and assessment workshops will be held to revisit the changing project definition and current project conditions for additional risks. Risks will be formally documented on the two risk registers. Previously identified risks that have been either fully mitigated, passed their impact or are no longer considered a threat to the project will be recorded in the risk closed column. The output of the risk identification stage includes a description of the project risks or opportunities and their cause/effect relationship. Any underlying assumptions will be identified in sufficient detail to inform the assessment and management stage. This substantive information will be a communication tool and will facilitate the implementation of an action plan. Given the reliance of risk register development process on the expertise and judgement of the RQQ-2011-PP-032 Project No.109503 2-3 P r o c e d u r e

contributors, individuals with the following areas of expertise will be involved with risk identification, assessment and the management workshops at various stages, as required for follow-on risk management efforts Implementation planning Environmental planning Funding/approvals Project management Geotechnical, civil, structural, mechanical, electrical and engineering design Core systems engineering design and vehicles Architectural design Cost estimating Planning and scheduling Budgeting/controls Right of way/real estate Consents and planning approvals Constructability/contractor Rail operations, including rail maintenance Contracts and procurement Other technical (eg: legal, permitting, procurement) Fire life safety, and health and safety. The particulars of a specific risk evaluation may not require all areas indicated or may require other, additional areas of expertise. The designated risk manager will provide a record of personnel along with their area of expertise indicating that appropriate personnel with requisite experience were involved in risk identification, assessment and primary mitigation development activities. 2.4 Major Sources of Project Risks Although certain risks have impacts that are less severe than others, all risks must be considered to reduce cost overruns and schedule delays. The risk registers will capture the following major risks, which are detailed in the sections below Strategic risks Technical risks Financial and economic risks External political and social risks Schedule and resource risks Legal/compliance risks Project management risks Operational risks (outside scope of this project). 2.4.1 Strategic Risks Strategic risks are associated with the means to perform the work required by the project and consist of the following Organization Effective project organization is essential to delivering a successful project. Organizational risks include items such as interfacing with respective project organizations, lines of authority, lines of communication, and provision for integration of disciplines. Viability It is essential to sustain the project s viability. All necessary third party support for the project needs to be developed and maintained. This includes support from elected officials, affected communities, and the numerous stakeholders. The risks associated with the viability of the project also include cost and schedule items (eg: project approach, funding and financing, public outreach, industry outreach, various public hearings), and the procurement process. RQQ-2011-PP-032 Project No.109503 2-4 P r o c e d u r e

Precondition Items Numerous items must be available in time to support the project schedule. Risks associated with obtaining permits, right of way agreements, agency approvals, funding, etc. will be identified. 2.4.2 Technical Risks Technical risks are associated with design, construction and related work performance. Design Conceptual design, preliminary design and environmental assessment include the possibility of design errors, inadequate or erroneous data, and coming to incorrect conclusions. All design activities will be examined for possible risks to the project. In addition, the allocation of risk intended by Metrolinx and reflected in the procurement documents must be properly addressed in the design documents. Risks during conceptual and preliminary conceptual design for the Metrolinx electrification project may include Scope of work Materials supplies and deliveries Constructability Safety program Schedule Quality and performance Design criteria Real estate acquisitions Design standards Regulatory requirements Data reliability External relations Design complexity Access for site investigations Design completeness Planning and consents Accountability for design Engineering competence Construction plans Cost estimating Site conditions Environmental mitigation Accuracy of data from third parties, such as utility companies Policy direction Environmental Insurance Memoranda of understanding with the Province, provincial agencies, federal regulators, private utility and land owners. Many of these potential design risks can be avoided or reduced through effective planning and attention to detail during the design process. Metrolinx will ensure a level of qualification and experience in its design team that is appropriate to the level of work being undertaken. Construction Potential risks related to construction may include Faulty workmanship Utility-related delays Weather, floods and fires Lack of materials or equipment Contractor competence Design errors or omissions Permitting delays Archaeological delays Unforeseen site conditions Subcontract problems Contract disputes Third-party litigation Accidents Interferences Hazardous materials on site Design or scope changes Endangered species on site Unidentified utilities Delays related to real estate or right of way acquisition. Many of these potential construction risks can be avoided or reduced through effective planning and RQQ-2011-PP-032 Project No.109503 2-5 P r o c e d u r e

pre-construction measures. Of particular concern are tasks and activities on the project s critical path, which can delay the entire project if not addressed. It is important for the project team to take welldetermined steps to share or transfer construction risks with appropriate contract terms or insurance policies. 2.4.3 Financial/Economic Risks Financing risks are associated with potential shortfalls in funding. A potential risk associated with financing may occur if additional funds are needed to cover economic factors including cost growth, additional scope, problems or delays encountered during construction and/or unforeseen conditions. The following financial/economic factors are potential risks Contractor bankruptcies Material availability Local labour costs and availability Equipment costs and availability Productivity changes Inflation Number of bidders on contracts Workload of local contractors Lack of competition Pricing by contractors Higher costs of materials Project schedule delays. 2.4.4 External Political & Social Risks External political and social risks affecting the project during design and construction may include Changing political leadership and priorities at various levels of government Relations with local municipalities Relations with public and private utilities Community relations in neighbourhoods near the project Public concern/queries due to construction activities Master agreements with utilities Public response to accidents or incidents during construction Relations with governing board members Relations with federal government, City of Toronto and other provincial agencies Changing environmental regulation Changes in laws affecting the construction or the transit industries. 2.4.5 Schedule & Resource Risks Schedule risks arising during the design and construction phases are generally due to the scope of work being underestimated, or unrealistic assumptions for construction duration or inadequate resources. In addition, projects must be sufficiently resourced in order to perform adequately. Risks associated with the project s resource pool include items such as staffing levels, personnel experience levels, engineering and administrative tools, and work facilities. These and other similar considerations can have a significant impact on cost, schedule and operations. 2.4.6 Legal/Compliance Risks Legal risks include contract management, patents management/legal property, policies, privacy, and procurement risks. Compliance risks include risks that pertain to the organization not being in compliance with laws and regulations. RQQ-2011-PP-032 Project No.109503 2-6 P r o c e d u r e

2.4.7 Project Management Risks Project management risks include those that deal with scope, procurement and scheduling. 2.4.8 Operational Risks Operational risks are outside the scope of this project unless the risk can potentially affect the preliminary design stage. These include uncertainties related to passenger/staff/public safety, operational processes, human resources, business continuity management, crime, the environment, communication, security, and technology. 2.5 Categorizing Risks by Timeframe Risk identification includes categorizing risks with respect project phase. These categorizations will inform the management stage by providing time limits to execute mitigations and suggesting the most appropriate personnel to manage the risk. If the risk manager finds it difficult to reach a consensus on the appropriate categorization, the description and cause and effect relationship will be reviewed with the team. These categories are Requirements Risk is associated with all project development activities from earliest concept through alternatives analysis and preliminary design. Design Risk is associated with all design-related activities occurring after preliminary engineering. Market Risk is related to procurement of construction services, materials and equipment. Construction Risk is associated with all construction related activities and is further subdivided into the following categories Early construction risk is composed of geotechnical/utility activities and is usually associated with 20% completion. Mid-range construction risk is associated with coordination of contractors. Commissioning is included under construction. Start-up and substantial completion risk is associated with 90% completion. The risk manager will plan, validate and approve the risk identification timeframe with input from the technical team and collaboration with Metrolinx. 2.6 Qualitative Risk Assessment & Quantitative Likelihood Ranking During conceptual and preliminary design, a qualitative risk assessment will be undertaken that includes a quantitative likelihood ranking as described below. Following initial identification, description, and categorization, risks will be assessed for potential impact and probability in qualitative (numeric ranges) or quantitative (specific dollar amount or RQQ-2011-PP-032 Project No.109503 2-7 P r o c e d u r e

duration) terms. The findings of the risk assessment will be used to prioritize risks and rank them accordingly for risk management. Any support for this assessment (eg: contract terms, relevant past projects, formulas, calculations) should be recorded when the assessment is made. As with the rest of the steps in the risk management process, assessments will be periodically revisited and refined. While there are a number of other potential impact areas specified for assessment (eg: construction, environmental, legal/community relations), these can be translated and specified in terms of potential cost and/or schedule impacts to the project. Please note that this should not be understood to mean that risk management is only concerned with risks that explicitly impact cost or schedule. A risk impact matrix an assessment scoring guide showing the quantitative likelihood and impact ranges is provided in Figure 2-2. It will be used when assessing both the impact and probability of risks, and employs relatively broad ranges for both potential impact and probability. The objective during assessment is to develop broadly accurate estimates of potential impact and probability. Figure 2-2 Risk Impact Matrix Low Medium High Very High Significant Legend (1) (2) (3) (4) (5) (Risk Score) Likelihood < 10% 10% to 50% 50% to 75% 75% to 90% > 90% < 3 (Low) Cost Impact ($) < $2.5M $2.5M to $10M $10M to $30M > $30M & < $100M > $100M 3 9 (Medium) Schedule Impact (workdays) < 1 month 1 month to 3 months 3 months to 6 months 6 months to 12 months > 12 months > 10 (High) Where more specificity is justified, either on the initial assessment or in subsequent reviews, the assessment team will supply their own, narrower ranges for cost or schedule impacts. Additionally, if a particular value between the lower and upper bounds of the impact assessment is judged more likely than others it can be designated as most likely. Once both the impact and probability assessments are made, the risks will be categorized based on their severity using the risk impact matrix shown above. The risk register acts as a concise action plan and outlines the who, what and when of the risk management plan. It includes a description of the risk, its cause and effect, a ranking of the risk in terms of probability and consequences to the project cost, schedule or other goals, actions that must be taken to reduce the risk, who has been delegated that responsibility, and when an action needs to be taken. Risk severity is determined as an overall function of the risk score. Risk severity is defined as probability multiplied by cost and schedule impact to determine a risk score. The larger the risk score, the greater the negative impact the risk has on the outcome of the project. Risks are categorized using the risk impact matrix. They are ranked based on their impact to cost, schedule and likelihood of occurrence as shown in Figure 2-2. Risks that have a score greater than 10 are shown in red and require the greatest oversight, as they can have material impacts on the project. These risks will be proactively managed RQQ-2011-PP-032 Project No.109503 2-8 P r o c e d u r e

throughout the preliminary design phase to minimize their probability of occurrence. To aid in the management of risk severity, the number of risks according to severity type (Low, Medium and High) are summarized by category. Table 2-1 is a sample of a table that will be used for reporting. This table is updated throughout the risk management process to gauge the effectiveness of the risk management plan in managing risks according to severity. Table 2-1 Risk Severity Summary Table Risk Category Red Zone Risks Yellow Zone Risks Green Zone Risks Corporate 0 0 0 Civil 0 0 0 Communications/SCADA 0 0 0 Cost Estimation 0 0 0 Environmental Assessments 0 0 0 Final Design 0 0 0 Financial 0 0 0 Legal/Compliance 0 0 0 Maintenance Facilities 0 0 0 Operational 0 0 0 Overhead Contact System 0 0 0 Preliminary Design 0 0 0 Procurement/Construction 0 0 0 Project Management 0 0 0 Right-of-Way 0 0 0 Rolling Stock 0 0 0 Signals 0 0 0 Strategic 0 0 0 Traction Power 0 0 0 Total 0 0 0 Risks will be assessed according to whether they are current or residual risks. Current risks are those initially assessed for the purpose of determining a risk score baseline. This initial baseline is used to measure the effectiveness of the risk mitigation measures throughout the life of the project. At predetermined major milestones throughout the project s lifecycle, risks will be reassessed to determine whether residual risk remains after a mitigation plan has been implemented. 2.7 Risk Analysis Quantitative Quantitative analysis will commence when the project proceeds to the detailed design stage and will continue through to final design and construction phases. In this stage of risk analysis, numerical ranges for probability and severity replace qualitative descriptions. Probabilistic ranges will depend on the quality of the information supporting the assessment including the experience of the experts, any relevant historical data, and the confidence of RQQ-2011-PP-032 Project No.109503 2-9 P r o c e d u r e

the project team in the assessment. Monte Carlo simulation techniques use tools such as Oracle Risk Analysis and Palisade@Risk and will be used to model the collective probabilities and impacts identified during the qualitative assessment stage. Once probabilities and severities have been quantified and any relationships specified, risk simulations based on the Monte Carlo method are used to identify a range of cost and schedule outcomes for the project. The Monte Carlo method works by sampling from the previously determined ranges for probability and severity for each activity and then combining each of these values according to the defined risk model to form one possible project outcome. The program repeats this process thousands of times, sampling different values for each activity and combining them to produce a sample of various project outcomes. The outcome for the project as a whole will be a distribution of possible outcomes ranging from very pessimistic to very optimistic, with a particular cost and/or schedule most likely. The analysis will also list the applicable ranges of probability and cost for each activity and will identify the risk areas that have the greatest potential impact on the ability to complete the project within budget and on schedule. This list will highlight areas in which the project team can maximize project success through risk mitigation activities. As risks are mitigated, probabilities and impacts of the managed activities and the risk analyses are rerun to see how mitigation efforts affect the overall risk exposure for the project. The primary deliverables in this stage are risk profiles, which associate a probability with particular cost and schedule outcomes. This stage also provides the input for determining appropriate levels of cost and schedule contingency. Uncertainty in additional measures of interest such as time for completion of an important project milestone or regional variations and comparisons can also be evaluated on an as-needed basis. 2.8 Risk Management The risk management stage deals with the what, who and when of the project s risk response, and provides answers to the following What are we going to do to limit the project's risk exposure? Who is going to do it? When is it going to be done? The answers to these questions are the key components of the risk register inform the management stage of four major tasks Determining an appropriate management strategy Identifying potential mitigations Assigning responsibility Assigning due dates for action/decision by the project team for resolution or mitigation. 2.8.1 Management Strategy The appropriate management strategy will be determined for the given risk RQQ-2011-PP-032 Project No.109503 2-10 P r o c e d u r e

Avoid (eliminate the probability of occurrence with, eg: design changes) Reduce (limit the potential impact and/or probability) Transfer (to a third party) Accept. Management decisions made during this stage are the responsibility of the deputy project manager with input by the risk manager (risk assessment specialist). Prioritization, choice of management strategy, and action assignments involve core management responsibilities. In determining the management prioritization, the following will be considered Manageability Have mitigations to the risk been identified? How effective are these mitigations likely to be? Cost/Benefit How much will the proposed mitigations cost and how does this cost compare with the potential cost of the risk event/situation occurring? Intangibles How might the risk event affect the project if it occurred in ways less tangible than additional cost or delay (eg: reputation or community relations)? 2.8.2 Mitigation Mitigation actions that can reduce or eliminate potential impacts, likelihood of occurrence or both will be identified and will have the following SMART characteristics Specific to each goal Measurable outcome or indicator Attainable it can be accomplished under current conditions Relevant it helps solve the specific problem and needs to be done Timely it can be undertaken in time to achieve the goal. 2.8.3 Assignment of Responsibility Once mitigations have been determined for a risk, action items will be assigned to the risk owner who has overall management responsibility. At this point, the risk or opportunity will be Avoided, reduced or optimized A specific team member with the ability, both in terms of expertise and authority, to effectively manage the risk within the project team must be named as the responsible party Transferred This person or organization must be named Accepted The project manager assumes responsibility for monitoring this risk and periodically reassessing the advisability of this management strategy. 2.8.4 Action Due Dates An appropriate action due date will be specified for all mitigation actions. This is determined based on a reasonable estimate of how long the mitigation action will take to carry out and the likely impact date should the risk occur. Mitigation action due dates should be set for completion far enough in advance of the likely impact of the identified risk to prevent or limit the impact. Mitigations with recurring actions (eg: meetings associated with community outreach) will be indicated as such on the risk register. If it is not possible to determine when mitigation will be carried out then it does not stand as an action item and the suitability of the proposed mitigation will be reconsidered. RQQ-2011-PP-032 Project No.109503 2-11 P r o c e d u r e

The risk manager will assign management responsibility of risks to the individuals most appropriate to manage them. At times, this assignment may be to individuals outside the immediate project team. The primary product from this stage in the process is the creation of a risk and contingency management report. 2.8.5 Risk Meetings Review of the highest ranked risks and risks that have the potential for the greatest impact should be reviewed in the project s monthly progress meetings. One-on-one risk meetings between the risk manager and discipline leads should be held on a monthly basis to track progress on risk mitigations actions, close out risks no longer relevant and add new risks to the risk register as needed. Risk workshops should be held on a bi-annual basis or as needed to update the risk register in full and review the effectiveness of risk mitigation actions. Risk and contingency analysis should be concurrent with every update of the project s cost estimate and baseline schedule. 2.8.6 Fallback or Corrective Action Plan Metrolinx will benefit from having a fallback or corrective action plan that includes pre-determined changes to a program or project s scope that can be made should primary mitigations fail to adequately contain cost or schedule over-runs. This may involve review of certain individual risks and uncertainties and primary mitigations when these rise to a level that might threaten the program or the project as a whole. Actions required by Metrolinx as part of a fallback plan may involve deletion of scope from a project or moving that scope into a future phase of project development where budget and or time will be available to complete that work. The fall back plan is recorded as a subset to the risk management plan. Risks with high severity will have a strategy developed for them. The fall back plan will be validated by the broader project team and Metrolinx. 2.9 Risk Monitoring & Review The process as outlined in the previous steps is intended to be continuous during the project lifecycle. The project manager, deputy project manager and risk manager are expected to regularly monitor and review their risk management efforts to ensure compliance and maintain current records of their risk management efforts. In particular Individual risks (and opportunities) are regularly reviewed to ensure that they accurately describe a current threat to project objectives, that their assessments reflect the best estimate of potential impacts and probability, and that management strategies and mitigations are well-founded. An updated risk score is calculated at regular milestones to reflect the probability and severity of RQQ-2011-PP-032 Project No.109503 2-12 P r o c e d u r e

residual risks once a mitigation strategy has been implemented to gauge the effectiveness of the strategy. Individual team members with management responsibility for one or more risks will monitor and report on the above for their particular risks to the risk manager. Individual mitigations will be regularly updated to reflect their current status and team member responsibilities. It is suggested that these reviews and updates of the risk register proceed on an incremental basis with risk owners or appropriate individual team members. Groups are not conducive to detailing individual risks. In addition, scheduling all of the team members who may contribute to any single part of the process at one time generally precludes regular reviews and leads to start-stop-start-stop risk management efforts and meetings that recall what was discussed and decided at the previous meeting. The risk manager is responsible for motivating and scheduling these small-scale reviews and update sessions with individual or functional groups. It is the responsibility of individual team members or group leads to alert the risk manager of any changes in previously identified risks, or new risks that have been identified in the course of their work, in a timely manner. The project risk team should review the current status as a group as the project manager sees fit, though it is suggested that these meetings should not take place less often than once each quarter. These larger sessions are not intended to identify or reassess individual risks, but instead as updates for the team regarding potential or upcoming challenges facing the project. The risk manager may followup with individuals or smaller groups after meetings to further develop and refine any issues raised at the review meetings. 2.10 Risk Documentation & Reporting Effective risk reporting allows management to quickly grasp the key concerns and recent changes, identify who has prime responsibilities for action, as well as the status of priority actions. The information provided will address the following questions What are our key risks and what is being done to manage them? Which key risks have ineffective responses or outstanding improvement actions? What has changed since the last period? What could prevent us from delivering on the strategic program objectives and what is being done to mitigate these issues? What is the reason for current performance gaps and do the risks and opportunities identified previously explain this? If not, what must be done to improve our risk and opportunity management and our forecasting? Project teams must answer these questions with respect to both their own specific objectives and the larger program objectives, and must be diligent in alerting other people in the organization about any potential issues that may impact project objectives. Risk documentation and reporting includes developing a risk register and a risk assessment report, updating progress against the risk register by highlighting significant changes, and additions or removal RQQ-2011-PP-032 Project No.109503 2-13 P r o c e d u r e

of risks. 2.10.1 Risk Register The risk register provides a description of the risk event that is determined to result in a risk to the project s cost and/or schedule, a description of the outcome if that risk event were to occur, the likelihood of it occurring, and likely cost and schedule impacts should the risk event occur. In addition, the risk register provides a categorization to assist in reporting and sorting of the various risks. As noted earlier, two technical risk registers will be developed for the preliminary design phases of the UP Express and the USRC (including Union Station), using the final conceptual design risk register as a starting point. Specifically, risks relevant to Phase 1 of electrification (UP Express) in the conceptual design risk register will be carried over into the preliminary design risk register and will be tracked as the preliminary design evolves. The conceptual design risk register previously developed for the Kitchener, Lakeshore West and Lakeshore East corridors will not progress any further. The conceptual design risk register for these corridors will be kept with the conceptual design report (CDR) and will be revisited when those corridors are approved for preliminary design. Appendix A provides a sample technical risk register template that will be used for the preliminary design phase of the Metrolinx electrification project. The risk categories identified in the risk register are Requirements Design Market Construction Operations & Maintenance Management. Definitions for these risk categories are Requirements Risk Relates to the establishment and variability of fundamental goals and conditions of a project to which the design must respond, as well as activities to actively identify these goals and conditions. The requirements risk is associated with all project development activities from earliest concept through to alternatives analysis. A significant portion of requirements risk can be attributed to the potential influence of project stakeholders if project goals and requirements are not fully defined. Design Risk Associated with the performance and variability of design-related activities occurring after alternatives analysis. Substantially complete design risk is indicated when no material design-related nonconformances are detected through the scope review, the estimate review indicates that 95% of all construction direct cost activities are shown on both design deliverables and cost estimate, and the schedule review indicates that no project level critical path element or procurement activity exceeds 45 calendar days (or other reasonable minimum) in duration. RQQ-2011-PP-032 Project No.109503 2-14 P r o c e d u r e

Market Risk Related to the procurement of construction services, materials, and equipment and the associated variability. This risk refers to both the effects of the open-market pricing of goods and services, as well as the effects of contract packaging strategies. Construction Risk Includes both risks that are due to the inevitable variability of the project s environment, including such items as unusual weather, unexpected subsurface conditions, and unexpected construction contractor failure, as well as performance risk that is manageable by Metrolinx and its consultants and contractors. Construction risk can be subdivided into: early construction risk (composed of geotechnical/utility activities, usually associated with 20% completion), mid-range construction risk (associated with coordination of contractors, etc), and start-up/ substantial completion risk (associated with 90% completion). Commissioning is included under construction. Operations & Maintenance Risk Includes those risks that can negatively affect the intended operations and maintenance of the project including, but not limited to, rolling stock, systems, and rights-of-way. Management Risk Includes those risks that are related to corporate decisions, such as if and when the project will actually occur. These risks are not technical risks and can happen at any stage of the project. 2.11 Risk Management Plan Update It is important to coordinate and communicate risk issues and mitigation strategies with the project/contract teams throughout the life of the project. Updates to the risk management plan may occur at milestones or as a result of other changes. 2.11.1 Update at Milestones It is difficult to comprehensively foresee all significant risks at project inception. Therefore, at specified milestones, the project team should review and update the risk management plan. Formal milestones should be established at the time the risk management plan is prepared and may include Project transitions, such as conceptual design to preliminary design, preliminary design to final design, final design to construction, or construction to close-out Specific critical milestones in design or construction such as and order placed for overhead catenary supply poles. Structured review of evolving risks can reduce the probability of problems occurring or the magnitude of the consequences. Recognizing that this project scope entails conceptual design for the Lakeshore corridors and the north part of the Kitchener corridor and preliminary design for the UP Express and USRC corridors, the risk management plan is created in such way that will make it easily transferable to future consulting resources when the next phase of design proceeds. For immediate purposes, we propose an update to the risk management plan towards the end of the RQQ-2011-PP-032 Project No.109503 2-15 P r o c e d u r e

preliminary design phase (4 th Q 2013). 2.11.2 Update in Response to Change The risk management plan will be reviewed and updated in response to new risks arising during project execution. Examples of conditions warranting update of the risk management plan include Contract modifications Changes in key project personnel Physical evidence of a potential design or construction problems Formal or informal indications of stakeholder dissatisfaction Other significant changes to the project plan or methods. RQQ-2011-PP-032 Project No.109503 2-16 P r o c e d u r e

APPENDIX A SAMPLE RISK REGISTER FOR CONCEPTUAL DESIGN Please see the next page for definitions of the category headings. Risk Category Identifier Risk Relation Identifier Requirements Risk A Corporate CORP Risk Scoring Matrix Design Risk B Civil CV Low Medium High Very High Significa Legend Market Risk C Communications/SCADA COMM Ranking 1 2 3 4 5 Risk Score Construction Risk D Conceptual Design CD Cost Impact <$2.5M $2.5M - $10M -$30M $30M - $100M >$100M <=3 (Low) Operations/Maintenance Environmental 1-3 E EA Time Impact <1 Mnth Risk Assessments Mnths 3-6 Mnths 6-12 Mnths >12 Mnths 3-10 (Medium) Final Design FD Probability <10% 10-50% 50-75% 75-90% >90% >=10 (High) Financial FIN Part Identifier Legal/Compliance LAW Network N Maintenance Facilities MF Kitchener K Operational OPS Risk Lakeshore West W Overhead Contact OCS System Opportunity Lakeshore East E Preliminary Design PD USRC U Procurement PROC Open Maintenance Facilities M Project Management PM Closed Right-of-Way ROW Rolling Stock RS Signals SG Legend Strategic STRAT New Risk Since Last Register Issue Traction Power TP Risk Description Metrolinx Risk Assessment Risk Strategy Risk # Risk Category Risk Relation Risk/ Opportunity Risk Description Root Cause of Risk Consequences Force Majeure Comp. Date Assessed Cost Impact (C) Time Impact (T) Probability (P) Risk Score (C + T)/2 * P Risk Owner Mgmt/Mitigatio n Plan Action Items Action By Due Date Status Associated Assumption # Corporate Risks 0 0 0 0 0 0 0 0 0 0 0 RQQ-2011-PP-032 Project No.109503 A p p e n d i x A

CATEGORY HEADING DEFINITIONS Term Risk # Definition Itemized numbering of all risks contained in the risk register. The numbers should be unique to each risk and not duplicated. Risk category Risk relation Risk/opportunity Risk description Root cause of risk Consequences Force majeure Compensation Date assessed Cost impact (C) Time impact (T) Probability (P) Risk score Risk owner Mitigation plan Action items Action By Due date Status Association assumption # The stage of a project s lifecycle when the risk is likely to occur. Defines what discipline the risk relates to. Classifies whether the risk has negative consequences and should be minimized ( risk ) or whether the risk has an anticipated positive outcome that should be exploited ( opportunity ). A detailed description and explanation of the risk. Defines what the ultimate cause of the risk is (ie, identify true root causes and not symptoms of a root cause). Describes the worst-case scenario of an unmitigated risk. Signifies whether the risk is caused by force majeure. Signifies whether the risk will result in compensation for Metrolinx. Date when the risk was entered into the risk register and identified. A numerical ranking (1-5) based on the risk matrix scoring methodology that estimates the cost impact of the risk if it were to occur. The larger the number, the greater the risk. A numerical ranking (1-5) based on the risk matrix scoring methodology that estimate the schedule impact of the risk if it were to occur. The larger the number, the greater the risk. A numerical ranking (1-5) based on the risk matrix scoring methodology that identifies the likelihood of the risk occurring. The greater the number, the more likely the risk will occur. A formula-driven calculation generated by determining the weighted-average of the cost and time impact multiplied by the probability: ((C+T)/2) * P. The higher the result, the greater the impact the risk would have if it were to materialize. Risks with higher risk scores require the most management and oversight. Identifies the owner of the risk. Defines the risk management strategy for that risk (accept, avoid, exploit or mitigate). Steps to be taken to implement a mitigation plan. Identifies who is responsible for action items. The same individual or organization is often identified as the risk owner. The date the risk is set to expire or be closed-out. The risk is either active (open) or inactive (closed). The number that corresponds to the respective assumption in the project-specific assumptions log. RQQ-2011-PP-032 Project No.109503 A p p e n d i x A

APPENDIX B DEFINITIONS Consequence The impact and likely magnitude of a risk on the scope, budget, schedule, implementation plan, activity or other event. Contingency The amount of funds held to compensate for unmitigated, uninsured or accepted risk events that occur during the course of the project. Likelihood An assigned probability, expressed either qualitatively or quantitatively, that an identified risk will occur. Probability-Impact Matrix Used to assess the relative importance and ranking of risks. For each hazard, an assessment of the probability of occurrence and the potential severity of impact is made, selecting from a range of high/medium/low or a similar categorization. These assessments are combined to give an overall measure of the severity of the risk. Qualitative Assessment The identification, description, understanding and assessment of the impact of a risk using a probability-impact technique. A qualitative assessment has no absolute measure, but provides an objective and consistent basis to rank risk issues and determine priorities for management attention. Quantitative Assessment Modeling risk in order to quantify effects on the project. Residual Risk The amount of risk remaining after an initial risk mitigation strategy has been implemented. Residual risk is monitored through the life of the project to determine if its risk severity is increasing, decreasing or not changing at all. If no residual risk remains, the risk is closed out. Risk Register The risk register is the depository for all risks identified on a particular project. The risk register will list each risk and potential impact, mitigation measures, responsibilities and latest status. Risk Any decision, activity, event, or lack thereof, which has the potential to jeopardize the success of the project. Risks can include anything that has uncertainty and an impact associated with it. Risk Event A risk event is associated with likelihood of occurrence where the event is less than certain to occur, but if it should occur it has the potential to jeopardize the success of the project. Risk Uncertainty Risk events that are certain to happen, but the magnitude of impact to the project is uncertain and are RQQ-2011-PP-032 Project No.109503 A p p e n d i x B

categorized in the definition of uncertainty. This is typically quantified as a range on the estimate line item or the activity duration in a schedule. Risk Assessment The process of evaluating both the likelihood of an identified risk and the magnitude of its consequence. Risk Acceptance The recognition, by Metrolinx, that further reduction of a risk would come at the expense of the project s fundamental goals, such as unacceptable service loss, cost increases, etc. Risk acceptance often involves the potential consumption of project costs or schedule contingencies, project schedule float, or an increase in either project estimate or schedule. Risk Avoidance When a project element associated with certain risk events may be delivered using a more stable process or design, or may be eliminated altogether. Risk Evaluation The process of comparing assessed risk ratings against pre-established criteria for the purpose of ranking the risks and identifying priorities. Risk Management The systematic process, guided by a project-approved risk plan, which identifies, assesses, evaluates, mitigates, and manages risks for the purpose of increasing the probability of delivering a successful project. Risk Management Plan The risk management plan describes the approach that the project will adopt to identify risks, assign the likelihood of occurrence of each risk, and quantify the associated impact on project delivery objectives if it occurs. The risk management plan provides Metrolinx senior management with a systematic process to identify, assess, evaluate, manage, and document risks that could jeopardize the success of the project. Risk Manager An individual designated by the project manager to have overall responsibility for implementation of the risk management plan. Risk Mitigation Mitigation of risks can include avoidance, transfer, reduction of the likelihood or magnitude of the consequence, or the use of insurance policies when appropriate. RQQ-2011-PP-032 Project No.109503 A p p e n d i x B

Risk Mitigation Effectiveness As mitigation measures are established and implemented at either the project-level or for a specific contract, the effectiveness of the mitigation measure is monitored and adjusted throughout the project or contract life. Lessons learned are documented for application to future contracts. Risk Owner The individual or organization responsible for managing the risk. This will be the person or organization best placed to manage the risk, or with the greatest incentive to manage it. Risk Rating A rating established by computing the product of the assigned likelihood and consequence values. Risk Reduction A planned action that will either reduce the consequences or the likelihood of a risk event. Risk Severity The relative impact a risk could have to a project if it were to materialize. Risks with higher severity should be closely monitored as they have the potential to cause the greatest impact to cost, schedule or scope. Risk severity can either be positive or negative. Risk Transfer Occurs when the mitigation and the consequences resulting from a risk event become the responsibility of a party other than Metrolinx. This may include a partial transfer, also known as risk sharing. This may also include the reallocation of scope to transfer risks to scope elements or contract packages that are better suited to mitigate risk. Sensitivity Analysis Examines the sensitivity of a risk model to individual elements or risks. Successful Project A successful Metrolinx electrification project will have met all of the following 1. Realized the goals and objectives identified for the project 2. Completed within cost and on schedule 3. Achieved the quality expected by the owner and stakeholders 4. Engendered no adverse political or stakeholder reaction throughout its design, construction and commissioning. RQQ-2011-PP-032 Project No.109503 A p p e n d i x B

APPENDIX C RISK REGISTER V02 Please see separate Risk Register. RQQ-2011-PP-032 Project No.109503 A p p e n d i x C