Professional Documents
Culture Documents
BACS Risk Management Plan
BACS Risk Management Plan
# 9>;98<0 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! %
$ 0110.=3?0 ;3<4 6,7,20607= !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! %
% <.890 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! %
& /01373=387<!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! &
' -,.< .87<8;=3>6 ;850< ,7/ ;0<987<3-353=30< !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! '
( ;3<4 6,7,20607= 9;8.0<< !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#"
(!# .;<*+31;0 <0. ,65<.?< !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ##
(!$ 1-.5<1<@ 91;2; !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ##
(!% *5*3@A. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! #$
(!& 791691<1A.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! #'
(!' 73*5 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! #'
(!( 4*5*/. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! #(
) /,=, 6,7,20607= !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#+
* ,9907/3.0<!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!$#
)!# 91;2 ;,6915/ ;,0.4. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! $#
)!$ *,<1>1<@"-.31>.9*+3. 9.8=19.4.5<; *5- <14.315.; !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! $$
This RIMP is directed at managing impacts of uncertain events on Project objectives in dimensions
including but not limited to:
Cost Time Reputation
Safety Quality Security
Environmental Community
3 SCOPE
The BACS Consortium will utilize Project Execution Risk Management (PERM) processes to
examine, among others, the business, commercial, technical, environmental, political and social
risks associated with the Project (i.e. external context and internal context) using Riyadh Metro
program-wide Risk Breakdown Structure (to be agreed with the Engineer). Additionally, this RIMP
4 DEFINITIONS
This Risk Management Plan follows the standards, processes and definitions as set out in the
Project Management Body of Knowledge, Fifth Edition (PMBOK).
Actions – one-off responses in a Response Plan to mitigate or avoid a risk
ALARP – As Low As Reasonably Practicable
BACS – Consortium of Bechtel, Almabani, CCC and Siemens
Contingency – the amount of money and work hours which must be added to an estimate to
account for uncertainties within the estimate detail, in quantity, pricing, and productivity that are
understood by the project and are within an expected range based on historical data and within the
defined project scope. The contingency is expected to be expended during project execution.
Controls – recurring responses in a Response Plan to mitigate or avoid a risk.
Current Risk Level (Current Risk Ranking) – is the current value (or range) of probability of the
risk and of its impact in the relevant impact dimensions. As the understanding of risk progresses,
and as the actions and controls are applied, the Current Risk Level will change and should be
updated in ARM.
Earliest Impact Date – the date on or after which you believe a risk might impact
Employer- Arriyadh Development Authority (ADA)
Engineer- Riyadh Metro Transit Consultants (RMTC)
Fallback Plan – a Recovery plan to execute if an event occurs
HAZOP – Hazard Operability
Latest Impact Date – that date after which the risk cannot impact
Opportunity – an event with a possible beneficial impact
PERM – Project Execution Risk Management
PMBOK – Project Management Body of Knowledge
PMT – Project Management Team, comprises of the Project Director and Deputy Project Directors
QCRA – Quantitative Cost Risk Analysis
QSRA – Quantitative Schedule Risk Analysis
Responding to Risks – processes to prepare Response Plans and execute and manage their
implementation
Project Risk Committee may include members/organization(s) outside the BACS Consortium
including representatives from the Engineer, Employer and possibly external stakeholders with
influence on the Riyadh Metro project.
" Provide governance and guidance for Risk Management activities.
" Ensure legal and regulatory compliance.
" Establish performance measurements.
" Allocate resources to risk management.
Below is Figure 1 showing how the Risk Management Team of the BACS Consortium will interact
with the Project team. In this figure, the Delivery Risk Leads from the BACS Consortium will attend
External Context
" Stakeholders to be included as part of the Risk Management process
" Riyadh-specific Risks
" National and International environment
" All external factors which may impact on the Project’s objectives
Internal Context
Identifying Risks is the process of eliciting Risks that may negatively or positively affect the Project
– Threats and Opportunities. This process starts with a well-developed understanding of Project
objectives and consideration of how the current execution environment, historical information,
Lessons Learned, conventional wisdom and other factors may influence Project outcomes.
Further, as the Project progresses through different phases of execution, as work circumstances
evolve and as forecast assumptions change, it is expected that project Risks will change, emerge
from unforeseen considerations or be discovered from previously unknown information. Risk
identification will therefore occur as an on-going process during Project execution.
Working with the Project Team, the Project Risk Manager will facilitate periodic workshops and
meetings to identify Risks. These workshops and meetings will consider use of various
approaches and techniques to uncover uncertainties that may affect Project objectives. This effort
may include use of:
6.3 Analyze
Analysis is a refinement of the identification process, used to determine as accurately as possible,
Causes and Effects. The Causes and Effects are then used by the Project to establish the
probability and potential impacts before Response Planning takes place (the Current Risk
Ranking).
Risk probability determination will be done by the Risk Owner in accordance with the criteria
established in Appendix 8.1 and confirmed by the Project Management Team review. This review
The cost impact of a Risk as recorded in the Risk Register does include the cost of time impacts
i.e. the cost of ‘house loads’ associated with schedule delay.
The time impact of a Risk as recorded in the Risk Register includes all time impacts not solely
impacts on critical path schedule.
Earliest and Latest Impact Dates will be used for Time Phased Analysis, prioritization by impact
dates, and informing Project stakeholders of Risk status relative to baseline planning.
During the Analyze Risk Management process there will be identified risks which require
escalation within and outside of the BACS Consortium for resolution and management as shown in
Figure 3 below. The mitigation and response plans for these risks may require additional funding
sources.
Quantitative Risk Analysis is the process of numerically analyzing the effect of identified risks on
overall Project objectives. The key benefit of this process is that it produces quantitative risk
information to support decision making in order to reduce project uncertainty.
The Project will make use of both cost and schedule quantitative analysis. The frequency and
output of reporting is described in Section 6.6.
QCRA will provide the project a means to examine the impact of individual risks on the overall
project cost. It will help determine the likelihood of finishing the project on budget as well as to
estimate the requisite Contingency reserve needed to provide the desired amount of certainty
about achieving the cost plus reserve.
QSRA will provide the project a means to examine the project’s critical path to identify risks from a
variety of sources using probabilistic techniques.
It should be noted the timing and frequency of the quantitative reporting output is to be reviewed
after the initial 6 months to ensure appropriateness of resource allocation to the task(s).
6.5 Plan
Risk Response Plans will be prepared by considering the following risk response strategies:
" Risk avoidance which focuses on eliminating the root cause of a risk or by taking a different
course of action to avoid the risk or incorporating preventative measures.
" Risk reduction which focuses on lowering the probability or frequency that the risk will occur, or
minimizing the impacts.
" Risk transfer which focuses on transferring the impacts of a risk.
Note: Risk reduction and Risk transfer are known as risk mitigation strategies.
" Risk acceptance, which occurs when risks cannot be avoided or mitigated, the costs of doing
so would be unacceptable, or the impacts can be accepted by the Project. Risk acceptance
involves monitoring the risk, and may include a specific Fallback Plan and is likely to include
allocation of Contingency reserve funding to cover potential impacts.
" Share or exploit an opportunity to maximize the benefit to the Project objectives
Response Plan development will take place such that:
" High level Risks will undergo Response Plan development within a reasonable period of time
after identification. Lower level Risks may not require response planning.
" All Risk Response Plans will be approved by the Project Management Team prior to
implementation. Where appropriate, the Project Management Team may elect to review a
Risk Response Plan with the Employer.
" A Risk Response Plan may consist of activities not considered in Baseline planning. Where
necessary, a Risk Owner will submit a Trend for cost and schedule activities outside the
Baseline.
" The Risk Owner is responsible for effectively implementing the approved Risk Response Plan
for the Risk. This includes working with the Project Risk Manager to evaluate the effectiveness
of responses on a monthly basis and seeking Project Management Team support when
needed.
6.6 Manage
As the Project progresses through different phases of work execution, as work circumstances
change, and as forecast assumptions prove to be correct or incorrect, it may be expected that
Project Risks will change, emerge from unforeseen considerations or, be discovered from
previously unknown information. The Process of Risk review will therefore take place as an
ongoing process.
Regular risk reviews with Risk Owners will be scheduled according to Current Risk Ranking.
" Risk reviews with Risk Owners and the Project Management Team will include consideration
of: the quality of Risk information (Risk Statement, Causes, Effects), Risk review frequency,
effectiveness of Controls, completion of Actions, sufficiency of Fallbacks, evaluation of
Response Plans, updates to Current and Target Risk Rankings, proper Risk Owner
Changes to Risk Ranking and the addition or removal of Response Plan Actions, Controls or
Fallbacks for High-Level Risks will only occur with Project Management Team approval.
" Risk Program Health - - - Risks past review, High-level Risks without Response Plans,
overdue Risk Responses, the status of Unapproved Risks, and other considerations which
speak to the whether this RIMP is being performed as required.
" Risk Program Performance - - - Response Plan results both forecasted and actual, changes to
High-Level Risks, a summary overview of changes to Low and Medium level Risks, Project s-
curves, Response Plan costs, and other considerations which speak to the overall value of
PERM activities for the Project.
" Presentation and discussion of new and/or Unapproved Risks.
" Approving and closing of Risks
" Other issues, concerns, or successes associated with PERM execution and the need for
additional actions, activities or support.
The Project Management Team will meet quarterly to conduct an extensive review of the Risk
Register and evaluate PERM program effectiveness, and changing Project environment.
BACS Consortium will engage with the Engineer on an as needed basis for risk reviews, progress
meetings and risk response plans and also provide the Engineer with monthly reporting data as
appropriate.
Closing Risks
Risk records will be submitted with supporting documentation for Risk closure by the Project
Management Team when recommended by the Risk Owner and:
" Response plans have been completed and the Latest Impact Date has passed, or
" When the Threat or Opportunity has been fully transferred to the Project Trend Program, or
" When the Risk is no longer considered a Threat or Opportunity to Project objectives, or
" When the Risk has been accepted by the Project.
Risks will be actively considered for transfer to the Project Trend Program having a 70% and
higher probability of occurrence.
Decisions to close high-level Risks will be made following approval of the Project Management
Team as discussed at monthly Risk review meetings. Lower level Risks can be closed upon Risk
Owner recommendation but closure is subject to Project Management Team approval at the Risk
review meeting.
Risk Reporting
The BACS Consortium would prepare the following reports as part of its Risk Management
process as agreed with the Engineer. BACS Consortium will update the Risk Reports if there are
material changes and will provide the Engineer with the updated version.
" Monthly Dashboards from standard ARM Reports showing but not limited to:
The Project Risk Register will be audited as deemed necessary according to the internal
procedures of the BACS consortium.
7 DATA MANAGEMENT
To ensure compliance with Project minimum data standards, the Project Risk Manager will perform
a self-assessment of data quality for the Risk Register semi-annually and provide a report out at
the following Project Risk Review meeting.
At the end of each reporting cycle, the following information is to be archived in the project’s
document management system with appropriate document numbering:
" All reports and metrics provided to the Project Management Team during the month – native
file format.
Consequen Score Cost Impact Cost Impact ($) Time Impact Performance/Quality Impact
ce (SAR)
Very Low 1 <=5Mil <=1.3Mil <two week No impact on Technical Specifications
Requirements
Low 2 5>x<25Mil 1.3<x<6.7Mil 0.5-1month High compliance with Technical Specification
Requirements
Moderate 3 25>x<50MIl 6.7<x<13.3Mil 1-2 months Partial compliance with Technical Specifications
Requirements
Significant 4 50>x<100Mil 13.3<x<26.7Mil 2-3 months Severe discrepancies with the Technical
Specifications Requirements
Very High 5 >100Mil >26.7Mil >3 months No compliance with Technical Specifications
Requirements